ON TYPES

TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

GRANT { USAGE | CREATE | ALL [ PRIVILEGES ] }

ON SCHEMAS

TO { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]

REVOKE [ GRANT OPTION FOR ]

{ { SELECT | INSERT | UPDATE | DELETE | TRUNCATE | REFERENCES | TRIGGER }

[, ...] | ALL [ PRIVILEGES ] }

ON TYPES

FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]

[ CASCADE | RESTRICT ]

REVOKE [ GRANT OPTION FOR ]

{ USAGE | CREATE | ALL [ PRIVILEGES ] }

ON SCHEMAS

FROM { [ GROUP ] <replaceable class="PARAMETER">role_name</replaceable> | PUBLIC } [, ...]

[ CASCADE | RESTRICT ]

</synopsis>

</refsynopsisdiv>

<command>ALTER DEFAULT PRIVILEGES</> allows you to set the privileges

that will be applied to objects created in the future. (It does not

affect privileges assigned to already-existing objects.) Currently,

only the privileges for tables (including views and foreign tables),

sequences, functions, and types (including domains) can be altered.

only the privileges for schemas, tables (including views and foreign

tables), sequences, functions, and types (including domains) can be

altered.

</para>

<para>

are altered for objects later created in that schema.

If <literal>IN SCHEMA</> is omitted, the global default privileges

are altered.

<literal>IN SCHEMA</> is not allowed when using <literal>ON SCHEMAS</>

as schemas can't be nested.

</para>

</listitem>

</varlistentry>

all_privileges=ACL_ALL_RIGHTS_TYPE;

errormsg=gettext_noop("invalid privilege type %s for type");

break;

caseACL_OBJECT_NAMESPACE:

all_privileges=ACL_ALL_RIGHTS_NAMESPACE;

errormsg=gettext_noop("invalid privilege type %s for schema");

break;

default:

elog(ERROR,"unrecognized GrantStmt.objtype: %d",

(int)action->objtype);

this_privileges=ACL_ALL_RIGHTS_TYPE;

break;

caseACL_OBJECT_NAMESPACE:

if (OidIsValid(iacls->nspid))

ereport(ERROR,

(errcode(ERRCODE_INVALID_GRANT_OPERATION),

errmsg("cannot use IN SCHEMA clause when using GRANT/REVOKE ON SCHEMAS")));

objtype=DEFACLOBJ_NAMESPACE;

if (iacls->all_privs&&this_privileges==ACL_NO_RIGHTS)

this_privileges=ACL_ALL_RIGHTS_NAMESPACE;

break;

default:

elog(ERROR,"unrecognized objtype: %d",

(int)iacls->objtype);

caseDEFACLOBJ_TYPE:

iacls.objtype=ACL_OBJECT_TYPE;

break;

caseDEFACLOBJ_NAMESPACE:

iacls.objtype=ACL_OBJECT_NAMESPACE;

break;

default:

elog(ERROR,"unexpected default ACL type: %d",

defaclobjtype=DEFACLOBJ_TYPE;

break;

caseACL_OBJECT_NAMESPACE:

defaclobjtype=DEFACLOBJ_NAMESPACE;

break;

default:

returnNULL;

}

caseDEFACLOBJ_TYPE:

objtype_str="types";

break;

caseDEFACLOBJ_NAMESPACE:

objtype_str="schemas";

break;

default:

ereport(ERROR,

(errcode(ERRCODE_INVALID_PARAMETER_VALUE),

errmsg("unrecognized default ACL object type %c",objtype),

errhint("Valid object types are \"r\", \"S\", \"f\", and \"T\".")));

errhint("Valid object types are \"r\", \"S\", \"f\",\"T\"and \"s\".")));

}

_("default privileges on new types belonging to role %s"),

GetUserNameFromId(defacl->defaclrole, false));

break;

caseDEFACLOBJ_NAMESPACE:

appendStringInfo(&buffer,

_("default privileges on new schemas belonging to role %s"),

GetUserNameFromId(defacl->defaclrole, false));

break;

default:

appendStringInfo(&buffer,

appendStringInfoString(&buffer,

" on types");

break;

caseDEFACLOBJ_NAMESPACE:

appendStringInfoString(&buffer,

" on schemas");

break;

}

if (objname)

TupleDesctupDesc;

ObjectAddressmyself;

inti;

Acl*nspacl;

if (!nspName)

(errcode(ERRCODE_DUPLICATE_SCHEMA),

errmsg("schema \"%s\" already exists",nspName)));

if (!isTemp)

nspacl=get_user_default_acl(ACL_OBJECT_NAMESPACE,ownerId,

InvalidOid);

nspacl=NULL;

for (i=0;i<Natts_pg_namespace;i++)

{

namestrcpy(&nname,nspName);

values[Anum_pg_namespace_nspname-1]=NameGetDatum(&nname);

values[Anum_pg_namespace_nspowner-1]=ObjectIdGetDatum(ownerId);

nulls[Anum_pg_namespace_nspacl-1]= true;

if (nspacl!=NULL)

values[Anum_pg_namespace_nspacl-1]=PointerGetDatum(nspacl);

nulls[Anum_pg_namespace_nspacl-1]= true;

nspdesc=heap_open(NamespaceRelationId,RowExclusiveLock);

tupDesc=nspdesc->rd_att;

RESET RESTART RESTRICT RETURNING RETURNS REVOKE RIGHT ROLE ROLLBACK ROLLUP

ROW ROWS RULE

SAVEPOINT SCHEMA SCROLL SEARCH SECOND_P SECURITY SELECT SEQUENCE SEQUENCES

SAVEPOINT SCHEMASCHEMASSCROLL SEARCH SECOND_P SECURITY SELECT SEQUENCE SEQUENCES

SERIALIZABLE SERVER SESSION SESSION_USER SET SETS SETOF SHARE SHOW

SIMILAR SIMPLE SKIP SLOT SMALLINT SNAPSHOT SOME SQL_P STABLE STANDALONE_P

START STATEMENT STATISTICS STDIN STDOUT STORAGE STRICT_P STRIP_P

|FUNCTIONS{$$ = ACL_OBJECT_FUNCTION; }

|SEQUENCES{$$ = ACL_OBJECT_SEQUENCE; }

|TYPES_P{$$ = ACL_OBJECT_TYPE; }

|SCHEMAS{$$ = ACL_OBJECT_NAMESPACE; }

;

| RULE

| SAVEPOINT

| SCHEMA

| SCHEMAS

| SCROLL

| SEARCH

| SECOND_P

CONVERT_PRIV('X',"EXECUTE");

elseif (strcmp(type,"LANGUAGE")==0)

CONVERT_PRIV('U',"USAGE");

elseif (strcmp(type,"SCHEMA")==0)

elseif (strcmp(type,"SCHEMA")==0||

strcmp(type,"SCHEMAS")==0

)

{

CONVERT_PRIV('C',"CREATE");

CONVERT_PRIV('U',"USAGE");

case DEFACLOBJ_TYPE:

type = "TYPES";

break;

case DEFACLOBJ_NAMESPACE:

type = "SCHEMAS";

break;

default:

/* shouldn't get here */

exit_horribly(NULL,

printfPQExpBuffer(&buf,

" ",

gettext_noop("Owner"),

gettext_noop("Schema"),

gettext_noop("function"),

DEFACLOBJ_TYPE,

gettext_noop("type"),

DEFACLOBJ_NAMESPACE,

gettext_noop("schema"),

gettext_noop("Type"));

printACLColumn(&buf,"d.defaclacl");

if (HeadMatches3("ALTER","DEFAULT","PRIVILEGES"))

COMPLETE_WITH_LIST4("TABLES","SEQUENCES","FUNCTIONS","TYPES");

COMPLETE_WITH_LIST5("TABLES","SEQUENCES","FUNCTIONS","TYPES","SCHEMAS");

COMPLETE_WITH_SCHEMA_QUERY(Query_for_list_of_tsvmf,

#defineDEFACLOBJ_SEQUENCE'S'/* sequence */

#defineDEFACLOBJ_FUNCTION'f'/* function */

#defineDEFACLOBJ_TYPE'T'/* type */

#defineDEFACLOBJ_NAMESPACE'n'/* namespace */

PG_KEYWORD("rule",RULE,UNRESERVED_KEYWORD)

PG_KEYWORD("savepoint",SAVEPOINT,UNRESERVED_KEYWORD)

PG_KEYWORD("schema",SCHEMA,UNRESERVED_KEYWORD)

PG_KEYWORD("schemas",SCHEMAS,UNRESERVED_KEYWORD)

PG_KEYWORD("scroll",SCROLL,UNRESERVED_KEYWORD)

PG_KEYWORD("search",SEARCH,UNRESERVED_KEYWORD)

PG_KEYWORD("second",SECOND_P,UNRESERVED_KEYWORD)

(1 row)

ALTER DEFAULT PRIVILEGES FOR ROLE regress_user1 REVOKE EXECUTE ON FUNCTIONS FROM public;

ALTER DEFAULT PRIVILEGES IN SCHEMA testns GRANT USAGE ON SCHEMAS TO regress_user2; -- error

ERROR: cannot use IN SCHEMA clause when using GRANT/REVOKE ON SCHEMAS

ALTER DEFAULT PRIVILEGES GRANT USAGE ON SCHEMAS TO regress_user2;

CREATE SCHEMA testns2;

SELECT has_schema_privilege('regress_user2', 'testns2', 'USAGE'); -- yes

has_schema_privilege

----------------------

t

(1 row)

SELECT has_schema_privilege('regress_user2', 'testns2', 'CREATE'); -- no

has_schema_privilege

----------------------

f

(1 row)

ALTER DEFAULT PRIVILEGES REVOKE USAGE ON SCHEMAS FROM regress_user2;

CREATE SCHEMA testns3;

SELECT has_schema_privilege('regress_user2', 'testns3', 'USAGE'); -- no

has_schema_privilege

----------------------

f

(1 row)

SELECT has_schema_privilege('regress_user2', 'testns3', 'CREATE'); -- no

has_schema_privilege

----------------------

f

(1 row)

ALTER DEFAULT PRIVILEGES GRANT ALL ON SCHEMAS TO regress_user2;

CREATE SCHEMA testns4;

SELECT has_schema_privilege('regress_user2', 'testns4', 'USAGE'); -- yes

has_schema_privilege

----------------------

t

(1 row)

SELECT has_schema_privilege('regress_user2', 'testns4', 'CREATE'); -- yes

has_schema_privilege

----------------------

t

(1 row)

ALTER DEFAULT PRIVILEGES REVOKE ALL ON SCHEMAS FROM regress_user2;

CREATE SCHEMA testns5;

SELECT has_schema_privilege('regress_user2', 'testns5', 'USAGE'); -- no

has_schema_privilege

----------------------

f

(1 row)

SELECT has_schema_privilege('regress_user2', 'testns5', 'CREATE'); -- no

has_schema_privilege

----------------------

f

(1 row)

SET ROLE regress_user1;

CREATE FUNCTION testns.foo() RETURNS int AS 'select 1' LANGUAGE sql;

SELECT has_function_privilege('regress_user2', 'testns.foo()', 'EXECUTE'); -- no

DROP SCHEMA testns CASCADE;

NOTICE: drop cascades to table testns.acltest1

DROP SCHEMA testns2 CASCADE;

DROP SCHEMA testns3 CASCADE;

DROP SCHEMA testns4 CASCADE;

DROP SCHEMA testns5 CASCADE;

SELECT d.* -- check that entries went away

FROM pg_default_acl d LEFT JOIN pg_namespace n ON defaclnamespace = n.oid

WHERE nspname IS NULL AND defaclnamespace != 0;

ALTER DEFAULT PRIVILEGES FOR ROLE regress_user1REVOKE EXECUTEON FUNCTIONSFROM public;

ALTER DEFAULT PRIVILEGESIN SCHEMA testnsGRANT USAGEON SCHEMAS TO regress_user2;-- error

ALTER DEFAULT PRIVILEGESGRANT USAGEON SCHEMAS TO regress_user2;

CREATESCHEMAtestns2;

SELECT has_schema_privilege('regress_user2','testns2','USAGE');-- yes

SELECT has_schema_privilege('regress_user2','testns2','CREATE');-- no

ALTER DEFAULT PRIVILEGESREVOKE USAGEON SCHEMASFROM regress_user2;

CREATESCHEMAtestns3;

SELECT has_schema_privilege('regress_user2','testns3','USAGE');-- no

SELECT has_schema_privilege('regress_user2','testns3','CREATE');-- no

ALTER DEFAULT PRIVILEGESGRANT ALLON SCHEMAS TO regress_user2;

CREATESCHEMAtestns4;

SELECT has_schema_privilege('regress_user2','testns4','USAGE');-- yes

SELECT has_schema_privilege('regress_user2','testns4','CREATE');-- yes

ALTER DEFAULT PRIVILEGESREVOKE ALLON SCHEMASFROM regress_user2;

CREATESCHEMAtestns5;

SELECT has_schema_privilege('regress_user2','testns5','USAGE');-- no

SELECT has_schema_privilege('regress_user2','testns5','CREATE');-- no

SET ROLE regress_user1;

CREATEFUNCTIONtestns.foo() RETURNSintAS'select 1' LANGUAGE sql;

WHERE nspname='testns';

DROPSCHEMA testns CASCADE;

DROPSCHEMA testns2 CASCADE;

DROPSCHEMA testns3 CASCADE;

DROPSCHEMA testns4 CASCADE;

DROPSCHEMA testns5 CASCADE;

SELECT d.*-- check that entries went away

FROM pg_default_acl dLEFT JOIN pg_namespace nON defaclnamespace=n.oid