Re: Version 14/15 documentation Section "Alter Default Privileges" - Mailing list pgsql-hackers
| From | Bruce Momjian |
|---|---|
| Subject | Re: Version 14/15 documentation Section "Alter Default Privileges" |
| Date | |
| Msg-id | ZUq6fAsQZsyUAySx@momjian.us Whole thread Raw |
| In response to | Re: Version 14/15 documentation Section "Alter Default Privileges" (Laurenz Albe <laurenz.albe@cybertec.at>) |
| Responses |
Re: Version 14/15 documentation Section "Alter Default Privileges"
Re: Version 14/15 documentation Section "Alter Default Privileges" |
| List | pgsql-hackers |
On Mon, Nov 6, 2023 at 09:53:50PM +0100, Laurenz Albe wrote: > On Mon, 2023-11-06 at 10:55 -0500, Bruce Momjian wrote: > > Okay, I think I have good wording for this. I didn't like the wording > > of other roles, so I restructured that in the attached patch too. > > > <para> > > ! Default privileges apply only to the active role; the default > > ! privileges of member roles have no affect on object permissions. > > ! <command>SET ROLE</command> can be used to change the active user and > > ! apply their default privileges. > > ! </para> > > You don't mean member roles, but roles that the active role is a member of, > right? Yes, sorry fixed in the attached patch. > + <para> > + As a non-superuser, you can change default privileges only on objects created > + by yourself or by roles that you are a member of. However, you don't inherit > + altered default privileges from roles you are a member of; objects you create > + will receive the default privileges for your current role. > + </para> I went with different wording since I found the above confusing. You didn't seem to like my SET ROLE suggestion so I removed it. > + > + <para> > + There is no way to change the default privileges for objects created by > + arbitrary roles. You have run <command>ALTER DEFAULT PRIVILEGES</command> I find the above sentence odd. What is its purpose? > + for any role that can create objects whose default privileges should be > + modified. > + </para> > + > + <para> > + Currently, > + only the privileges for schemas, tables (including views and foreign > + tables), sequences, functions, and types (including domains) can be > + altered. For this command, functions include aggregates and procedures. > + The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are > + equivalent in this command. (<literal>ROUTINES</literal> is preferred > + going forward as the standard term for functions and procedures taken > + together. In earlier PostgreSQL releases, only the > + word <literal>FUNCTIONS</literal> was allowed. It is not possible to set > + default privileges for functions and procedures separately.) > + </para> > + > <para> > Default privileges that are specified per-schema are added to whatever > the global default privileges are for the particular object type. > @@ -136,8 +149,9 @@ REVOKE [ GRANT OPTION FOR ] > <term><replaceable>target_role</replaceable></term> > <listitem> > <para> > - The name of an existing role of which the current role is a member. > - If <literal>FOR ROLE</literal> is omitted, the current role is assumed. > + Default privileges are changed for objects created by the > + <replaceable>target_role</replaceable>, or the current > + role if unspecified. I like a verb to be first, like "Change" rather than "default privileges". Patch attached. -- Bruce Momjian <bruce@momjian.us> https://momjian.us EDB https://enterprisedb.com Only you can decide what is important to you.
Attachment
pgsql-hackers by date: