Thread: Discrepancy in the GRANT docs
I just noticed this. In the section of the page, near the end, that describes the access privileges display generated by psql's \z (which come from pg_class.relacl) there is the following:

    /yyyy -- user who granted this privilege

That's not the case. What gets listed there is the current owner of the table (at least in 8.2). So, then the question is are the docs correct or is the behavior correct?

Here's a test run:

    usda=# select current_user;
     current_user
    --------------
     admin
    (1 row)

    usda=# create table test (id integer);
    CREATE TABLE
    usda=# create role test_user1;
    CREATE ROLE
    usda=# create role test_user2;
    CREATE ROLE
    usda=# \z test
    Access privileges for database "usda"
     Schema | Name | Type  | Access privileges
    --------+------+-------+-------------------
     public | test | table |
    (1 row)

    usda=# grant all on test to test_user1;
    GRANT
    usda=# \z test
    Access privileges for database "usda"
     Schema | Name | Type  | Access privileges
    --------+------+-------+----------------------------------------------
     public | test | table | {admin=arwdxt/admin,test_user1=arwdxt/admin}
    (1 row)

    usda=# alter table test owner to test_user2;
    ALTER TABLE
    usda=# \z test
    Access privileges for database "usda"
     Schema | Name | Type  | Access privileges
    --------+------+-------+-------------------------------------------------------------
     public | test | table | {test_user2=arwdxt/test_user2,test_user1=arwdxt/test_user2}
    (1 row)

    usda=# alter table test owner to admin;
    ALTER TABLE
    usda=# \z test
    Access privileges for database "usda"
     Schema | Name | Type  | Access privileges
    --------+------+-------+----------------------------------------------
     public | test | table | {admin=arwdxt/admin,test_user1=arwdxt/admin}
    (1 row)

Erik Jones
Software Developer | Emma®
erik@myemma.com
800.595.4401 or 615.292.5888
615.292.0777 (fax)
Emma helps organizations everywhere communicate & market in style.
Visit us online at http://www.myemma.com
Erik Jones <erik@myemma.com> writes:
> I just noticed this. In the section of the page, near the end, that
> describes the access privileges display generated by psql's \z (which
> come from pg_class.relacl) there is the following:

> /yyyy -- user who granted this privilege

> That's not the case. What gets listed there is the current owner of
> the table (at least in 8.2).

Your test case does not show that. I think you missed this paragraph:

: If a superuser chooses to issue a GRANT or REVOKE command, the command
: is performed as though it were issued by the owner of the affected
: object. In particular, privileges granted via such a command will appear
: to have been granted by the object owner. (For role membership, the
: membership appears to have been granted by the containing role itself.)

regards, tom lane
On Nov 29, 2007, at 12:05 PM, Tom Lane wrote:
> Erik Jones <erik@myemma.com> writes:
>> I just noticed this. In the section of the page, near the end, that
>> describes the access privileges display generated by psql's \z (which
>> come from pg_class.relacl) there is the following:
>
>> /yyyy -- user who granted this privilege
>
>> That's not the case. What gets listed there is the current owner of
>> the table (at least in 8.2).
>
> Your test case does not show that. I think you missed this paragraph:
>
> : If a superuser chooses to issue a GRANT or REVOKE command, the command
> : is performed as though it were issued by the owner of the affected
> : object. In particular, privileges granted via such a command will appear
> : to have been granted by the object owner. (For role membership, the
> : membership appears to have been granted by the containing role itself.)
>
> regards, tom lane

Ah, thanks, I did miss that one.

Erik Jones
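For anyone auditing grants from \z or pg_class.relacl output like the session in this thread, here is an added example (not part of the original posts and not PostgreSQL's own code) that splits each grantee=privs/grantor entry and reports the recorded grantor. It assumes simple unquoted role names; parse_acl and grantors are hypothetical helper names, and the third sample string is constructed.

```python
import re

# Privilege letters as listed in the GRANT documentation; a '*' after a
# letter means the grantee also holds the grant option for that privilege.
PRIVS = {"r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE",
         "x": "REFERENCES", "t": "TRIGGER", "X": "EXECUTE", "U": "USAGE",
         "C": "CREATE", "c": "CONNECT", "T": "TEMPORARY"}

# grantee may be empty (PUBLIC); assumes role names without quoting or commas.
ITEM = re.compile(r"^(?P<grantee>[^=]*)=(?P<privs>[A-Za-z*]*)/(?P<grantor>.+)$")

def parse_acl(text):
    """Parse '{grantee=privs/grantor,...}' into a list of dicts."""
    body = text.strip()
    if not body:
        return []  # empty column: no explicit ACL stored, defaults apply
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("not an aclitem[] literal: %r" % text)
    entries = []
    for item in filter(None, body[1:-1].split(",")):
        m = ITEM.match(item.strip())
        if m is None:
            raise ValueError("bad aclitem: %r" % item)
        privs = [(PRIVS.get(letter, "?" + letter), star == "*")
                 for letter, star in re.findall(r"([A-Za-z])(\*?)", m["privs"])]
        entries.append({"grantee": m["grantee"] or "PUBLIC",
                        "grantor": m["grantor"], "privs": privs})
    return entries

def grantors(text):
    """Map each grantee to the grantor recorded in the ACL."""
    return {e["grantee"]: e["grantor"] for e in parse_acl(text)}

# The first two strings are copied from the session in the thread.
AFTER_GRANT = "{admin=arwdxt/admin,test_user1=arwdxt/admin}"
AFTER_OWNER_CHANGE = "{test_user2=arwdxt/test_user2,test_user1=arwdxt/test_user2}"
# Constructed sample: a PUBLIC entry and a grant option on SELECT.
CONSTRUCTED = "{=r/admin,test_user1=r*w/admin}"

if __name__ == "__main__":
    for acl in (AFTER_GRANT, AFTER_OWNER_CHANGE, CONSTRUCTED):
        for e in parse_acl(acl):
            names = [n + (" (grant option)" if g else "") for n, g in e["privs"]]
            print(e["grantee"], "<-", e["grantor"], ":", ", ".join(names))
```

In both thread samples the grantor field equals the table owner at the time of the \z call, so this field alone does not identify which login ran the GRANT when a superuser issued it.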