Re: domain access privilege

From: Bruno Wolff III <bruno(at)wolff(dot)to>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: domain access privilege
Date: 2002-07-20 16:59:22
Message-ID: 20020720165922.GA32264@wolff.to
Lists: pgsql-general

On Sat, Jul 20, 2002 at 11:59:07 -0400,
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Bruno Wolff III <bruno(at)wolff(dot)to> writes:
> > I didn't see anything in the 7.3 docs on what privilege will be needed
> > to use a domain.
>
> It's documented, but I think only on the GRANT reference page at
> present:
> http://candle.pha.pa.us/main/writings/pgsql/sgml/sql-grant.html
>
> regards, tom lane

There isn't much. "domain" is only referred to in the compatibility section.
It says "usage" is the standard keyword used for granting permission
to use domains. It doesn't indicate that this will be something usable
in 7.3. I haven't downloaded the 7.3 code, so I can't tell if this is
just a case of the development documentation not having been finished or
if there isn't going to be a way to do it.

It's not a big deal keeping domains secret. But if anyone can reference your
domain, it looks like they can keep you from dropping it. (Assuming it
works like the references privilege currently does in 7.2.1.) This might
be a pain in the rear in some cases. (The admin can always help you out
though.)

There can be a similar problem if you temporarily grant someone references
to a table to do something and they either create other references you
don't want or they refuse to drop the reference later to allow you to
drop the table. Revoke of references doesn't affect references that have
already been made (which can be good for some purposes). I don't think there
is a better solution to this than appealing to the local superuser, since
letting someone drop somebody else's tables unexpectedly is a worse solution
and there aren't a lot of other options.
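
An audit query for the situation described in the message above, added here as an example and not part of the original message or of the PostgreSQL documentation. It assumes a current PostgreSQL release (the catalogs `pg_constraint` and `pg_roles` are newer than the 7.2.1 server discussed) and lists foreign keys whose referencing table belongs to a different role than the referenced table, flagging those where the REFERENCES privilege is no longer held.

```sql
-- Added example: list cross-owner foreign keys in the current database.
-- Assumes modern PostgreSQL system catalogs; run as a role that can read them.
SELECT
    c.conname                    AS constraint_name,
    c.conrelid::regclass         AS referencing_table,
    child_owner.rolname          AS referencing_owner,
    c.confrelid::regclass        AS referenced_table,
    parent_owner.rolname         AS referenced_owner,
    -- false here means the foreign key outlived the privilege it was created
    -- under; superusers always report true
    has_table_privilege(child_owner.oid, c.confrelid, 'REFERENCES')
                                 AS still_has_references,
    pg_get_constraintdef(c.oid)  AS definition
FROM pg_constraint c
JOIN pg_class child        ON child.oid        = c.conrelid
JOIN pg_class parent       ON parent.oid       = c.confrelid
JOIN pg_roles child_owner  ON child_owner.oid  = child.relowner
JOIN pg_roles parent_owner ON parent_owner.oid = parent.relowner
WHERE c.contype = 'f'                       -- foreign-key constraints only
  AND child.relowner <> parent.relowner     -- owned by someone else
ORDER BY parent.relname, child.relname;
```

Running it before a temporary REFERENCES grant and again after the revoke shows which constraints were created in between.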
