From: | Noah Misch <noah(at)leadboat(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: ALTER DEFAULT PRIVILEGES FOR ROLE is broken |
Date: | 2013-04-29 22:54:49 |
Message-ID: | 20130429225449.GA9882@tornado.leadboat.com |
Lists: | pgsql-hackers |
On Mon, Apr 29, 2013 at 01:25:47PM -0400, Tom Lane wrote:
> Josh Berkus <josh(at)agliodbs(dot)com> writes:
> > On 04/29/2013 09:59 AM, Tom Lane wrote:
> >> As I pointed out to you last night, it does already say that.
> >> I think the problem here is that we're just throwing a generic
> >> permissions failure rather than identifying the particular permission
> >> needed.
>
> > Yeah, a better error message would help a lot. My first thought was
> > "WTF? I'm the superuser, whaddya mean, 'permission denied'"?
>
> Right. I wonder if there's any good reason why we shouldn't extend
> aclerror() to, in all cases, add a DETAIL line along the lines of
>
> ERROR: permission denied for schema web
> DETAIL: This operation requires role X to have privilege Y.
>
> Is there any scenario where this'd be exposing too much info?
Can't think of one. Seems safe and helpful.
The particular restriction at hand, namely that a role have CREATE rights on a
schema before assigning role-specific default privileges, seems like needless
paternalism. It would be akin to forbidding ALTER ROLE ... PASSWORD on a
NOLOGIN role. I'd support removing it when such a proposal arrives. If
anything, require that the user executing the ALTER DEFAULT PRIVILEGES, not
the subject of the command, has CREATE rights on the schema.
--
Noah Misch
EnterpriseDB http://www.enterprisedb.com
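The restriction Noah describes, as an added SQL example that is not part of this thread (role, schema and table names are constructed; the failing statement is kept to show the generic "permission denied" the thread complains about, and the check is the one the thread discusses: the subject role of FOR ROLE, not the executing user, must hold CREATE on the schema):

```sql
-- Constructed setup: a NOLOGIN application role and a schema it does not own.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_reader NOLOGIN;
CREATE SCHEMA web;

-- Run as superuser. Fails with "permission denied for schema web" because
-- app_owner (the subject of FOR ROLE) lacks CREATE on schema web, even
-- though the executing user is a superuser.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA web
    GRANT SELECT ON TABLES TO app_reader;

-- Check the subject role's CREATE right on the schema before retrying;
-- this is the privilege the error message does not name.
SELECT has_schema_privilege('app_owner', 'web', 'CREATE') AS subject_can_create;

-- Remediation: give the subject role CREATE on the schema, then set defaults.
GRANT CREATE ON SCHEMA web TO app_owner;
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA web
    GRANT SELECT ON TABLES TO app_reader;

-- Verify the default ACL was recorded for (role, schema, object type).
-- defaclobjtype 'r' is the entry for tables (relations).
SELECT r.rolname       AS for_role,
       n.nspname       AS in_schema,
       d.defaclobjtype AS obj_type,
       d.defaclacl     AS default_acl
  FROM pg_default_acl d
  JOIN pg_roles     r ON r.oid = d.defaclrole
  JOIN pg_namespace n ON n.oid = d.defaclnamespace
 WHERE r.rolname = 'app_owner';
```

Note that the remediation widens app_owner's rights on the schema solely to satisfy this check, which is the "needless paternalism" the reply objects to.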