| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
| Cc: | Dominique Devienne <ddevienne(at)gmail(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: DROP ROLE as SUPERUSER |
| Date: | 2025-02-20 16:52:18 |
| Message-ID: | 2765124.1740070338@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
"David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> writes:
> On Thu, Feb 20, 2025 at 9:05 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> It used to be that if a superuser issued GRANT/REVOKE, the operation
>> was silently done as the owner of the affected object.
> That is still the case according to the docs (REVOKE):
[ scratches head ... ] I thought we had changed that, but nope I'm wrong:
regression=# create user alice;
CREATE ROLE
regression=# create user bob;
CREATE ROLE
regression=# \c - alice
You are now connected to database "regression" as user "alice".
regression=> create table alices_table (f1 int);
CREATE TABLE
regression=> grant select on alices_table to bob;
GRANT
regression=> \dp alices_table
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
public | alices_table | table | alice=arwdDxtm/alice+| |
| | | bob=r/alice | |
(1 row)
regression=> \c - postgres
You are now connected to database "regression" as user "postgres".
regression=# grant update on alices_table to bob;
GRANT
regression=# \dp alices_table
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
public | alices_table | table | alice=arwdDxtm/alice+| |
| | | bob=rw/alice | |
(1 row)
regression=# revoke update on alices_table from bob;
REVOKE
regression=# \dp alices_table
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
public | alices_table | table | alice=arwdDxtm/alice+| |
| | | bob=r/alice | |
(1 row)
regression=# revoke select on alices_table from bob;
REVOKE
regression=# \dp alices_table
Access privileges
Schema | Name | Type | Access privileges | Column privileges | Policies
--------+--------------+-------+----------------------+-------------------+----------
public | alices_table | table | alice=arwdDxtm/alice | |
(1 row)
So grants and revokes are still being done as the object owner by
default.
Now I'm unclear on exactly what was happening in Dominique's case.
Was the problematic permission granted by somebody other than the
database's owner?
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jerry Sievers | 2025-02-21 03:57:43 | Re: In-place upgrade with streaming replicas |
| Previous Message | David G. Johnston | 2025-02-20 16:29:40 | Re: DROP ROLE as SUPERUSER |