| From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
|---|---|
| To: | Jean-Michel Scheiwiler <jm(dot)scheiwiler(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Access privileges /yyyy -- role that granted this privilege. |
| Date: | 2017-02-17 14:18:05 |
| Message-ID: | 6433a2c8-d2b5-76be-9cd6-cf3304381311@aklaver.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 02/17/2017 05:44 AM, Jean-Michel Scheiwiler wrote:
> Hello,
>
> I delve into access privileges and I have a problem (or a
> miscomprehension) when i type \l, \dn+ or \dp with the /yyyy "role that
> granted this privilege" part.
>
> ( https://www.postgresql.org/docs/current/static/sql-grant.html )
>
> \l for instance
>
> [postgres:~]$psql
> psql (9.6.2)
> Type "help" for help.
>
> postgres=# create role superman login superuser;
> CREATE ROLE
> postgres=# create role user01 login ;
> CREATE ROLE
> postgres=# create role user02 login ;
> CREATE ROLE
> postgres=# create database db001;
> CREATE DATABASE
> postgres=# \l db001
> List of databases
> Name | Owner | Encoding | Collate | Ctype | Access
> privileges
> -------+----------+----------+-------------+-------------+-------------------
> db001 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
> (1 row)
>
> postgres=# grant connect on database db001 to user01 ;
> GRANT
> postgres=# \l db001
> List of databases
> Name | Owner | Encoding | Collate | Ctype | Access
> privileges
> -------+----------+----------+-------------+-------------+-----------------------
> db001 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres
> +
> | | | | |
> postgres=CTc/postgres+
> | | | | | user01=c/postgres
> (1 row)
>
> postgres=# \q
> [postgres:~]$psql -U superman postgres
> psql (9.6.2)
> Type "help" for help.
>
> postgres=# grant connect on database db001 to user02;
> GRANT
> postgres=# \l db001
> List of databases
> Name | Owner | Encoding | Collate | Ctype | Access
> privileges
> -------+----------+----------+-------------+-------------+-----------------------
> db001 | postgres | UTF8 | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres
> +
> | | | | |
> postgres=CTc/postgres+
> | | | | |
> user01=c/postgres +
> | | | | | user02=c/postgres
> (1 row)
>
>
> I thought i would get user02=c/superman but instead i
> get user02=c/postgres => I don't get the "role that granted this
> privilege" but i get the owner of the database.
As a practical matter it does not matter as postgres and superman are
both superusers, still for an explanation of why it happens:
https://www.postgresql.org/docs/9.6/static/sql-grant.html
"If a superuser chooses to issue a GRANT or REVOKE command, the command
is performed as though it were issued by the owner of the affected
object. In particular, privileges granted via such a command will appear
to have been granted by the object owner. (For role membership, the
membership appears to have been granted by the containing role itself.)"
>
> The problem is the same with schemas or tables access privileges.
>
> Can you help me figure this out ?
What are you trying to achieve?
>
> Thank you in advance
>
> Jean-Michel Scheiwiler
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jean-Michel Scheiwiler | 2017-02-17 14:36:00 | Re: Access privileges /yyyy -- role that granted this privilege. |
| Previous Message | Adrian Klaver | 2017-02-17 14:10:15 | Re: Load multiple CSV file in Postgres using COPY |