Re: Revoke Connect Privilege from Database not working

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: "Ing(dot) Marijo Kristo" <marijo(dot)kristo(at)icloud(dot)com>
Cc: pgsql-sql(at)lists(dot)postgresql(dot)org
Subject: Re: Revoke Connect Privilege from Database not working
Date: 2025-04-01 14:15:13
Message-ID: CAKFQuwZyJbnSBC2fW9bL-ftd6JR7jfwSdV83dsbE7vpWm4vqNQ@mail.gmail.com
Lists: pgsql-sql

On Tue, Apr 1, 2025 at 4:59 AM Ing. Marijo Kristo <marijo(dot)kristo(at)icloud(dot)com>
wrote:

>
> >
> "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"=c/vault_admin
>
> > Same happens when trying to revoke with the vault admin user:
> >
> > disp_db=# select current_user;
> > current_user
> > --------------
> > vault_admin
> > (1 row)
> >
> > disp_db=# revoke connect on database "disp_db" from
> > "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> > REVOKE
> > disp_db=# drop user
> > "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> > ERROR: role "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"
> > cannot be dropped because some objects depend on it
> > DETAIL: privileges for database disp_db
>
>
If you include the "granted by" clause when you perform revoke everything
usually just works.

"If a superuser chooses to issue a GRANT or REVOKE command, the command is
performed as though it were issued by the owner of the affected object." [1]

The fact vault_admin is superuser overrides the fact that it is their
specific grant that is trying to be revoked.

David J.

[1] https://www.postgresql.org/docs/current/sql-revoke.html
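
Added example, not part of the original message: a read-only catalog query that shows which grantor each database privilege held by the role records, and whether a REVOKE performed as the database owner (the superuser case quoted from [1]) would match that entry. The role name is the one quoted in the thread; the column alias matched_by_revoke_as_owner is made up for this example.

```sql
-- pg_database is a shared catalog, so this covers every database in the
-- cluster, not only the one the session is connected to.
SELECT d.datname,
       pg_get_userbyid(d.datdba)  AS db_owner,
       pg_get_userbyid(a.grantee) AS grantee,
       a.privilege_type,
       a.is_grantable,
       pg_get_userbyid(a.grantor) AS grantor,
       -- REVOKE only removes privileges recorded under the grantor it acts
       -- as. A superuser's REVOKE acts as the owner, so an entry granted by
       -- any other role (such as "=c/vault_admin") is left in place and
       -- keeps blocking DROP ROLE.
       (a.grantor = d.datdba)     AS matched_by_revoke_as_owner
FROM pg_database AS d
CROSS JOIN LATERAL aclexplode(d.datacl) AS a   -- no rows when datacl is NULL
WHERE a.grantee = (
        SELECT oid
        FROM pg_roles
        WHERE rolname = 'dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00'
      )
ORDER BY d.datname, a.privilege_type, grantor;
```

Running it again after a REVOKE shows whether the entry was actually removed; the "privileges for database" dependency in the DROP error goes away only when no rows remain for that database.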
