| From: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Bryn Llewellyn <bryn(at)yugabyte(dot)com>, jeremy(at)musicsmith(dot)net, pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute" |
| Date: | 2022-02-11 22:41:13 |
| Message-ID: | CAKFQuwaQo9_KjEniKBhq=kGJWFS4TSRyJ9NS7WAO4nzmsJxMmg@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Fri, Feb 11, 2022 at 3:05 PM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> (I wonder if it'd be practical or useful to emit a warning when
> granting permissions on an object that already has a grant of
> the same permissions to PUBLIC. That would at least cue people
> who don't understand about this behavior that they ought to look
> more closely.)
>
We did something similar a while ago where we now warn if you try to revoke
a privilege on a role that is actually inherited from PUBLIC and so the
revoke on the role doesn't actually do anything. The inverse seems
reasonable, and consistent that, at first blush.
David J.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bryn Llewellyn | 2022-02-11 23:14:39 | Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute" |
| Previous Message | David G. Johnston | 2022-02-11 22:38:50 | Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute" |