From: | Christophe Pettus <xof(at)thebuild(dot)com> |
---|---|
To: | Daniel Gustafsson <daniel(at)yesql(dot)se> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, "pgsql-generallists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
Subject: | Re: No warning for a no-op REVOKE |
Date: | 2024-03-25 14:37:45 |
Message-ID: | DE7C1C13-7ED8-4815-B4B4-1ECE20C29C0C@thebuild.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
> On Mar 25, 2024, at 07:20, Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
>
>> On 25 Mar 2024, at 15:09, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>
>> My initial reaction is that we should warn only when the command
>> is a complete no-op, that is none of the mentioned privileges
>> matched.
>
> That's my gut reaction too,
I think that's fine. The all-singing-all-dancing solution would be to warn if the role retains any of the mentioned privileges for some other reason, as in:
WARNING: role "lowpriv" still has EXECUTE permission on "f()" via a grant to role "PUBLIC" by role "owner"
... but I suspect the implementation complexity there isn't trivial.
From | Date | Subject | |
---|---|---|---|
Next Message | Nathan Bossart | 2024-03-25 14:47:43 | Re: Slow GRANT ROLE on PostgreSQL 16 with thousands of ROLEs |
Previous Message | Daniel Gustafsson | 2024-03-25 14:20:17 | Re: No warning for a no-op REVOKE |