Re: Version 14/15 documentation Section "Alter Default Privileges"

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: Bruce Momjian <bruce(at)momjian(dot)us>, Michael Banck <mbanck(at)gmx(dot)net>
Cc: David Burns <david(dot)burns(at)fedex(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Version 14/15 documentation Section "Alter Default Privileges"
Date: 2023-11-04 06:05:28
Message-ID: b227432f87266b680fd6f31e37b202b2fae5d9b6.camel@cybertec.at
Lists: pgsql-docs pgsql-hackers

On Fri, 2023-11-03 at 12:53 -0400, Bruce Momjian wrote:
> I have developed the attached patch on top of the alter default patch I
> just applied. It is more radical, making FOR ROLE clearer, and also
> moving my new FOR ROLE text up to the first paragraph, and reordering
> the paragraphs to be clearer.
>
> I think this is too radical for backpatch to 11/12, but I think
> 16/master makes sense after the minor releases next week.

I think it is a good idea to move part of the text to a new paragraph.

> --- a/doc/src/sgml/ref/alter_default_privileges.sgml
> +++ b/doc/src/sgml/ref/alter_default_privileges.sgml
> @@ -90,23 +90,14 @@ REVOKE [ GRANT OPTION FOR ]
> [...]
> + As a non-superuser, you can change default privileges only for yourself
> + and for roles that you are a member of. These privileges are not
> + inherited, so member roles must use <command>SET ROLE</command> to
> + access these privileges, or <command>ALTER DEFAULT PRIVILEGES</command>
> + must be run for each member role. Privileges can be set globally
> + (i.e., for all objects created in the current database), or just for
> + objects created in specified schemas.
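
Review bot: In the added paragraph, "change default privileges only for yourself and for roles that you are a member of" and "access these privileges" never say that the setting applies to objects a role creates, so the text can be read as the role itself receiving privileges. Suggest phrasing it in terms of the creator, for example "on objects created by yourself or by roles that you are a member of", and saying that SET ROLE is what makes a member role create objects under the identity for which the defaults were altered.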

This paragraph is not clear enough about who gets the privileges and
who creates the objects, and that is one of the difficulties in understanding
ALTER DEFAULT PRIVILEGES.

Perhaps:

<para>
<command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges
that will be applied to objects created in the future. (It does not
affect privileges assigned to already-existing objects.) Privileges can be
set globally (i.e., for all objects created in the current database), or
just for objects created in specified schemas.
</para>

<para>
As a non-superuser, you can change default privileges only on objects created
by yourself or by roles that you are a member of. If you alter the default
privileges for a role, only objects created by that role will be affected.
It is not sufficient to be a member of that role; member roles must use
<command>SET ROLE</command> to assume the identity of the role for which
default privileges were altered.
</para>

<para>
There is no way to change the default privileges for objects created by
any role. You have to run <command>ALTER DEFAULT PRIVILEGES</command> for all
roles that can create objects whose default privileges should be modified.
</para>

> @@ -136,12 +140,9 @@ REVOKE [ GRANT OPTION FOR ]
> <term><replaceable>target_role</replaceable></term>
> <listitem>
> <para>
> - The name of an existing role of which the current role is a member.
> - Default access privileges are not inherited, so member roles
> - must use <command>SET ROLE</command> to access these privileges,
> - or <command>ALTER DEFAULT PRIVILEGES</command> must be run for
> - each member role. If <literal>FOR ROLE</literal> is omitted,
> - the current role is assumed.
> + If <literal>FOR ROLE</literal> is specified, this is the role that
> + will be assigned the new default privileges, or the current role
> + if not specified.
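
Review bot: The replacement text calls target_role "the role that will be assigned the new default privileges", which describes it as the grantee; the entry should say instead that default privileges change for objects created by target_role. The trailing "or the current role if not specified" also attaches to "assigned", and the removed requirement that target_role be an existing role of which the current role is a member is no longer stated in this entry; consider keeping the omitted-FOR-ROLE default as its own sentence.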

This is downright wrong; the "target_role" will *not* be assigned any
privileges.

Perhaps:

<para>
Default privileges are changed only for objects created by
<replaceable>target_role</replaceable>. If <literal>FOR ROLE</literal>
is omitted, the current role is assumed.
</para>

Yours,
Laurenz Albe
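
The distinction discussed in this thread, as an added SQL example that is not part of the original message or of the PostgreSQL documentation: default privileges set FOR ROLE apply to objects that role creates, and membership alone does not trigger them. Role, schema and table names are hypothetical; the script assumes a superuser session in a scratch database.

```sql
-- Constructed demo: app_owner is the creator (target_role), reader is the grantee.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE dev LOGIN IN ROLE app_owner;   -- dev is a member of app_owner
CREATE ROLE reader NOLOGIN;

CREATE SCHEMA demo;
GRANT USAGE, CREATE ON SCHEMA demo TO app_owner;  -- dev inherits this via membership
GRANT USAGE ON SCHEMA demo TO reader;

-- Changes defaults only for tables that app_owner itself creates in schema demo.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA demo
    GRANT SELECT ON TABLES TO reader;

-- Case 1: dev creates a table under its own identity (owner = dev).
SET SESSION AUTHORIZATION dev;
CREATE TABLE demo.t_by_dev (id int);
RESET SESSION AUTHORIZATION;

-- Case 2: dev assumes app_owner's identity first (owner = app_owner).
SET SESSION AUTHORIZATION dev;
SET ROLE app_owner;
CREATE TABLE demo.t_by_owner (id int);
RESET ROLE;
RESET SESSION AUTHORIZATION;

-- Compare who owns each table and whether reader received SELECT on it.
SELECT c.relname,
       pg_get_userbyid(c.relowner) AS owner,
       has_table_privilege('reader', c.oid, 'SELECT') AS reader_can_select
FROM pg_class c
WHERE c.relnamespace = 'demo'::regnamespace
  AND c.relkind = 'r'
ORDER BY c.relname;

-- Stored default ACL entries: one row, keyed by the creating role and schema.
SELECT pg_get_userbyid(defaclrole) AS creator, defaclobjtype, defaclacl
FROM pg_default_acl;
```

Only the table created after SET ROLE app_owner carries the SELECT grant for reader; the table owned by dev is unaffected even though dev is a member of app_owner.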
