
Doc: improve discussion of object owners' inherent privileges.

In particular, clarify that the role membership mechanism allows
members to inherit the ownership privileges of an object's owning
role.

Laurenz Albe, with some kibitzing by me

Discussion: https://postgr.es/m/504497aca66bf34bdcdd90bd0bcebdc3a33f577b.camel@cybertec.at
Tom Lane
2019-11-20 12:27:00 -05:00
parent a28704af42
commit 86be6453ba


@ -1578,8 +1578,10 @@ ALTER TABLE products RENAME TO items;
</para> </para>
<para> <para>
The right to modify or destroy an object is always the privilege of The right to modify or destroy an object is inherent in being the
the owner only. object's owner, and cannot be granted or revoked in itself.
(However, like all privileges, that right can be inherited by
members of the owning role; see <xref linkend="role-membership"/>.)
</para> </para>
<para> <para>
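Review bot: the parenthetical in the new text ("like all privileges, that right can be inherited by members of the owning role") is the security-relevant part of this hunk and reads as an aside, although what is inherited is the right to destroy the object. Consider stating it directly rather than in parentheses, e.g. "Note that members of the owning role inherit the owner's rights, including the right to drop the object; see <xref linkend="role-membership"/>." Also confirm that "role-membership" is an existing id so the xref resolves at build time.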
@ -1614,17 +1616,11 @@ GRANT UPDATE ON accounts TO joe;
</para> </para>
<para> <para>
To revoke a privilege, use the fittingly named To revoke a previously-granted privilege, use the fittingly named
<xref linkend="sql-revoke"/> command: <xref linkend="sql-revoke"/> command:
<programlisting> <programlisting>
REVOKE ALL ON accounts FROM PUBLIC; REVOKE ALL ON accounts FROM PUBLIC;
</programlisting> </programlisting>
The special privileges of the object owner (i.e., the right to do
<command>DROP</command>, <command>GRANT</command>, <command>REVOKE</command>, etc.)
are always implicit in being the owner,
and cannot be granted or revoked. But the object owner can choose
to revoke their own ordinary privileges, for example to make a
table read-only for themselves as well as others.
</para> </para>
<para> <para>
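Review bot: removing this paragraph drops the explicit list of owner-only operations (<command>DROP</command>, <command>GRANT</command>, <command>REVOKE</command>); the replacement wording in the hunk at line 1578 only says "modify or destroy", so a reader no longer learns here that granting and revoking are themselves owner rights. Consider carrying that enumeration over into the new sentence. The change from "To revoke a privilege" to "To revoke a previously-granted privilege" is a good tightening, since it rules out the reading that an owner's inherent rights could be removed with REVOKE.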
@ -1638,6 +1634,13 @@ REVOKE ALL ON accounts FROM PUBLIC;
<xref linkend="sql-revoke"/> reference pages. <xref linkend="sql-revoke"/> reference pages.
</para> </para>
<para>
An object's owner can choose to revoke their own ordinary privileges,
for example to make a table read-only for themselves as well as others.
But owners are always treated as holding all grant options, so they
can always re-grant their own privileges.
</para>
<para> <para>
The available privileges are: The available privileges are:
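Review bot: the new paragraph correctly notes that an owner can always re-grant privileges they revoked from themselves, but the consequence deserves one more sentence: self-revocation by the owner guards against accidental writes, not against the owner (or, per the earlier hunk, members of the owning role), so it must not be read as a way to lock a table down. Suggest appending that after "can always re-grant their own privileges."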
@ -4695,7 +4698,7 @@ EXPLAIN SELECT count(*) FROM measurement WHERE logdate &gt;= DATE '2008-01-01';
</itemizedlist> </itemizedlist>
</para> </para>
</sect2> </sect2>
<sect2 id="ddl-partitioning-declarative-best-practices"> <sect2 id="ddl-partitioning-declarative-best-practices">
<title>Declarative Partitioning Best Practices</title> <title>Declarative Partitioning Best Practices</title>
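Review bot: this hunk (-4695,7 +4698,7) shows no visible difference between old and new lines; the </itemizedlist>, </para>, </sect2> and sect2 opening are identical on both sides, so the change is presumably whitespace-only. An unrelated whitespace fix is better left out of a wording-only doc commit, or at least mentioned in the commit message, so reviewers do not hunt for a content change that is not there.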