Re: Add sentence about SECURITY LABEL object ownership

Laurenz Albe <laurenz.albe@cybertec.at>

From: Laurenz Albe <laurenz.albe@cybertec.at>
To: Patrick Stählin <me@packi.ch>, pgsql-docs@lists.postgresql.org
Date: 2025-06-05T14:21:47Z
Lists: pgsql-docs
On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
> Hi,
> 
> I noticed that we don't document that you need to own the object being 
> modified by SECURITY LABEL.
> 
> Page: https://www.postgresql.org/docs/current/sql-security-label.html
> 
> I've attached a patch that would have answered that question (for me) 
> without diving into the code.

> --- a/doc/src/sgml/ref/security_label.sgml
> +++ b/doc/src/sgml/ref/security_label.sgml
> @@ -84,6 +84,10 @@ SECURITY LABEL [ FOR <replaceable class="parameter">provider</replaceable> ] ON
>     based on object labels, rather than traditional discretionary access control
>     (DAC) concepts such as users and groups.
>    </para>
> +
> +  <para>
> +   You must own the database object to use the <command>SECURITY LABEL</command>.
> +  </para>
>   </refsect1>
>  
>   <refsect1>

Wouldn't it be more accurate to say that you have to be a member of the owning role?
But perhaps that would be complicated enough to confuse many users.

In general, +1 for documenting that.

Yours,
Laurenz Albe



Commits

  1. Doc: you must own the target object to use SECURITY LABEL.