Thread

Commits

  1. Doc: improve discussion of object owners' inherent privileges.

  1. Role membership and DROP

    Laurenz Albe <laurenz.albe@cybertec.at> — 2019-11-13T21:36:11Z

    I realized only today that if role A is a member of role B,
    A can ALTER and DROP objects owned by B.
    
    I don't have a problem with that, but the documentation seems to
    suggest otherwise.  For example, for DROP TABLE:
    
       Only the table owner, the schema owner, and superuser can drop a table.
    
    Should I compose a doc patch, or is that too much of a corner case
    to mention?  I wanted to ask before I do the repetetive work.
    
    Yours,
    Laurenz Albe
    
    
    
    
    
  2. Re: Role membership and DROP

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-11-13T22:17:06Z

    Laurenz Albe <laurenz.albe@cybertec.at> writes:
    > I realized only today that if role A is a member of role B,
    > A can ALTER and DROP objects owned by B.
    > I don't have a problem with that, but the documentation seems to
    > suggest otherwise.  For example, for DROP TABLE:
    
    >    Only the table owner, the schema owner, and superuser can drop a table.
    
    Generally, if you are a member of a role, that means you are the role for
    privilege-test purposes.  I'm not on board with adding "(or a member of
    that role)" to every place it could conceivably be added; I think that
    would be more annoying than helpful.
    
    It might be worth clarifying this point in section 5.7,
    
    https://www.postgresql.org/docs/devel/ddl-priv.html
    
    but let's not duplicate that in every ref/ page.
    
    			regards, tom lane
    
    
    
    
  3. Re: Role membership and DROP

    Laurenz Albe <laurenz.albe@cybertec.at> — 2019-11-15T09:32:11Z

    On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
    > Laurenz Albe <laurenz.albe@cybertec.at> writes:
    > > I realized only today that if role A is a member of role B,
    > > A can ALTER and DROP objects owned by B.
    > > I don't have a problem with that, but the documentation seems to
    > > suggest otherwise.  For example, for DROP TABLE:
    > >     Only the table owner, the schema owner, and superuser can drop a table.
    > 
    > Generally, if you are a member of a role, that means you are the role for
    > privilege-test purposes.  I'm not on board with adding "(or a member of
    > that role)" to every place it could conceivably be added; I think that
    > would be more annoying than helpful.
    > 
    > It might be worth clarifying this point in section 5.7,
    > 
    > https://www.postgresql.org/docs/devel/ddl-priv.html
    > 
    > but let's not duplicate that in every ref/ page.
    
    That's much better.
    
    I have attached a proposed patch.
    
    Yours,
    Laurenz Albe
    
  4. Re: Role membership and DROP

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-11-15T18:41:06Z

    Laurenz Albe <laurenz.albe@cybertec.at> writes:
    > On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
    >> It might be worth clarifying this point in section 5.7,
    >> https://www.postgresql.org/docs/devel/ddl-priv.html
    >> but let's not duplicate that in every ref/ page.
    
    > I have attached a proposed patch.
    
       <para>
        The right to modify or destroy an object is always the privilege of
    -   the owner only.
    +   the owner.  Like all privileges, that right can be inherited by members of
    +   the owning role.
       </para>
    
    Hm.  This is more or less contradicting the original meaning of the
    existing sentence, so maybe we need to rewrite a bit more.  What do
    you think of
    
        The right to modify or destroy an object is inherent in being the
        object's owner.  Like all privileges, that right can be inherited by
        members of the owning role; but there is no way to grant or revoke
        it more selectively.
    
    A larger problem (pre-existing, since there's a reference to being a
    member of the owning role just a bit further down) is that I don't think
    we've defined role membership at this point, so the reader is quite
    entitled to come away more confused than they were before.  It might not
    be advisable to try to cover role membership here, but we should at
    least add a cross-reference to where it's explained.
    
    			regards, tom lane
    
    
    
    
  5. Re: Role membership and DROP

    Laurenz Albe <laurenz.albe@cybertec.at> — 2019-11-18T14:40:51Z

    On Fri, 2019-11-15 at 13:41 -0500, Tom Lane wrote:
    > Laurenz Albe <laurenz.albe@cybertec.at> writes:
    > > On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
    > > > It might be worth clarifying this point in section 5.7,
    > > > https://www.postgresql.org/docs/devel/ddl-priv.html
    > > > but let's not duplicate that in every ref/ page.
    > > I have attached a proposed patch.
    > 
    >    <para>
    >     The right to modify or destroy an object is always the privilege of
    > -   the owner only.
    > +   the owner.  Like all privileges, that right can be inherited by members of
    > +   the owning role.
    >    </para>
    > 
    > Hm.  This is more or less contradicting the original meaning of the
    > existing sentence, so maybe we need to rewrite a bit more.  What do
    > you think of
    > 
    >     The right to modify or destroy an object is inherent in being the
    >     object's owner.  Like all privileges, that right can be inherited by
    >     members of the owning role; but there is no way to grant or revoke
    >     it more selectively.
    > 
    > A larger problem (pre-existing, since there's a reference to being a
    > member of the owning role just a bit further down) is that I don't think
    > we've defined role membership at this point, so the reader is quite
    > entitled to come away more confused than they were before.  It might not
    > be advisable to try to cover role membership here, but we should at
    > least add a cross-reference to where it's explained.
    
    I think you are right about the potential confusion; I have added a
    cross-reference.  That cross-reference is hopefully still in short-term
    memory when the reader proceeds to the second reference to role membership
    a few sentences later.
    
    I like your second sentence, but I think that "the right ... is inherent
    in being the ... owner" is unnecessarily complicated.
    Removing the "always" and "only" makes the apparent contradiction between
    the sentences less jarring to me.
    
    I won't fight about words though.  Attached is my second attempt.
    
    Yours,
    Laurenz Albe
    
  6. Re: Role membership and DROP

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-11-19T18:21:37Z

    Laurenz Albe <laurenz.albe@cybertec.at> writes:
    > On Fri, 2019-11-15 at 13:41 -0500, Tom Lane wrote:
    >> Laurenz Albe <laurenz.albe@cybertec.at> writes:
    >>> On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
    >>>> It might be worth clarifying this point in section 5.7,
    >>>> https://www.postgresql.org/docs/devel/ddl-priv.html
    
    > I like your second sentence, but I think that "the right ... is inherent
    > in being the ... owner" is unnecessarily complicated.
    > Removing the "always" and "only" makes the apparent contradiction between
    > the sentences less jarring to me.
    
    I think it's important to emphasize that this is implicit in object
    ownership.
    
    Looking at the page again, I notice that there's a para a little further
    down that overlaps quite a bit with what we're discussing here, but it's
    about implicit grant options rather than the right to DROP.  In the
    attached, I reworded that too, and moved it because it's not fully
    intelligible until we've explained grant options.  Thoughts?
    
    			regards, tom lane
    
    
  7. Re: Role membership and DROP

    Laurenz Albe <laurenz.albe@cybertec.at> — 2019-11-19T23:05:11Z

    On Tue, 2019-11-19 at 13:21 -0500, Tom Lane wrote:
    > Laurenz Albe <laurenz.albe@cybertec.at> writes:
    > > On Fri, 2019-11-15 at 13:41 -0500, Tom Lane wrote:
    > > > Laurenz Albe <laurenz.albe@cybertec.at> writes:
    > > > > On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
    > > > > > It might be worth clarifying this point in section 5.7,
    > > > > > https://www.postgresql.org/docs/devel/ddl-priv.html
    > > I like your second sentence, but I think that "the right ... is inherent
    > > in being the ... owner" is unnecessarily complicated.
    > > Removing the "always" and "only" makes the apparent contradiction between
    > > the sentences less jarring to me.
    > 
    > I think it's important to emphasize that this is implicit in object
    > ownership.
    > 
    > Looking at the page again, I notice that there's a para a little further
    > down that overlaps quite a bit with what we're discussing here, but it's
    > about implicit grant options rather than the right to DROP.  In the
    > attached, I reworded that too, and moved it because it's not fully
    > intelligible until we've explained grant options.  Thoughts?
    
    I am fine with that.
    
    Yours,
    Laurenz Albe
    
    
    
    
    
  8. Re: Role membership and DROP

    Tom Lane <tgl@sss.pgh.pa.us> — 2019-11-20T17:27:56Z

    Laurenz Albe <laurenz.albe@cybertec.at> writes:
    > On Tue, 2019-11-19 at 13:21 -0500, Tom Lane wrote:
    >> Looking at the page again, I notice that there's a para a little further
    >> down that overlaps quite a bit with what we're discussing here, but it's
    >> about implicit grant options rather than the right to DROP.  In the
    >> attached, I reworded that too, and moved it because it's not fully
    >> intelligible until we've explained grant options.  Thoughts?
    
    > I am fine with that.
    
    OK, pushed.
    
    			regards, tom lane