From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Cc: | john(dot)doe(at)example(dot)com |
Subject: | BUG #16124: Altering default privileges problem |
Date: | 2019-11-18 14:44:37 |
Message-ID: | 16124-423d8ee4358421bc@postgresql.org |
Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 16124
Logged by: John Doe
Email address: john(dot)doe(at)example(dot)com
PostgreSQL version: 11.5
Operating system: NixOS
Description:
Altering default privileges in a specific schema to revoke all privileges on
types from PUBLIC does nothing.
Steps to reproduce:
- Connect as superuser and execute:
CREATE ROLE ownerrole WITH INHERIT LOGIN PASSWORD 'ownerrole';
CREATE ROLE approle WITH INHERIT LOGIN PASSWORD 'approle';
CREATE DATABASE test1 ENCODING = 'UTF8' OWNER = ownerrole;
CREATE DATABASE test2 ENCODING = 'UTF8' OWNER = ownerrole;
Test 1
- Setup: Connect as ownerrole to test1 and execute the following commands:
CREATE SCHEMA myschema;
GRANT ALL PRIVILEGES ON SCHEMA myschema TO approle;
ALTER DEFAULT PRIVILEGES
FOR ROLE ownerrole
IN SCHEMA myschema
REVOKE ALL PRIVILEGES ON TYPES FROM PUBLIC;
CREATE DOMAIN myschema.comment AS text;
- Test: connect as approle to test1 and execute the following command:
CREATE TABLE myschema.table(
comment myschema.comment
);
- Actual result:
The myschema.table table is created.
- Expected result:
The table creation should fail due to the following error:
ERROR: permission denied for type myschema.comment
- Notes:
$ psql -U ownerrole -d test1
psql (11.5)
Type "help" for help.
test1=> \ddp
Default access privileges
Owner | Schema | Type | Access privileges
-------+--------+------+-------------------
(0 rows)
Test 2
- Setup: Connect as ownerrole to test2 and execute the following commands
(ALTER DEFAULT PRIVILEGES is not specific to any schema):
CREATE SCHEMA myschema;
GRANT ALL PRIVILEGES ON SCHEMA myschema TO approle;
ALTER DEFAULT PRIVILEGES
FOR ROLE ownerrole
REVOKE ALL PRIVILEGES ON TYPES FROM PUBLIC;
CREATE DOMAIN myschema.comment AS text;
- Test: connect as approle to test2 and execute the following command:
CREATE TABLE myschema.table(
comment myschema.comment
);
- Actual result:
ERROR: permission denied for type myschema.comment
- Expected result:
ERROR: permission denied for type myschema.comment
- Notes:
$ psql -U ownerrole -d test2
psql (11.5)
Type "help" for help.
test2=> \ddp
Default access privileges
Owner | Schema | Type | Access privileges
-----------+--------+------+-----------------------
ownerrole | | type | ownerrole=U/ownerrole
(1 row)
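
The following is an added example, not part of the original report or of PostgreSQL's own code. It audits which types in myschema PUBLIC can still use after the Test 1 setup, then applies the schema-less revoke that Test 2 shows taking effect. The PostgreSQL documentation for ALTER DEFAULT PRIVILEGES describes per-schema default privileges as added to the global ones. It assumes the roles, schema and domain from the report and a session connected to test1 as ownerrole.

```sql
-- Added example. Assumes the Test 1 setup in database test1, run as ownerrole.

-- 1. Detect: user-defined types in myschema that PUBLIC can use.
--    Table row types and auto-generated array types are skipped,
--    the same way psql's \dT filters them.
SELECT n.nspname                   AS schema,
       t.typname                   AS type,
       pg_get_userbyid(t.typowner) AS owner,
       t.typacl                    AS acl  -- NULL: built-in default ACL applies
FROM pg_type t
JOIN pg_namespace n ON n.oid = t.typnamespace
WHERE n.nspname = 'myschema'
  AND (t.typrelid = 0
       OR (SELECT c.relkind = 'c' FROM pg_class c WHERE c.oid = t.typrelid))
  AND NOT EXISTS (SELECT 1 FROM pg_type el WHERE el.typarray = t.oid)
  AND has_type_privilege('public', t.oid, 'USAGE');

-- 2. Fix the domain that already exists: default privileges only affect
--    objects created later, so it needs an explicit REVOKE.
REVOKE USAGE ON DOMAIN myschema.comment FROM PUBLIC;

-- 3. Cover types created in future: revoke without IN SCHEMA (the Test 2 form).
ALTER DEFAULT PRIVILEGES FOR ROLE ownerrole
    REVOKE ALL PRIVILEGES ON TYPES FROM PUBLIC;

-- 4. Verify: public_can_use is false once step 2 has run, and \ddp now
--    lists an entry for ownerrole as in the Test 2 notes.
SELECT has_type_privilege('public', 'myschema.comment', 'USAGE')
       AS public_can_use;
```

Step 3 applies to every schema in the current database in which ownerrole later creates types, so any role that needs those types must be granted USAGE explicitly.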