
Re: BUG #6421: Revoke column level privilage

From: "bdmytrak(at)eranet(dot)pl" <bdmytrak(at)eranet(dot)pl>
To: tgl(at)sss(dot)pgh(dot)pa(dot)us
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #6421: Revoke column level privilage
Date: 2012-02-01 21:49:54
Message-ID: 8564163.114.1328132994056.JavaMail.omnix03@wlas3
Lists: pgsql-bugs
Thanks for your answer.
Works as designed - I have to get used to it.
Please notice the return message from the REVOKE ALL command:
myDatabase=# REVOKE ALL("Column1") ON public."tblTest" FROM public;
REVOKE
myDatabase=# \dp public."tblTest"
                                Access privileges
 Schema |  Name   | Type  |     Access privileges      | Column access privileges
--------+---------+-------+----------------------------+--------------------------
 public | tblTest | table | postgres=arwdDxt/postgres +| Column1:                +
        |         |       | otherUser=ar*wdxt/postgres |   =r/otherUser
(1 row)
The return message is REVOKE, but the privileges are not really revoked? There should be at least a warning message generated. REVOKE...CASCADE works fine.
AFAIK the SQL Standard defines GRANTED BY. I haven't found it in the PostgreSQL documentation, so I assume it is not implemented. I think it is a good idea to implement it; this could help in that case.
Regards,
Bartek
--- Original message ---
From: Tom Lane [mailto: tgl(at)sss(dot)pgh(dot)pa(dot)us]
Sent: Tuesday, January 31, 2012 03:03 AM
To: bdmytrak(at)eranet(dot)pl
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: [BUGS] BUG #6421: Revoke column level privilage
bdmytrak(at)eranet(dot)pl writes:
> Cannot revoke column level privileges.
AFAICS this is not a bug, and it's certainly not specific to
column-level privileges. You had "postgres" grant some privileges to
"otherUser" with grant option, and then had "otherUser" re-grant those
privileges to public. "postgres" cannot revoke the re-grant directly.
You can have it revoke "otherUser"'s grant option. (I think this will
require the CASCADE keyword if there are dependent privileges that
have to be revoked in consequence.) Or you can log in as "otherUser"
and revoke the privilege grants made by that role. This is per design
and AFAIK it's per the SQL standard's requirements.
There's a lot of fine print in the Notes sections of the GRANT and
REVOKE reference pages, which you might find helpful.
regards, tom lane

Regards,
Bartek
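
Added example, not part of the original messages and not PostgreSQL project code: a constructed psql script that reproduces the silent no-op REVOKE discussed in this thread, lists column-level grants together with their grantor, and applies the "revoke as otherUser" remedy from the reply. Role and table names follow the thread; the GRANT statements are assumptions reconstructed from the \dp output above.

```sql
-- Constructed reproduction; run as superuser "postgres" in a scratch database.
-- The GRANT statements are assumed from the \dp output in the thread.
CREATE ROLE "otherUser";
CREATE TABLE public."tblTest" ("Column1" integer);

-- postgres gives otherUser SELECT together with the right to pass it on.
GRANT SELECT ON public."tblTest" TO "otherUser" WITH GRANT OPTION;

-- otherUser re-grants the column privilege to PUBLIC.
SET ROLE "otherUser";
GRANT SELECT ("Column1") ON public."tblTest" TO PUBLIC;
RESET ROLE;

-- Issued by postgres: prints REVOKE, but only grants whose grantor is
-- postgres are affected, so the PUBLIC entry made by otherUser stays.
REVOKE ALL ("Column1") ON public."tblTest" FROM PUBLIC;

-- Audit: list every column-level grant with its grantor, so the REVOKE can
-- be issued as the role that actually made the grant.
SELECT attname,
       pg_get_userbyid(grantor) AS grantor,
       CASE WHEN grantee = 0 THEN 'PUBLIC'   -- OID 0 denotes PUBLIC
            ELSE pg_get_userbyid(grantee) END AS grantee,
       privilege_type,
       is_grantable
FROM (SELECT attname, (aclexplode(attacl)).*
      FROM pg_attribute
      WHERE attrelid = 'public."tblTest"'::regclass
        AND attnum > 0 AND NOT attisdropped) AS col_acl;

-- Remedy from the reply: revoke as the role that made the grant.
SET ROLE "otherUser";
REVOKE SELECT ("Column1") ON public."tblTest" FROM PUBLIC;
RESET ROLE;
```

Running the audit query again after the last step should return no row for PUBLIC on "Column1".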
