| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | David Fetter <david(at)fetter(dot)org> |
| Cc: | Alvaro Herrera <alvherre(at)commandprompt(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: default privileges wording |
| Date: | 2011-06-29 17:42:34 |
| Message-ID: | BANLkTiknRwbTw_A0odBvBt+DRMZ3suhqcQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Wed, Jun 29, 2011 at 1:20 PM, David Fetter <david(at)fetter(dot)org> wrote:
> On Wed, Jun 29, 2011 at 11:50:38AM -0400, Alvaro Herrera wrote:
>> Excerpts from Andrew Dunstan's message of mié jun 29 11:21:12 -0400 2011:
>> >
>> > I was just reading the docs on default privileges, and they say this:
>> >
>> > Depending on the type of object, the initial default privileges
>> > might include granting some privileges to PUBLIC. The default is no
>> > public access for tables, columns, schemas, and tablespaces; CONNECT
>> > privilege and TEMP table creation privilege for databases; EXECUTE
>> > privilege for functions; and USAGE privilege for languages. The
>> > object owner can of course revoke these privileges.
>> >
>> >
>> > I had to read it several times before I understood it properly, so I'm
>> > not terribly happy with it. I'm thinking of revising it slightly like this:
>> >
>> > Depending on the type of object, the initial default privileges
>> > might include granting some privileges to PUBLIC, including CONNECT
>> > privilege and TEMP table creation privilege for databases, EXECUTE
>> > privilege for functions, and USAGE privilege for languages. For
>> > tables, columns, schemas and tablespaces the default is no public
>> > access. The object owner can of course revoke any default PUBLIC
>> > privileges.
>>
>> Some types of objects [have/include/grant] no privileges to PUBLIC by
>> default. These are tables, columns, schemas and tablespaces. For other
>> types, the default privileges granted to PUBLIC are as follows: CONNECT
>> privilege and TEMP table creation privilege for databases; EXECUTE
>> privilege for functions; and USAGE privilege for languages. The object
>> owner can, of course, revoke [these/any default] privileges.
>
> How about this?
>
> Some types of objects deny all privileges to PUBLIC by default. These
> are tables, columns, schemas and tablespaces. For other types, the
> default privileges granted to PUBLIC are as follows: CONNECT privilege
> and TEMP table creation privilege for databases; EXECUTE privilege for
> functions; and USAGE privilege for languages. The object owner can,
> of course, revoke both default and expressly granted privileges.
Or, since I find the use of the word "deny" a bit unclear:
When a table, column, schema, or tablespace is created, no privileges
are granted to PUBLIC. But for other objects, some privileges will be
granted to PUBLIC automatically at the time the object is created:
CONNECT privilege and TEMP table creation privilege for database, ...
<etc., the rest as you have it>
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Simon Riggs | 2011-06-29 17:50:22 | Re: time-delayed standbys |
| Previous Message | Radosław Smogura | 2011-06-29 17:34:23 | Patch Review: Bugfix for XPATH() if text or attribute nodes are selected |