| From: | "Albe Laurenz" <laurenz(dot)albe(at)wien(dot)gv(dot)at> |
|---|---|
| To: | "Keith Fiske *EXTERN*" <keith(at)omniti(dot)com>, <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: ALTER DEFAULT PRIVILEGES target_role doesn't work with group roles |
| Date: | 2012-02-22 08:33:58 |
| Message-ID: | D960CB61B694CF459DCFB4B0128514C20785C897@exadv11.host.magwien.gv.at |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Keith Fiske wrote:
> Situation:
> I have two roles, alice & bob. Both are members of the dev_user group
role.
> I have a schema called 'reports' that both of these users would like
> to be able to manage.
>
> I thought I could use the ALTER DEFAULT PRIVILEGES option
>
(http://www.postgresql.org/docs/9.1/static/sql-alterdefaultprivileges.ht
ml)
> to set it up so that if anyone in the dev_user group role created a
> table in the reports schema, then Postgres would automatically grant
> all privileges to the group role. Then both Alice and Bob could access
> each other's objects in a schema other than their own. This would also
> make it so that any future roles added to the dev_user schema would
> have this happen automatically.
>
> ALTER DEFAULT PRIVILEGES FOR ROLE dev_user IN SCHEMA reports GRANT ALL
> ON TABLES TO dev_user;
>
> It turns out the "target_role" does not work for group roles. When
> either Alice or Bob creates a table in the reports schema, the
> dev_user grants are not automatically added. I had to explicitly set
> the default privileges for each role:
>
> ALTER DEFAULT PRIVILEGES FOR ROLE alice IN SCHEMA reports GRANT ALL ON
> TABLES TO dev_user;
> ALTER DEFAULT PRIVILEGES FOR ROLE bob IN SCHEMA reports GRANT ALL ON
> TABLES TO dev_user;
>
> This isn't ideal for long term management. I wasn't really sure if
> this was a bug or a lack of clarity in the docs, so thought I'd throw
> it out to General for comments first. And to make sure I'm explaining
> this clearly enough for others to reproduce it and see if I'm not
> asking for something unreasonable.
The documentation could be more explicit about that.
http://www.postgresql.org/docs/9.1/static/sql-alterdefaultprivileges.htm
l#SQL-ALTERDEFAULTPRIVILEGES-DESCRIPTION
says:
"You can change default privileges only for objects that will be
created by yourself or by roles that you are a member of."
So, in your case, the original ALTER DEFAULT PRIVILEGES statement
you used would work for tables that dev_user himself creates, not
for tables that a member of the role creates.
Alice cannot change the default privileges for Bob.
Unfortunately I can't see a way to achieve what you want without
granting default privileges to everybody involved.
I think that there is room for improvement there.
Yours,
Laurenz Albe
| From | Date | Subject | |
|---|---|---|---|
| Next Message | John R Pierce | 2012-02-22 09:33:55 | doc minor glitch? |
| Previous Message | Magnus Hagander | 2012-02-22 08:25:09 | Re: Why warm-standby doesn't work using file-based log shipping method? |