From: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
---|---|
To: | Patrick Stählin <me(at)packi(dot)ch>, pgsql-docs(at)lists(dot)postgresql(dot)org |
Subject: | Re: Add sentence about SECURITY LABEL object ownership |
Date: | 2025-06-05 14:21:47 |
Message-ID: | 2c8f7b87b68fd2084faebdcf48b4edb23f4e93e0.camel@cybertec.at |
Lists: | pgsql-docs |
On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
> Hi,
>
> I noticed that we don't document that you need to own the object being
> modified by SECURITY LABEL.
>
> Page: https://www.postgresql.org/docs/current/sql-security-label.html
>
> I've attached a patch that would have answered that question (for me)
> without diving into the code.
> --- a/doc/src/sgml/ref/security_label.sgml
> +++ b/doc/src/sgml/ref/security_label.sgml
> @@ -84,6 +84,10 @@ SECURITY LABEL [ FOR <replaceable class="parameter">provider</replaceable> ] ON
> based on object labels, rather than traditional discretionary access control
> (DAC) concepts such as users and groups.
> </para>
> +
> + <para>
> + You must own the database object to use the <command>SECURITY LABEL</command>.
> + </para>
> </refsect1>
>
> <refsect1>
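Review bot: In the added <para>, "to use the <command>SECURITY LABEL</command>" leaves an article with no noun after it; write "to use <command>SECURITY LABEL</command>" or "the <command>SECURITY LABEL</command> command". "the database object" also does not say which object is meant. Naming it as the object being labeled removes the ambiguity, for example: "You must own the database object being labeled to use <command>SECURITY LABEL</command>."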
Wouldn't it be more accurate to say that you have to be a member of the owning role?
But perhaps that would be complicated enough to confuse many users.
In general, +1 for documenting that.
Yours,
Laurenz Albe