Re: [PATCH] DefaultACLs

From: Jan Urbański <wulczer(at)wulczer(dot)org>
To: Petr Jelinek <pjmodos(at)pjmodos(dot)net>
Cc: Josh Berkus <josh(at)agliodbs(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] DefaultACLs
Date: 2009-09-24 14:21:47
Lists: pgsql-hackers

Petr Jelinek wrote:
> Jan Urbański wrote:
>> Dependencies suck, I know..
> Cross-database dependencies do.
> I had to make the target role the owner of the default acls, which adds
> some side effects like the fact that it blocks DROP ROLE so DROP OWNED BY
> has to be used.
> As for REASSIGN OWNED, it does not reassign anything (I don't think it's
> a good idea to reassign default acls); it just spits a warning with a hint
> about what to do if the user plans to drop the role.

OK, so that addresses my last gripe.

It seems that when you try to drop a role to which you have granted some
privileges before, you can't, and when you REASSIGN OWNED, it doesn't
help. So maybe it's not even necessary to give a warning when REASSIGN
OWNED is called on default ACLs.

The only loose end is tab completion, which can probably be added later on.

I'm also not sure if we wouldn't like to have ALTER DEFAULT PRIVILEGES
FOR ALL ROLES (or something similar), so you won't have to ALTER DEFAULT
PRIVILEGES for each developer you gave a DB login to.

Petr told me that was the previous design but has been shot down - I
found references to that on the mailing list, but most complaints were
about tying the syntax to ALTER SCHEMA. Since we now have ALTER DEFAULT
PRIVILEGES I think it might make sense to introduce a way to set the
default privileges for all roles (and give superusers the right to do it).

This can be added later on, but maybe we could make the syntax work so
when you do ALTER DEFAULT PRIVILEGES without FOR ROLE you set them for
all roles in the current DB and if you want to set them for yourself,
you need to specify FOR ROLE <yourrole>. That'd be a minor change in the

Setting to "Ready for Committer" (and leaving to the committer the
decision whether to support "FOR ALL ROLES" and what to do about the

