Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute"

From: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
To: Bryn Llewellyn <bryn(at)yugabyte(dot)com>
Cc: pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: "grant usage on schema" confers the ability to execute all user-defined functions in that schema, with needing to grant "execute"
Date: 2022-02-11 21:00:15
Message-ID: CAKFQuwZUuL6ek+6noEg13eXJBqK9WKhQww-wn+pqowf+Qub3UA@mail.gmail.com
Lists: pgsql-general

On Fri, Feb 11, 2022 at 1:46 PM Bryn Llewellyn <bryn(at)yugabyte(dot)com> wrote:

>
> *grant usage on schema s to z;*
> *revoke execute on function s.f() from z; -- Yes, really!*
>
> **This surprises me**
>
> The PG doc, in the "5.7. Privileges" section at
> https://www.postgresql.org/docs/current/ddl-priv.html (under "USAGE"
> following "The available privileges are"), says this:
>
> «
> For schemas, allows access to objects contained in the schema (assuming
> that the objects' own privilege requirements are also met). Essentially
> this allows the grantee to “look up” objects within the schema...
> »
>

> *Is the design of my test-case faulty? Have I found a bug? Or is the doc
> wrong?*
>

WADaD

https://www.postgresql.org/docs/current/ddl-priv.html

"No privileges are granted to PUBLIC by default on tables, table columns,
sequences, foreign data wrappers, foreign servers, large objects, schemas,
or tablespaces. For other types of objects, the default privileges granted
to PUBLIC are as follows: CONNECT and TEMPORARY (create temporary tables)
privileges for databases; ***EXECUTE privilege for functions and procedures***;
and USAGE privilege for languages and data types (including domains)."

David J.
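
The default described in the documentation quoted above can be checked and closed as follows. This is an added example, not part of the original message: the schema s, function s.f() and role z are the names from the quoted test case, while the function body and the audit query are constructed for illustration.

```sql
-- Constructed demo; run as a superuser in a scratch database.
create role z;
create schema s;
create function s.f() returns int language sql as 'select 42';

grant usage on schema s to z;

-- z has no EXECUTE grant of its own. Any EXECUTE it holds on s.f()
-- comes through the default grant to PUBLIC made at function creation.
select has_function_privilege('z', 's.f()', 'execute') as z_can_execute;

-- Revoking from z alone removes only a grant made directly to z.
-- The PUBLIC grant is untouched, so re-run the check to compare.
revoke execute on function s.f() from z;
select has_function_privilege('z', 's.f()', 'execute') as z_can_execute;

-- Remove the default grant itself, then re-check.
revoke execute on function s.f() from public;
select has_function_privilege('z', 's.f()', 'execute') as z_can_execute;

-- From here on, EXECUTE is granted role by role.
grant execute on function s.f() to z;

-- Audit: functions and procedures in schema s that PUBLIC can still execute.
select p.oid::regprocedure as routine
from pg_proc p
join pg_namespace n on n.oid = p.pronamespace
where n.nspname = 's'
  and has_function_privilege('public', p.oid, 'execute');

-- Stop routines created later by the current role from being granted
-- to PUBLIC. This must be the global form: per-schema default privileges
-- are added to the global ones, so "in schema s" cannot revoke the
-- built-in PUBLIC default.
alter default privileges revoke execute on functions from public;

-- Clean up the scratch objects.
drop schema s cascade;
alter default privileges grant execute on functions to public;
drop role z;
```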
