| From: | Marc Munro <marc(at)bloodnok(dot)com> |
|---|---|
| To: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Schema grants for creating and dropping objects |
| Date: | 2011-10-09 00:41:16 |
| Message-ID: | 1318120876.9194.6.camel@bloodnok.com |
| Lists: | pgsql-hackers |

It seems that in order to create an object in a given schema, I must
have been granted create privilege on the schema. But in order to drop
that object I require usage privilege.
This means that with the right privilege settings I can create objects
that I cannot subsequently drop, or can drop an object that I cannot
recreate.
I assume this is a bug but if it's intended behaviour I'd love to hear
the rationale.
I checked this on 8.3, 8.4, 9.0 and 9.1, all with the same results.
Best regards.
__
Marc
| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | marc(at)bloodnok(dot)com |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Schema grants for creating and dropping objects |
| Date: | 2011-10-09 15:58:59 |
| Message-ID: | 3969.1318175939@sss.pgh.pa.us |
| Lists: | pgsql-hackers |

Marc Munro <marc(at)bloodnok(dot)com> writes:
> It seems that in order to create an object in a given schema, I must
> have been granted create privilege on the schema. But in order to drop
> that object I require usage privilege.
> This means that with the right privilege settings I can create objects
> that I cannot subsequently drop, or can drop an object that I cannot
> recreate.
Yeah. So? You can get similar effects with read-only or write-only
directories in Unix filesystems. Don't see why you find this surprising.
regards, tom lane
| From: | Marc Munro <marc(at)bloodnok(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: Schema grants for creating and dropping objects |
| Date: | 2011-10-09 19:03:38 |
| Message-ID: | 1318187018.28212.26.camel@bloodnok.com |
| Lists: | pgsql-hackers |

On Sun, 2011-10-09 at 11:58 -0400, Tom Lane wrote:
> Marc Munro <marc(at)bloodnok(dot)com> writes:
> > It seems that in order to create an object in a given schema, I must
> > have been granted create privilege on the schema. But in order to drop
> > that object I require usage privilege.
>
> > This means that with the right privilege settings I can create objects
> > that I cannot subsequently drop, or can drop an object that I cannot
> > recreate.
>
> Yeah. So? You can get similar effects with read-only or write-only
> directories in Unix filesystems. Don't see why you find this surprising.
It's just that ordinarily as the owner of an object, I can do what I
like with it. In this case, I can't. In fact, once I've created the
table I can't access it. I guess the surprising thing to me is that I'm
allowed to create it without usage privilege.
However, it is what it is, and as it is intended behaviour I will
happily work with it. Perhaps some extra notes in the documentation of
the sql-grants section might be useful.
As a side note: creating a file in a write-only directory on Unix
doesn't work for me.
> regards, tom lane
Thanks for the response.
__
Marc
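A reproduction of the behaviour described in Marc's first post and his follow-up (CREATE on a schema without USAGE lets a role create a table it can then neither read nor drop, and the reverse grant lets it drop but not recreate), followed by an audit query for the surprising half of that asymmetry. This is an added example, not code from the thread or from PostgreSQL itself; the role `app_writer` and schema `sandbox` are constructed names, and the script assumes it is run as a superuser in psql against a scratch database.

```sql
-- Set up a role that holds CREATE on the schema but deliberately not USAGE.
CREATE ROLE app_writer LOGIN;
CREATE SCHEMA sandbox;
GRANT CREATE ON SCHEMA sandbox TO app_writer;

SET ROLE app_writer;
CREATE TABLE sandbox.t (id int);   -- succeeds: only CREATE on the schema is checked
SELECT * FROM sandbox.t;           -- fails: resolving sandbox.t needs USAGE on the schema
DROP TABLE sandbox.t;              -- fails for the same reason, even though app_writer owns t
RESET ROLE;

-- The mirror image: USAGE without CREATE lets the owner drop, but not recreate.
REVOKE CREATE ON SCHEMA sandbox FROM app_writer;
GRANT USAGE ON SCHEMA sandbox TO app_writer;

SET ROLE app_writer;
DROP TABLE sandbox.t;              -- succeeds: name lookup works and app_writer is the owner
CREATE TABLE sandbox.t (id int);   -- fails: CREATE on the schema has been revoked
RESET ROLE;

-- Audit: non-superuser roles that can create in a schema they cannot use.
-- Such a role can leave behind objects it is unable to inspect or remove.
SELECT r.rolname, n.nspname
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE NOT r.rolsuper
  AND n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
  AND NOT has_schema_privilege(r.oid, n.oid, 'USAGE');

-- Clean up the scratch objects.
DROP SCHEMA sandbox CASCADE;
DROP ROLE app_writer;
```

psql continues past the statements marked as failing unless ON_ERROR_STOP is set, so the whole script can be run in one pass and the errors on those lines are the behaviour the thread describes.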