Lists: | pgsql-hackers |
---|
From: | Marko Tiikkaja <marko(at)joh(dot)to> |
---|---|
To: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | DROP PRIVILEGES OWNED BY |
Date: | 2014-12-15 00:43:40 |
Message-ID: | 548E2EBC.6040401@joh.to |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
Hi,
This week I had a problem where I wanted to drop only the privileges a
certain role had in the system, while keeping all the objects. I
couldn't figure out a reasonable way to do that, so I've attached a
patch for this to this email. Please consider it for inclusion into
9.5. The syntax is:
DROP PRIVILEGES OWNED BY role [, ...]
I at some point decided to implement it as a new command instead of
changing DropOwnedStmt, and I think that might have been a mistake. It
might have made more sense to instead teach DROP OWNED to accept a
specification of which things to drop. But the proposal is more
important than such details, I think.
.marko
Attachment | Content-Type | Size |
---|---|---|
drop_privileges_owned.v0.patch | text/plain | 14.7 KB |
From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Marko Tiikkaja <marko(at)joh(dot)to> |
Cc: | PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: DROP PRIVILEGES OWNED BY |
Date: | 2014-12-15 00:48:52 |
Message-ID: | CAB7nPqSbPZTMgm8zspP2jj5B+1JUwB8odhhSPUbyufR-AoHMwQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On Mon, Dec 15, 2014 at 9:43 AM, Marko Tiikkaja <marko(at)joh(dot)to> wrote:
> Hi,
>
> This week I had a problem where I wanted to drop only the privileges a
> certain role had in the system, while keeping all the objects. I couldn't
> figure out a reasonable way to do that, so I've attached a patch for this to
> this email. Please consider it for inclusion into 9.5. The syntax is:
>
> DROP PRIVILEGES OWNED BY role [, ...]
>
> I at some point decided to implement it as a new command instead of changing
> DropOwnedStmt, and I think that might have been a mistake. It might have
> made more sense to instead teach DROP OWNED to accept a specification of
> which things to drop. But the proposal is more important than such details,
> I think.
You should consider adding it to the upcoming CF:
https://commitfest.postgresql.org/action/commitfest_view?id=25
Regards,
--
Michael
From: | Heikki Linnakangas <hlinnakangas(at)vmware(dot)com> |
---|---|
To: | Marko Tiikkaja <marko(at)joh(dot)to>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: DROP PRIVILEGES OWNED BY |
Date: | 2014-12-17 16:37:01 |
Message-ID: | 5491B12D.7040801@vmware.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On 12/15/2014 02:43 AM, Marko Tiikkaja wrote:
> This week I had a problem where I wanted to drop only the privileges a
> certain role had in the system, while keeping all the objects. I
> couldn't figure out a reasonable way to do that, so I've attached a
> patch for this to this email. Please consider it for inclusion into
> 9.5. The syntax is:
>
> DROP PRIVILEGES OWNED BY role [, ...]
>
> I at some point decided to implement it as a new command instead of
> changing DropOwnedStmt, and I think that might have been a mistake. It
> might have made more sense to instead teach DROP OWNED to accept a
> specification of which things to drop. But the proposal is more
> important than such details, I think.
DROP seems like the wrong verb here. DROP is used for deleting objects,
while REVOKE is used for removing permissions from them. REVOKE already
has something similar:
REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM heikki;
Following that style, how about making the syntax:
REVOKE ALL PRIVILEGES ON ALL OBJECTS FROM <role>
or just:
REVOKE ALL PRIVILEGES FROM <role>;
- Heikki
From: | Marko Tiikkaja <marko(at)joh(dot)to> |
---|---|
To: | Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: DROP PRIVILEGES OWNED BY |
Date: | 2014-12-17 16:43:35 |
Message-ID: | 5491B2B7.8060708@joh.to |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On 12/17/14 5:37 PM, Heikki Linnakangas wrote:
> On 12/15/2014 02:43 AM, Marko Tiikkaja wrote:
>> The syntax is:
>>
>> DROP PRIVILEGES OWNED BY role [, ...]
>
> DROP seems like the wrong verb here. DROP is used for deleting objects,
> while REVOKE is used for removing permissions from them. REVOKE already
> has something similar:
>
> REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM heikki;
>
> Following that style, how about making the syntax:
>
> REVOKE ALL PRIVILEGES FROM <role>;
I don't have a problem with that. It would probably work, too, since
FROM is already fully reserved.
.marko
From: | Michael Paquier <michael(dot)paquier(at)gmail(dot)com> |
---|---|
To: | Marko Tiikkaja <marko(at)joh(dot)to> |
Cc: | Heikki Linnakangas <hlinnakangas(at)vmware(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: DROP PRIVILEGES OWNED BY |
Date: | 2015-01-15 07:54:16 |
Message-ID: | CAB7nPqRCKpyQD7rA4VAenP8w9pFAMQgq_RbyVBKdn_C1vSO8kg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Lists: | pgsql-hackers |
On Thu, Dec 18, 2014 at 1:43 AM, Marko Tiikkaja <marko(at)joh(dot)to> wrote:
> I don't have a problem with that. It would probably work, too, since FROM
> is already fully reserved.
Marking patch as returned with feedback as there has been no input
from Marko in the last couple of weeks.
--
Michael