mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Improve privileges discussion (mostly, mention grant options).

Browse Source
This commit is contained in:
Tom Lane 2004-08-07 20:44:50 +00:00
parent 82433e913c
commit 27fedc8a5e
2 changed files with 42 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
doc/src/sgml/ddl.sgml
View File

@ -1,4 +1,4 @@
<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.28 2004/08/07 19:53:48 tgl Exp $ --> <!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.29 2004/08/07 20:44:49 tgl Exp $ -->
<chapter id="ddl"> <chapter id="ddl">
<title>Data Definition</title> <title>Data Definition</title>
@ -1378,29 +1378,22 @@ ALTER TABLE products RENAME TO items;
When you create a database object, you become its owner. By When you create a database object, you become its owner. By
default, only the owner of an object can do anything with the default, only the owner of an object can do anything with the
object. In order to allow other users to use it, object. In order to allow other users to use it,
<firstterm>privileges</firstterm> must be granted. (There are also <firstterm>privileges</firstterm> must be granted. (However,
users that have the superuser privilege. Those users can always users that have the superuser attribute can always
access any object.) access any object.)
</para> </para>
<note>
<para>
To change the owner of a table, index, sequence, or view, use the
<xref linkend="sql-altertable" endterm="sql-altertable-title">
command.
</para>
</note>
<para> <para>
There are several different privileges: <literal>SELECT</>, There are several different privileges: <literal>SELECT</>,
<literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>, <literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,
<literal>RULE</>, <literal>REFERENCES</>, <literal>TRIGGER</>, <literal>RULE</>, <literal>REFERENCES</>, <literal>TRIGGER</>,
<literal>CREATE</>, <literal>TEMPORARY</>, <literal>EXECUTE</>, <literal>CREATE</>, <literal>TEMPORARY</>, <literal>EXECUTE</>,
<literal>USAGE</>, and <literal>ALL PRIVILEGES</>. For complete and <literal>USAGE</>. The privileges applicable to a particular
object vary depending on the object's type (table, function, etc).
For complete
information on the different types of privileges supported by information on the different types of privileges supported by
<productname>PostgreSQL</productname>, refer to the <productname>PostgreSQL</productname>, refer to the
<xref linkend="sql-grant" endterm="sql-grant-title"> <xref linkend="sql-grant"> reference page. The following sections
reference page. The following sections
and chapters will also show you how those privileges are used. and chapters will also show you how those privileges are used.
</para> </para>
@ -1409,23 +1402,30 @@ ALTER TABLE products RENAME TO items;
the owner only. the owner only.
</para> </para>
<note>
<para>
To change the owner of a table, index, sequence, or view, use the
<xref linkend="sql-altertable"> command. There are corresponding
<literal>ALTER</> commands for other object types.
</para>
</note>
<para> <para>
To assign privileges, the <command>GRANT</command> command is To assign privileges, the <command>GRANT</command> command is
used. So, if <literal>joe</literal> is an existing user, and used. For example, if <literal>joe</literal> is an existing user, and
<literal>accounts</literal> is an existing table, the privilege to <literal>accounts</literal> is an existing table, the privilege to
update the table can be granted with update the table can be granted with
<programlisting> <programlisting>
GRANT UPDATE ON accounts TO joe; GRANT UPDATE ON accounts TO joe;
</programlisting> </programlisting>
The user executing this command must be the owner of the table. To To grant a privilege to a group, use this syntax:
grant a privilege to a group, use
<programlisting> <programlisting>
GRANT SELECT ON accounts TO GROUP staff; GRANT SELECT ON accounts TO GROUP staff;
</programlisting> </programlisting>
The special <quote>user</quote> name <literal>PUBLIC</literal> can The special <quote>user</quote> name <literal>PUBLIC</literal> can
be used to grant a privilege to every user on the system. Writing be used to grant a privilege to every user on the system. Writing
<literal>ALL</literal> in place of a specific privilege specifies that all <literal>ALL</literal> in place of a specific privilege grants all
privileges will be granted. privileges that are relevant for the object type.
</para> </para>
<para> <para>
@ -1434,13 +1434,24 @@ GRANT SELECT ON accounts TO GROUP staff;
<programlisting> <programlisting>
REVOKE ALL ON accounts FROM PUBLIC; REVOKE ALL ON accounts FROM PUBLIC;
</programlisting> </programlisting>
The special privileges of the table owner (i.e., the right to do The special privileges of the object owner (i.e., the right to do
<command>DROP</>, <command>GRANT</>, <command>REVOKE</>, etc.) <command>DROP</>, <command>GRANT</>, <command>REVOKE</>, etc.)
are always implicit in being the owner, are always implicit in being the owner,
and cannot be granted or revoked. But the table owner can choose and cannot be granted or revoked. But the object owner can choose
to revoke his own ordinary privileges, for example to make a to revoke his own ordinary privileges, for example to make a
table read-only for himself as well as others. table read-only for himself as well as others.
</para> </para>
<para>
Ordinarily, only the object's owner (or a superuser) can grant or revoke
privileges on an object. However, it is possible to grant a privilege
<quote>with grant option</>, which gives the recipient the right to
grant it in turn to others. If the grant option is subsequently revoked
then all who received the privilege from that recipient (directly or
through a chain of grants) will lose the privilege. For details see
the <xref linkend="sql-grant"> and <xref linkend="sql-revoke"> reference
pages.
</para>
</sect1> </sect1>
<sect1 id="ddl-schemas"> <sect1 id="ddl-schemas">
@ -1544,12 +1555,17 @@ CREATE SCHEMA myschema;
<synopsis> <synopsis>
<replaceable>schema</><literal>.</><replaceable>table</> <replaceable>schema</><literal>.</><replaceable>table</>
</synopsis> </synopsis>
(For brevity we will speak of tables only, but the same ideas apply
to other kinds of named objects, such as types and functions.)
</para>
<para>
Actually, the even more general syntax Actually, the even more general syntax
<synopsis> <synopsis>
<replaceable>database</><literal>.</><replaceable>schema</><literal>.</><replaceable>table</> <replaceable>database</><literal>.</><replaceable>schema</><literal>.</><replaceable>table</>
</synopsis> </synopsis>
can be used too, but at present this is just for pro-forma compliance can be used too, but at present this is just for pro-forma compliance
with the SQL standard; if you write a database name it must be the with the SQL standard. If you write a database name, it must be the
same as the database you are connected to. same as the database you are connected to.
</para> </para>
@ -1862,7 +1878,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
privileges to allow the other users to access them. Users can privileges to allow the other users to access them. Users can
then refer to these additional objects by qualifying the names then refer to these additional objects by qualifying the names
with a schema name, or they can put the additional schemas into with a schema name, or they can put the additional schemas into
their path, as they choose. their search path, as they choose.
</para> </para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>

6
doc/src/sgml/ref/grant.sgml
View File

@ -1,5 +1,5 @@
<!-- <!--
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.41 2004/06/18 06:13:05 tgl Exp $ $PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.42 2004/08/07 20:44:50 tgl Exp $
PostgreSQL documentation PostgreSQL documentation
--> -->
@ -52,8 +52,8 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
<para> <para>
The <command>GRANT</command> command gives specific privileges on The <command>GRANT</command> command gives specific privileges on
an object (table, view, sequence, database, function, procedural language, an object (table, view, sequence, database, tablespace, function,
or schema) to procedural language, or schema) to
one or more users or groups of users. These privileges are added one or more users or groups of users. These privileges are added
to those already granted, if any. to those already granted, if any.
</para> </para>