Re: GRANT/roles problem: grant is shown as from login role - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: GRANT/roles problem: grant is shown as from login role
Date
Msg-id 20050902152343.GV6026@ns.snowman.net
Whole thread Raw
In response to GRANT/roles problem: grant is shown as from login role  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: GRANT/roles problem: grant is shown as from login role
List pgsql-hackers
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> This is looking a bit messy.  Maybe for GRANT/REVOKE, we have to insist
> that privileges do not inherit, you have to actually be SET ROLE'd to
> whatever role has the authority to do the grant.  I haven't figured out
> how the SQL spec avoids this problem, considering that they do have the
> concept of rights inheriting for roles.

There is 'revoke update on t1 from u3 granted by u2;' syntax in the
SQL 2003 specification. It doesn't look like we support that syntax
(looking at 8.0.3 anyway)- would that solve the problem if we did?

From your example, u1 couldn't revoke it because u1 couldn't become u2,
and we don't support syntax for saying "revoke this priviledge which was
granted by someone else", but the SQL spec has that syntax and if we did
then I think we'd allow the owner to use it.

Does that help?
Thanks,
    Stephen

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: Call for 7.5 feature completion
Next
From: Hannu Krosing
Date:
Subject: Re: Question about explain of index scan