I'm trying to understand how to decode proacl in pg_proc. The documentation says:
PostgreSQL grants default privileges on some types of objects to PUBLIC. ... EXECUTE privilege for functions; ... Also, these initial default privilege settings can be changed using the ALTER DEFAULT PRIVILEGES command.
I also found this
email by Tom saying that NULL means the default of execute to public.
Questions:
a) Does NULL mean execute to public? Or does it mean whatever pg_default_acl contains for functions?
b) What does it mean if pg_default_acl is empty?
c) If NULL means execute to public can somebody explain why this happens:
postgres_prod@proddb_testing=# select proacl from pg_proc where proname = 'hstore_eq';
─[ RECORD 1 ]
proacl │ ¤
Time: 87.862 ms
postgres_prod@proddb_testing=# grant execute on function hstore_eq(hstore, hstore) to public;
GRANT
Time: 88.931 ms
postgres_prod@proddb_testing=# select proacl from pg_proc where proname = 'hstore_eq';
─[ RECORD 1 ]────────────────────────────────────────────
proacl │ {=X/postgres_prod,postgres_prod=X/postgres_prod}
I would have expected the bold to still be NULL. Also I haven't found any combination of statements to set it back to NULL (short of dropping and recreating hstore_eq).
Which leads me to I guess the most important questions.
d) Other than compactness in the representation of acls is there any practical difference between an the above representation and having NULL in proacl?
Thanks in advance,
Bene
