Thread: Why grantor is owner in this case?

"donniehan" <donniehan@126.com> writes:
> I have a question about the grantor. Why the grantor is owner in the following case ?  I think it should be
postgres(dba). 

Grants done by a superuser on an object he doesn't own are treated as
being done by the object owner instead.  Otherwise you end up with
grants that don't have a clear chain of traceability to the owner,
which causes all sorts of un-fun issues for REVOKE.  (I'm too lazy
to come up with the details right now, but if you care you can look
back in the pgsql-hackers archives to find the discussions where this
behavior was agreed on.)

            regards, tom lane

donniehan wrote:
> Dear Tom,
>
> I'm sorry to bother you. i really care about this behavior, but i couldn't find the discussions you mentioned in
pgsql-hackersarchives. 
> Would you please tell me more about the discussions(about date? the related issue?), so that i can search it and find
itmore easily?  

Maybe he's referring to this discussion:
http://archives.postgresql.org/message-id/1176775180.4152.97.camel%40dogma.v10.wvs

Note that on archives.pg.org it is truncated and continues here:
http://archives.postgresql.org/message-id/20070503225044.GK4218@alvh.no-ip.org

--
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

Alvaro Herrera <alvherre@commandprompt.com> writes:
> donniehan wrote:
>> I'm sorry to bother you. i really care about this behavior, but i couldn't find the discussions you mentioned in
pgsql-hackersarchives. 
>> Would you please tell me more about the discussions(about date? the related issue?), so that i can search it and
findit more easily?  

> Maybe he's referring to this discussion:
> http://archives.postgresql.org/message-id/1176775180.4152.97.camel%40dogma.v10.wvs

No, it's a lot older than that.  See
http://archives.postgresql.org/pgsql-hackers/2003-10/msg01497.php
http://archives.postgresql.org/pgsql-committers/2003-10/msg00305.php

The original 7.4-devel behavior made it effectively impossible for a
superuser to *revoke* privileges, which is certainly not acceptable in
practice.

Looking at the CVS history of aclchk.c, I notice that we later installed
a similar provision with respect to roles: grants/revokes are done as
the role that owns the object, not as the role member that is actually
issuing the command.  Otherwise other role members can't adjust the
privileges.

This comes down to the fact that privileges granted on the same object
by two different roles are distinct, and you can only revoke the ones
you granted.  Which AFAICT is required behavior per SQL spec.

            regards, tom lane

On Dec 27, 2009, at 6:59 PM, donniehan wrote:

> Hi Tom,
>
> Thanks for your information. One more question, if i wanna get the accurate information about grantor(Sometimes the
applicationjust needs the information), what can i do? 
> Apparently i cannot get from the acls, so where can i get the info?
>
> -Dongni

First, please, trim posts and don't top post, it makes it confusing for others to follow along with what's currently
beingdiscussed in a thread when you don't do either. 

As to how you can determine who *actually* made a particular grant, there isn't any built-in way.  What you'd need to
dois wrap your GRANT statements in functions that log what was done and by whom to a table and then consult that log
tablewhen you need that info. 

Erik Jones, Database Administrator
Engine Yard
Support, Scalability, Reliability
866.518.9273 x 260
Location: US/Pacific
IRC: mage2k