Thread: NULL pg_database.datacl

NULL pg_database.datacl

From
Dominique Devienne
Date:
Hi. I'm surprised, I thought ACLs would never be empty for a database.
Does that mean nobody can connect to this database?
I guess SUPERUSER and/or its datDBA can?
What does a NULL AclItem[] mean exactly?
(BTW, datallowconn is true)

Thanks, --DD

ddb=> select datname, datdba::regrole::text from pg_database where datacl is null;
 datname | datdba
---------+--------
 qadb    | qauser
(1 row)

PS: Was also surprised with  #42883: ERROR:  no binary output function available for type aclitem
  Thankfully datacl::text[] works fine in binary mode.

Re: NULL pg_database.datacl

From
Erik Wienhold
Date:
> On 20/03/2023 11:52 CET Dominique Devienne <ddevienne@gmail.com> wrote:
>
> Hi. I'm surprised, I thought ACLs would never be empty for a database.
> Does that mean nobody can connect to this database?
> I guess SUPERUSER and/or its datDBA can?
> What does a NULL AclItem[] mean exactly?

It means that the object has default privileges (before any GRANT or REVOKE
is executed).  For databases this means full privileges for the database owner
and the CONNECT and TEMPORARY privileges for PUBLIC.  So any user can connect
if allowed by pg_hba.conf.

https://www.postgresql.org/docs/current/ddl-priv.html

--
Erik



Re: NULL pg_database.datacl

From
Dominique Devienne
Date:
On Mon, Mar 20, 2023 at 1:18 PM Erik Wienhold <ewie@ewie.name> wrote:
> On 20/03/2023 11:52 CET Dominique Devienne <ddevienne@gmail.com> wrote:
> What does a NULL AclItem[] mean exactly?

It means that the object has default privileges (before any GRANT or REVOKE
is executed).  For databases this means full privileges for the database owner
and the CONNECT and TEMPORARY privileges for PUBLIC.  So any user can connect
if allowed by pg_hba.conf.

https://www.postgresql.org/docs/current/ddl-priv.html

Thanks Erik. But then, how come aclexplode() is not showing these default/implicit privileges?

Is there a SQL function returning those per-type default provileges?
That I could then coalesce() datacl with?

Or some other means to list actual / effective privileges, even those implicit ones?

Thanks, --DD

ddb=> select datname, grantor::regrole::text, grantee::regrole::text, privilege_type, is_grantable
ddb->   from pg_database
ddb->   left join lateral aclexplode(datacl) on true
ddb-> where datacl is null;
 datname | grantor | grantee | privilege_type | is_grantable
---------+---------+---------+----------------+--------------
 qadb    |         |         |                |
(1 row) 

Re: NULL pg_database.datacl

From
Erik Wienhold
Date:
> On 20/03/2023 13:50 CET Dominique Devienne <ddevienne@gmail.com> wrote:
>
> On Mon, Mar 20, 2023 at 1:18 PM Erik Wienhold <ewie@ewie.name> wrote:
> > > On 20/03/2023 11:52 CET Dominique Devienne <ddevienne@gmail.com> wrote:
> > > What does a NULL AclItem[] mean exactly?
> >
> >  It means that the object has default privileges (before any GRANT or REVOKE
> >  is executed). For databases this means full privileges for the database owner
> >  and the CONNECT and TEMPORARY privileges for PUBLIC. So any user can connect
> >  if allowed by pg_hba.conf.
> >
> >  https://www.postgresql.org/docs/current/ddl-priv.html
>
> Thanks Erik. But then, how come aclexplode() is not showing these
> default/implicit privileges?
>
> Is there a SQL function returning those per-type default provileges?
> That I could then coalesce() datacl with?

Use acldefault.  Pass in ownerId=0 to get the privileges for PUBLIC.

https://www.postgresql.org/docs/current/functions-info.html#FUNCTIONS-ACLITEM-FN-TABLE

--
Erik



Re: NULL pg_database.datacl

From
Dominique Devienne
Date:
On Mon, Mar 20, 2023 at 2:18 PM Erik Wienhold <ewie@ewie.name> wrote:
> On 20/03/2023 13:50 CET Dominique Devienne <ddevienne@gmail.com> wrote:
>
> On Mon, Mar 20, 2023 at 1:18 PM Erik Wienhold <ewie@ewie.name> wrote:
> > > On 20/03/2023 11:52 CET Dominique Devienne <ddevienne@gmail.com> wrote:
> > > What does a NULL AclItem[] mean exactly?
> >
> >  It means that the object has default privileges [...]
> >  https://www.postgresql.org/docs/current/ddl-priv.html
>
> Is there a SQL function returning those per-type default provileges?

Use acldefault.  Pass in ownerId=0 to get the privileges for PUBLIC.

https://www.postgresql.org/docs/current/functions-info.html#FUNCTIONS-ACLITEM-FN-TABLE

Thanks again. After experimenting a little, sounds like acldefault('d', datdba) is what I want,
since it seems to give something closer to the AclItem[] actually instantiated on the first GRANT or REVOKE.

This has been an education for me, once again. I appreciate the help. Thanks, --DD

ddb=> select datname, coalesce(datacl, acldefault('d', 0)) from pg_database where datacl is null;
 datname |    coalesce
---------+----------------
 qadb    | {=Tc/0,=CTc/0}
(1 row)

ddb=> select datname, coalesce(datacl, acldefault('d', datdba)) from pg_database where datacl is null;
 datname |            coalesce
---------+--------------------------------
 qadb    | {=Tc/qauser,qauser=CTc/qauser}
(1 row)

ddb=# revoke all on database qadb from public;
REVOKE

ddb=# select datname, datacl from pg_database where datname = 'qadb';
 datname |       datacl
---------+---------------------
 qadb    | {qauser=CTc/qauser}
(1 row)

ddb=# grant connect, temporary on database qadb to public;
GRANT

ddb=# select datname, datacl from pg_database where datname = 'qadb';
 datname |             datacl
---------+--------------------------------
 qadb    | {qauser=CTc/qauser,=Tc/qauser}
(1 row)

ddb=# select count(*) from pg_database where datacl is null;
 count
-------
     0
(1 row)