More documentation update for GRANT ... WITH SET OPTION. · postgrespro/postgres@3cdf750

Commit 3cdf750

More documentation update for GRANT ... WITH SET OPTION.
Update the reference pages for various ALTER commands that mentioned that you must be a member of the role that will be the new owner to instead say that you must be able to SET ROLE to the new owner. Update ddl.sgml's general statement on this topic along similar lines.

Likewise, update CREATE SCHEMA and CREATE DATABASE, which have options to specify who will own the new objects, to say that you must be able to SET ROLE to the role that will own them.

Finally, update the documentation for the GRANT statement itself with some general principles about how the SET option works and how it can be used.

Patch by me, reviewed (but not fully endorsed) by Noah Misch.

Discussion: http://postgr.es/m/CA+TgmoZk6VB3DQ83+DO5P_HP=M9PQAh1yj-KgeV30uKefVaWDg@mail.gmail.com
1 parent 20428d3 commit 3cdf750

26 files changed: +96 -67 lines changed

doc/src/sgml/ddl.sgml

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -1741,8 +1741,8 @@ ALTER TABLE products RENAME TO items;
17411741
ALTER TABLE <replaceable>table_name</replaceable> OWNER TO <replaceable>new_owner</replaceable>;
17421742
</programlisting>
17431743
Superusers can always do this; ordinary roles can only do it if they are
1744-
both the current owner of the object (or a member of the owning role) and
1745-
a member of the new owning role.
1744+
both the current owner of the object (or inherit the privileges of the
1745+
owning role) and able to <literal>SET ROLE</literal> to the new owning role.
17461746
</para>
17471747

17481748
<para>
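
Review bot: In new lines 1744-1745 the parenthetical "(or inherit the privileges of the owning role)" does not parse against "they are both the current owner of the object", and the sentence now rests on two different membership options (inheritance on the current-owner side, SET on the new-owner side) without saying where either is defined. Suggest rewording along the lines of "they both own the object (or inherit the privileges of the owning role) and are able to SET ROLE to the new owning role", with a link to the GRANT reference page that the commit message says now explains the SET option.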

doc/src/sgml/ref/alter_aggregate.sgml

Lines changed: 4 additions & 3 deletions
@@ -46,9 +46,10 @@ ALTER AGGREGATE <replaceable>name</replaceable> ( <replaceable>aggregate_signatu
4646
You must own the aggregate function to use <command>ALTER AGGREGATE</command>.
4747
To change the schema of an aggregate function, you must also have
4848
<literal>CREATE</literal> privilege on the new schema.
49-
To alter the owner, you must also be a direct or indirect member of the new
50-
owning role, and that role must have <literal>CREATE</literal> privilege on
51-
the aggregate function's schema. (These restrictions enforce that altering
49+
To alter the owner, you must be able to <literal>SET ROLE</literal> to the
50+
new owning role, and that role must have <literal>CREATE</literal>
51+
privilege on the aggregate function's schema.
52+
(These restrictions enforce that altering
5253
the owner doesn't do anything you couldn't do by dropping and recreating
5354
the aggregate function. However, a superuser can alter ownership of any
5455
aggregate function anyway.)
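
Review bot: New line 49 drops "also" ("you must be able to SET ROLE" where the old text had "you must also be a direct or indirect member"), so the sentence no longer reads as a requirement on top of "You must own the aggregate function" at line 46. The alter_large_object.sgml hunk keeps "you must also be able to"; the same wording here and in the sibling ALTER pages would keep it clear that ownership is still required. The old text also said "direct or indirect", and the new phrase leaves open whether a SET option held through an intermediate role counts, which a pointer to the GRANT page would settle.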

doc/src/sgml/ref/alter_collation.sgml

Lines changed: 4 additions & 3 deletions
@@ -39,9 +39,10 @@ ALTER COLLATION <replaceable>name</replaceable> SET SCHEMA <replaceable>new_sche
3939

4040
<para>
4141
You must own the collation to use <command>ALTER COLLATION</command>.
42-
To alter the owner, you must also be a direct or indirect member of the new
43-
owning role, and that role must have <literal>CREATE</literal> privilege on
44-
the collation's schema. (These restrictions enforce that altering the
42+
To alter the owner, you must be able to <literal>SET ROLE</literal> to the
43+
new owning role, and that role must have <literal>CREATE</literal>
9E12 44+
privilege on the collation's schema.
45+
(These restrictions enforce that altering the
4546
owner doesn't do anything you couldn't do by dropping and recreating the
4647
collation. However, a superuser can alter ownership of any collation
4748
anyway.)

doc/src/sgml/ref/alter_conversion.sgml

Lines changed: 4 additions & 3 deletions
@@ -37,9 +37,10 @@ ALTER CONVERSION <replaceable>name</replaceable> SET SCHEMA <replaceable>new_sch
3737

3838
<para>
3939
You must own the conversion to use <command>ALTER CONVERSION</command>.
40-
To alter the owner, you must also be a direct or indirect member of the new
41-
owning role, and that role must have <literal>CREATE</literal> privilege on
42-
the conversion's schema. (These restrictions enforce that altering the
40+
To alter the owner, you must be able to <literal>SET ROLE</literal> to the
41+
new owning role, and that role must have <literal>CREATE</literal>
42+
privilege on the conversion's schema.
43+
(These restrictions enforce that altering the
4344
owner doesn't do anything you couldn't do by dropping and recreating the
4445
conversion. However, a superuser can alter ownership of any conversion
4546
anyway.)

doc/src/sgml/ref/alter_database.sgml

Lines changed: 2 additions & 2 deletions
@@ -68,8 +68,8 @@ ALTER DATABASE <replaceable class="parameter">name</replaceable> RESET ALL
6868

6969
<para>
7070
The third form changes the owner of the database.
71-
To alter the owner, you must own the database and also be a direct or
72-
indirect member of the new owning role, and you must have the
71+
To alter the owner, you must be able to <literal>SET ROLE</literal> to the
72+
new owning role, and you must have the
7373
<literal>CREATEDB</literal> privilege.
7474
(Note that superusers have all these privileges automatically.)
7575
</para>
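
Review bot: New line 71 removes "you must own the database" from the old sentence, so the paragraph as rewritten says that any role with CREATEDB that can SET ROLE to the target may change the owner of a database it does not own. The commit message describes only the membership wording changing, not the ownership requirement. If ownership is still required, suggest "you must own the database and be able to SET ROLE to the new owning role, and you must have the CREATEDB privilege".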

doc/src/sgml/ref/alter_domain.sgml

Lines changed: 3 additions & 3 deletions
@@ -157,9 +157,9 @@ ALTER DOMAIN <replaceable class="parameter">name</replaceable>
157157
You must own the domain to use <command>ALTER DOMAIN</command>.
158158
To change the schema of a domain, you must also have
159159
<literal>CREATE</literal> privilege on the new schema.
160-
To alter the owner, you must also be a direct or indirect member of the new
161-
owning role, and that role must have <literal>CREATE</literal> privilege on
162-
the domain's schema. (These restrictions enforce that altering the owner
160+
To alter the owner, you must be able to <literal>SET ROLE</literal> to the
161+
new owning role, and that role must have <literal>CREATE</literal> privilege
162+
on the domain's schema. (These restrictions enforce that altering the owner
163163
doesn't do anything you couldn't do by dropping and recreating the domain.
164164
However, a superuser can alter ownership of any domain anyway.)
165165
</para>

doc/src/sgml/ref/alter_foreign_table.sgml

Lines changed: 3 additions & 3 deletions
@@ -320,9 +320,9 @@ ALTER FOREIGN TABLE [ IF EXISTS ] <replaceable class="parameter">name</replaceab
320320
You must own the table to use <command>ALTER FOREIGN TABLE</command>.
321321
To change the schema of a foreign table, you must also have
322322
<literal>CREATE</literal> privilege on the new schema.
323-
To alter the owner, you must also be a direct or indirect member of the new
324-
owning role, and that role must have <literal>CREATE</literal> privilege on
325-
the table's schema. (These restrictions enforce that altering the owner
323+
To alter the owner, you must be able to <literal>SET ROLE</literal> to the
324+
new owning role, and that role must have <literal>CREATE</literal> privilege
325+
on the table's schema. (These restrictions enforce that altering the owner
326326
doesn't do anything you couldn't do by dropping and recreating the table.
327327
However, a superuser can alter ownership of any table anyway.)
328328
To add a column or alter a column type, you must also

doc/src/sgml/ref/alter_function.sgml

Lines changed: 3 additions & 3 deletions
@@ -60,9 +60,9 @@ ALTER FUNCTION <replaceable>name</replaceable> [ ( [ [ <replaceable class="param
6060
<para>
6161
You must own the function to use <command>ALTER FUNCTION</command>.
6262
To change a function's schema, you must also have <literal>CREATE</literal>
63-
privilege on the new schema.
64-
To alter the owner, you must also be a direct or indirect member of the new
65-
owning role, and that role must have <literal>CREATE</literal> privilege on
63+
privilege on the new schema. To alter the owner, you must be able to
64+
<literal>SET ROLE</literal> to the new owning role, and that role must
65+
have <literal>CREATE</literal> privilege on
6666
the function's schema. (These restrictions enforce that altering the owner
6767
doesn't do anything you couldn't do by dropping and recreating the function.
6868
However, a superuser can alter ownership of any function anyway.)

doc/src/sgml/ref/alter_large_object.sgml

Lines changed: 3 additions & 2 deletions
@@ -35,8 +35,9 @@ ALTER LARGE OBJECT <replaceable class="parameter">large_object_oid</replaceable>
3535

3636
<para>
3737
You must own the large object to use <command>ALTER LARGE OBJECT</command>.
38-
To alter the owner, you must also be a direct or indirect member of the new
39-
owning role. (However, a superuser can alter any large object anyway.)
38+
To alter the owner, you must also be able to <literal>SET ROLE</literal> to
39+
the new owning role.
40+
(However, a superuser can alter any large object anyway.)
4041
Currently, the only functionality is to assign a new owner, so both
4142
restrictions always apply.
4243
</para>

doc/src/sgml/ref/alter_materialized_view.sgml

Lines changed: 4 additions & 3 deletions
@@ -63,9 +63,10 @@ ALTER MATERIALIZED VIEW ALL IN TABLESPACE <replaceable class="parameter">name</r
6363
You must own the materialized view to use <command>ALTER MATERIALIZED
6464
VIEW</command>. To change a materialized view's schema, you must also have
6565
<literal>CREATE</literal> privilege on the new schema.
66-
To alter the owner, you must also be a direct or indirect member of the new
67-
owning role, and that role must have <literal>CREATE</literal> privilege on
68-
the materialized view's schema. (These restrictions enforce that altering
66+
To alter the owner, you must be able to <literal>SET ROLE</literal> to the
67+
new owning role, and that role must have <literal>CREATE</literal>
68+
privilege on the materialized view's schema.
69+
(These restrictions enforce that altering
6970
the owner doesn't do anything you couldn't do by dropping and recreating the
7071
materialized view. However, a superuser can alter ownership of any view
7172
anyway.)
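
Review bot: The context at new lines 71-72 still reads "a superuser can alter ownership of any view anyway" on the materialized-view page. Since the paragraph is being rewrapped here anyway, suggest "any materialized view" to match the rest of the paragraph.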
