On Wed, 2021-02-17 at 15:08 -0500, Jordi Gutiérrez Hermoso wrote:
> I just had a confusing moment trying to figure out why my roles
> weren't creating tables the way I was expecting them to. I didn't
> understand what the `target_role` parameter did. No matter how I try
> to read this page, I can't see an explanation for that parameter:
> 
> https://www.postgresql.org/docs/current/sql-alterdefaultprivileges.html
> 
> I propose an explanation like the following be added to the
> `target_role` parameter:
> 
>     This is the role that will create objects with altered default
>     privileges. Note that changes in default privileges aren't
>     inherited, so altering the default privileges of created objects
>     for a parent role will not change the default privileges of
>     objects created by inherited roles.

+1.  I cannot count the number of times I have seen people confused by that.

Suggested patch attached.

Yours,
Laurenz Albe
From 6ca7ad89b06c65d574a5e9da8192a14458863cb6 Mon Sep 17 00:00:00 2001
From: Laurenz Albe <laurenz.a...@cybertec.at>
Date: Thu, 18 Feb 2021 08:14:55 +0100
Subject: [PATCH] Clarify docs for ALTER DEFAULT PRIVILEGES
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Since this is often a cause of confusion, document that the
default privileges will only be applied to objects created
by the target role.

Suggested by Jordi Gutiérrez Hermoso.

Discussion: https://postgr.es/m/72652d72e1816bfc3c05d40f9e0e0373d07823c8.ca...@octave.org
---
 doc/src/sgml/ref/alter_default_privileges.sgml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml
index f1d54f5aa3..048dbc9fe2 100644
--- a/doc/src/sgml/ref/alter_default_privileges.sgml
+++ b/doc/src/sgml/ref/alter_default_privileges.sgml
@@ -138,6 +138,13 @@ REVOKE [ GRANT OPTION FOR ]
      <para>
       The name of an existing role of which the current role is a member.
       If <literal>FOR ROLE</literal> is omitted, the current role is assumed.
+
+      The privileges defined in
+      <replaceable class="parameter">abbreviated_grant_or_revoke</replaceable>
+      will only be set on objects created by <replaceable>target_role</replaceable>.
+      This does not extend to role members.  If there are several roles that could
+      create objects, you may have to run <command>ALTER DEFAULT PRIVILEGES</command>
+      for each of them.
      </para>
     </listitem>
    </varlistentry>
-- 
2.26.2
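
The behaviour discussed in this thread, as an added SQL example that is not part of the original messages or of the PostgreSQL documentation. The role, schema and table names are hypothetical, and it assumes a superuser session in a scratch database.

```sql
-- Constructed demo: all role, schema and table names are hypothetical.
CREATE ROLE app_owner  NOLOGIN;
CREATE ROLE app_dev    NOLOGIN IN ROLE app_owner;  -- app_dev is a member of app_owner
CREATE ROLE app_reader NOLOGIN;

CREATE SCHEMA demo;
GRANT USAGE, CREATE ON SCHEMA demo TO app_owner, app_dev;
GRANT USAGE ON SCHEMA demo TO app_reader;

-- Default privileges keyed on the creating role app_owner only.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA demo
    GRANT SELECT ON TABLES TO app_reader;

SET ROLE app_owner;
CREATE TABLE demo.by_owner (id int);   -- created by target_role
RESET ROLE;

SET ROLE app_dev;
CREATE TABLE demo.by_dev (id int);     -- created by a member of target_role
RESET ROLE;

-- Compare what app_reader can read: the default grant is attached to
-- tables created by app_owner, not to tables created by its member app_dev.
SELECT has_table_privilege('app_reader', 'demo.by_owner', 'SELECT') AS owner_table,
       has_table_privilege('app_reader', 'demo.by_dev',   'SELECT') AS dev_table;

-- Repeat the command for every role that may create objects.
-- This affects only tables created afterwards; demo.by_dev still needs
-- an explicit GRANT.
ALTER DEFAULT PRIVILEGES FOR ROLE app_dev IN SCHEMA demo
    GRANT SELECT ON TABLES TO app_reader;

-- Audit: list which creating roles have default ACLs, per schema and
-- object type, to spot creating roles that were missed.
SELECT defaclrole::regrole           AS creating_role,
       defaclnamespace::regnamespace AS schema_name,
       defaclobjtype,
       defaclacl
FROM pg_default_acl
ORDER BY 1, 2;
```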
