On 6/5/25 4:21 PM, Laurenz Albe wrote:
+
+  <para>
+   You must own the database object to use the <command>SECURITY 
LABEL</command>.
+  </para>
   </refsect1>
<refsect1>

Wouldn't it be more accurate to say that you have to be a member of the owning role?
But perhaps that would be complicated enough to confuse many users.

We're calling check_object_ownership which errors out with:

   aclcheck_error(ACLCHECK_NOT_OWNER, [...])

which in turn then aborts with "must be owner of [...]". But checking the code, we do call has_privs_of_role, so you're absolutely right.

In doc/src/sgml/ref/alter_*.sgml we use the phrase "You must own the [...]" to describe the privileges needed. Let me know if you want me to change the wording.

While double checking I noticed that other docs don't have the extra "the " before "<command>[...] " so I dropped that in my v2 patch.

Thanks for reviewing!
Patrick
From c90f9604ee7894c806d92e7fdbc87c304f8628eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20St=C3=A4hlin?= <m...@packi.ch>
Date: Thu, 5 Jun 2025 15:10:01 +0200
Subject: [PATCH] Document ownership requirement for SECURITY LABEL

Clarify that you need ownership of objects you issue SECURITY LABEL on.
---
 doc/src/sgml/ref/security_label.sgml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/src/sgml/ref/security_label.sgml b/doc/src/sgml/ref/security_label.sgml
index e5e5fb483e9..aa45c0af248 100644
--- a/doc/src/sgml/ref/security_label.sgml
+++ b/doc/src/sgml/ref/security_label.sgml
@@ -84,6 +84,10 @@ SECURITY LABEL [ FOR <replaceable class="parameter">provider</replaceable> ] ON
    based on object labels, rather than traditional discretionary access control
    (DAC) concepts such as users and groups.
   </para>
+
+  <para>
+   You must own the database object to use <command>SECURITY LABEL</command>.
+  </para>
  </refsect1>
 
  <refsect1>
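Review bot: The added sentence "You must own the database object to use <command>SECURITY LABEL</command>" states a stricter rule than the check discussed in this thread. check_object_ownership ends up in has_privs_of_role, so a role that has the privileges of the owning role also passes. If the wording stays as is for consistency with the "You must own the [...]" phrasing in doc/src/sgml/ref/alter_*.sgml, say so in the commit message. Otherwise, extend the sentence to cover roles that have the privileges of the owning role. In both cases the commit message line "you need ownership of objects you issue SECURITY LABEL on" should match whichever wording the paragraph ends up with.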
-- 
2.48.1
