On 6/5/25 4:21 PM, Laurenz Albe wrote:
+
+ <para>
+ You must own the database object to use the <command>SECURITY
LABEL</command>.
+ </para>
</refsect1>
<refsect1>
Wouldn't it be more accurate to say that you have to be a member of the owning
role?
But perhaps that would be complicated enough to confuse many users.
We're calling check_object_ownership which errors out with:
aclcheck_error(ACLCHECK_NOT_OWNER, [...])
which in turn then aborts with "must be owner of [...]". But checking
the code, we do call has_privs_of_role, so you're absolutely right.
In doc/src/sgml/ref/alter_*.sgml we use the phrase "You must own the
[...]" to describe the privileges needed. Let me know if you want me to
change the wording.
While double-checking I noticed that other docs don't have the extra
"the " before "<command>[...] " so I dropped that in my v2 patch.
Thanks for reviewing!
Patrick
From c90f9604ee7894c806d92e7fdbc87c304f8628eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Patrick=20St=C3=A4hlin?= <m...@packi.ch>
Date: Thu, 5 Jun 2025 15:10:01 +0200
Subject: [PATCH] Document ownership requirement for SECURITY LABEL
Clarify that you need ownership of objects you issue SECURITY LABEL on.
---
doc/src/sgml/ref/security_label.sgml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/doc/src/sgml/ref/security_label.sgml b/doc/src/sgml/ref/security_label.sgml
index e5e5fb483e9..aa45c0af248 100644
--- a/doc/src/sgml/ref/security_label.sgml
+++ b/doc/src/sgml/ref/security_label.sgml
@@ -84,6 +84,10 @@ SECURITY LABEL [ FOR <replaceable class="parameter">provider</replaceable> ] ON
based on object labels, rather than traditional discretionary access control
(DAC) concepts such as users and groups.
</para>
+
+ <para>
+ You must own the database object to use <command>SECURITY LABEL</command>.
+ </para>
</refsect1>
<refsect1>
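Review bot: The added <para> says "the database object" without saying which object is meant, and it follows directly after the paragraph on label-based access control, so a reader has to infer that it is the object named in the ON clause. Consider "You must own the database object being labeled to use <command>SECURITY LABEL</command>." The thread also establishes that the ownership check goes through has_privs_of_role, so membership in the owning role is sufficient; keeping "You must own" matches the alter_*.sgml pages, but the commit message could mention that this is the intended meaning of "own" here.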
--
2.48.1