I apologize, that was sloppy.
I was using the acldefault() function with pg_roles, like this:
=> select rolname, acldefault('f',oid) from pg_roles where rolname like 'mjt%'
order by 1;
rolname | acldefault
-----------+--------------------------------------
mjt_test1 | {=X/mjt_test1,mjt_test1=X/mjt_test1}
mjt_test2 | {=X/mjt_test2,mjt_test2=X/mjt_test2}
(2 rows)
I had issued
alter default privileges for role mjt_test1 revoke execute on functions from
public;
but had not done a similar ALTER for mjt_test2. And so I was surprised that
they both showed a default =X/rolename.
Examining \ddp and its underlying quuery, I see that view column
pg_default_acl gets a new row with defaclacl populated after the ALTER DEFAULT
PRIVILEGES.
Thanks very much for your guidance, I am on track now.
Mike Tefft
From: Tom Lane <[email protected]>
Sent: Friday, July 5, 2024 2:22 PM
To: Tefft, Michael J <[email protected]>
Cc: [email protected]
Subject: Re: Removing the default grant of EXECUTE on functions/procedures to
PUBLIC
"Tefft, Michael J" <Michael. J. Tefft@ snapon. com> writes: > I was checking
pg_roles. acl_default to see if my role-level ALTER DEFAULT PRIVILEGES had been
effective. But I see the same content both before and after the ALTEr. Er, what?
"Tefft, Michael J"
<[email protected]<mailto:[email protected]>> writes:
> I was checking pg_roles.acl_default to see if my role-level ALTER DEFAULT
> PRIVILEGES had been effective. But I see the same content both before and
> after the ALTEr.
Er, what? There's no column named acl_default in pg_roles, nor any
other standard PG view.
psql's "\ddp" command is the most usual way to examine current
defaults:
regression=# create user joe;
CREATE ROLE
regression=# ALTER DEFAULT PRIVILEGES FOR USER joe REVOKE EXECUTE ON FUNCTIONS
FROM public;
ALTER DEFAULT PRIVILEGES
regression=# \ddp
Default access privileges
Owner | Schema | Type | Access privileges
-------+--------+----------+-------------------
joe | | function | joe=X/joe
(1 row)
regards, tom lane
