On Mon, Jun 27, 2022 at 11:37:19PM -0700, Noah Misch wrote:
> On Tue, May 10, 2022 at 11:44:15AM -0400, Bruce Momjian wrote:
> > I have completed the first draft of the PG 15 release notes
>
> > <!--
> > Author: Noah Misch <n...@leadboat.com>
> > 2021-09-09 [b073c3ccd] Revoke PUBLIC CREATE from public schema, now owned
> > by pg
> > -->
> >
> > <listitem>
> > <para>
> > Remove <literal>PUBLIC</literal> creation permission on the <link
> > linkend="ddl-schemas-public"><literal>public</literal> schema</link>
> > (Noah Misch)
> > </para>
> >
> > <para>
> > This is a change in the default for newly-created databases in
> > existing clusters and for new clusters; <literal>USAGE</literal>
>
> If you dump/reload an unmodified v14 template1 (as pg_dumpall and pg_upgrade
> do), your v15 template1 will have a v14 ACL on its public schema. At that
> point, the fate of "newly-created databases in existing clusters" depends on
> whether you clone template1 or template0. Does any of that detail belong
> here, or does the existing text suffice?

I think it is very confusing to have template0 have one value and
template1 have a different one, but as I understand it template0 will
only be used for pg_dump comparison, and that will keep template1 with
the same permissions, so I guess it is okay.

> > permissions on the <literal>public</literal> schema has not
> > been changed. Databases restored from previous Postgres releases
> > will be restored with their current permissions. Users wishing
> > to have the old permissions on new objects will need to grant
>
> The phrase "old permissions on new objects" doesn't sound right to me, but I'm
> not sure why. I think you're aiming for the fact that this is just a default;
> one can still change the ACL to anything, including to the old default. If
> these notes are going to mention the old default like they do so far, I think
> they should also urge readers to understand
> https://www.postgresql.org/docs/devel/ddl-schemas.html#DDL-SCHEMAS-PATTERNS
> before returning to the old default. What do you think?

Agreed, the new text is:

    Users wishing to have the former permissions will need to grant
    <literal>CREATE</literal> permission for <literal>PUBLIC</literal>
    on the <literal>public</literal> schema; this change can be made
    on <literal>template1</literal> to cause all new databases
    to have these permissions.

>
> > <literal>CREATE</literal> permission for <literal>PUBLIC</literal>
> > on the <literal>public</literal> schema; this change can be made
> > on <literal>template1</literal> to cause all new databases
> > to have these permissions. <literal>template1</literal>
> > permissions for <application>pg_dumpall</application> and
> > <application>pg_upgrade</application>?
>
> pg_dumpall will change template1. I think pg_upgrade will too, and neither
> program will change template0.

Okay, I will remove that question mark sentence.

> > </para>
> > </listitem>
> >
> > <!--
> > Author: Noah Misch <n...@leadboat.com>
> > 2021-09-09 [b073c3ccd] Revoke PUBLIC CREATE from public schema, now owned
> > by pg
> > -->
> >
> > <listitem>
> > <para>
> > Change the owner of the <literal>public</literal> schema to
> > <literal>pg_database_owner</literal> (Noah Misch)
> > </para>
> >
> > <para>
> > Previously it was the literal user name of the database owner.
>
> It was the bootstrap superuser.

Okay, text updated, thanks. Applied patch attached.

-- 
  Bruce Momjian  <br...@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Indecision is a decision.  Inaction is an action.  Mark Batterson

diff --git a/doc/src/sgml/release-15.sgml b/doc/src/sgml/release-15.sgml index 6da3f89d08..47ac329e79 100644 --- a/doc/src/sgml/release-15.sgml +++ b/doc/src/sgml/release-15.sgml @@ -63,13 +63,11 @@ Author: Noah Misch <n...@leadboat.com> permissions on the <literal>public</literal> schema has not been changed. Databases restored from previous Postgres releases will be restored with their current permissions. Users wishing - to have the old permissions on new objects will need to grant + to have the former permissions will need to grant <literal>CREATE</literal> permission for <literal>PUBLIC</literal> on the <literal>public</literal> schema; this change can be made on <literal>template1</literal> to cause all new databases - to have these permissions. <literal>template1</literal> - permissions for <application>pg_dumpall</application> and - <application>pg_upgrade</application>? + to have these permissions. </para> </listitem> @@ -85,7 +83,7 @@ Author: Noah Misch <n...@leadboat.com> </para> <para> - Previously it was the literal user name of the database owner. + Previously it was the literal user name of the bootstrap superuser. Databases restored from previous Postgres releases will be restored with their current owner specification. </para>
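
Review bot: in the first hunk, the rewritten sentence "to have the former permissions will need to grant ..." explains how to give CREATE back to PUBLIC, including on template1, but still carries no pointer to the schema usage patterns section that the review asked readers to understand before returning to the old default (https://www.postgresql.org/docs/devel/ddl-schemas.html#DDL-SCHEMAS-PATTERNS). Suggest adding a sentence with that link ahead of "this change can be made on template1", since a grant made there is copied into every database later cloned from it. The unchanged context line "permissions on the public schema has not been changed" also has a number mismatch ("permissions ... has").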
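
Review bot: in the second hunk, "the literal user name of the bootstrap superuser" keeps the "literal user name of" wording from the line it replaces, which now reads awkwardly; "Previously it was the bootstrap superuser." states the same thing. The context sentence that follows ("restored with their current owner specification") could also tell readers how to move a restored database to the new owner, for example ALTER SCHEMA public OWNER TO pg_database_owner.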
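
The point raised in the thread, that a template1 carried over by pg_dumpall or pg_upgrade keeps its v14 ACL on the public schema, can be checked per database. The SQL below is an added example, not part of the thread or of the PostgreSQL release notes; it assumes a superuser session on PostgreSQL 14 or later and is meant to be run once in each connectable database, template1 included.

```sql
-- Added example: audit one database for the pre-v15 public-schema defaults.

-- 1. Which databases need checking. New databases are cloned from template1
--    unless CREATE DATABASE names another template.
SELECT datname, datistemplate, datallowconn
FROM pg_database
ORDER BY datname;

-- 2. State of the public schema in the database you are connected to.
--    'public' as the first argument means the PUBLIC pseudo-role.
SELECT n.nspname                                                        AS schema_name,
       n.nspowner::regrole                                              AS schema_owner,
       has_schema_privilege('public'::name, n.oid, 'CREATE'::text)      AS public_can_create,
       has_schema_privilege('public'::name, n.oid, 'USAGE'::text)       AS public_can_use,
       n.nspacl                                                         AS raw_acl
FROM pg_namespace AS n
WHERE n.nspname = 'public';

-- Reading the result:
--   public_can_create = true   -> the v14 default ACL is still in place
--   schema_owner is a concrete role (typically the bootstrap superuser)
--                               -> the v14 owner is still in place
--   public_can_create = false and schema_owner = pg_database_owner
--                               -> matches the v15 defaults described above

-- 3. Bring the database in line with the v15 defaults (assumption: that is
--    the state you want). Applications that rely on any user being able to
--    create objects in public will need an explicit GRANT afterwards.
BEGIN;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
ALTER SCHEMA public OWNER TO pg_database_owner;
COMMIT;
```

Running step 3 in template1 changes what later CREATE DATABASE calls inherit; databases that already exist have to be changed individually.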