Commit dce9881

Doc: fix old oversights in GRANT/REVOKE documentation.

The GRANTED BY clause in GRANT/REVOKE ROLE has been there since 2005 but was never documented. I'm not sure now whether that was just an oversight or was intentional (given the limited capability of the option). But seeing that pg_dumpall does emit code that uses this option, it seems like not documenting it at all is a bad idea.

Also, when we upgraded the syntax to allow CURRENT_USER/SESSION_USER as the privilege recipient, the role form of GRANT was incorrectly not modified to show that, and REVOKE's docs weren't touched at all.

Although I'm not that excited about GRANTED BY, the other oversight seems serious enough to justify a back-patch.

Discussion: https://postgr.es/m/3070.1581526786@sss.pgh.pa.us
1 parent 997563d commit dce9881

2 files changed

+47
-19
lines changed

doc/src/sgml/ref/grant.sgml

+20-4
@@ -79,14 +79,16 @@ GRANT { USAGE | ALL [ PRIVILEGES ] }
7979
ON TYPE <replaceable>type_name</replaceable> [, ...]
8080
TO <replaceable class="parameter">role_specification</replaceable> [, ...] [ WITH GRANT OPTION ]
8181

82+
GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replaceable class="parameter">role_specification</replaceable> [, ...]
83+
[ WITH ADMIN OPTION ]
84+
[ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
85+
8286
<phrase>where <replaceable class="parameter">role_specification</replaceable> can be:</phrase>
8387

8488
[ GROUP ] <replaceable class="parameter">role_name</replaceable>
8589
| PUBLIC
8690
| CURRENT_USER
8791
| SESSION_USER
88-
89-
GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replaceable class="parameter">role_name</replaceable> [, ...] [ WITH ADMIN OPTION ]
9092
</synopsis>
9193
</refsynopsisdiv>
9294
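Review bot: In the relocated role-membership form (new lines 82-84), both the TO list and GRANTED BY now take role_specification, but the definition that follows still lists `[ GROUP ] role_name` and `PUBLIC`, which the Notes text later in this file says this form does not accept. Anyone reading only the synopsis, for example when writing provisioning scripts or reviewing who can be made a member of a role, sees a wider grammar than the command allows. Suggest either a separate production for the role form or a short qualifier next to it that points at the restriction.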

@@ -236,10 +238,17 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
236238
or revoke membership in any role that is not a superuser.
237239
</para>
238240

241+
<para>
242+
If <literal>GRANTED BY</literal> is specified, the grant is recorded as
243+
having been done by the specified role. Only database superusers may
244+
use this option, except when it names the same role executing the command.
245+
</para>
246+
239247
<para>
240248
Unlike the case with privileges, membership in a role cannot be granted
241-
to <literal>PUBLIC</literal>. Note also that this form of the command does not
242-
allow the noise word <literal>GROUP</literal>.
249+
to <literal>PUBLIC</literal>. Note also that this form of the command
250+
does not allow the noise word <literal>GROUP</literal>
251+
in <replaceable class="parameter">role_specification</replaceable>.
243252
</para>
244253
</refsect2>
245254
</refsect1>
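Review bot: The new GRANTED BY paragraph (new lines 241-245) says the grant is "recorded as having been done by the specified role" but not where that record can be read or what it affects afterwards, which is what someone auditing role membership needs to know. Since a superuser may name any role here, the text should also say outright that the recorded grantor is not evidence of who ran the command. The exception clause would read more clearly as "unless it names the role executing the command", and since the commit message gives pg_dumpall output as the reason for documenting the option at all, mentioning that here would tell readers where they will meet it.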
@@ -398,6 +407,13 @@ GRANT admins TO joe;
398407
to roles.
399408
</para>
400409

410+
<para>
411+
The SQL standard allows the <literal>GRANTED BY</literal> option to
412+
be used in all forms of <command>GRANT</command>. PostgreSQL only
413+
supports it when granting role membership, and even then only superusers
414+
may use it in nontrivial ways.
415+
</para>
416+
401417
<para>
402418
The SQL standard provides for a <literal>USAGE</literal> privilege
403419
on other kinds of objects: character sets, collations,
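Review bot: "only superusers may use it in nontrivial ways" (new lines 413-414) leaves "nontrivial" undefined, while the Notes paragraph added earlier in this file states the actual rule: superuser only, unless the named role is the one executing the command. Suggest restating that rule here or linking to it, so the Compatibility section cannot be read as a looser permission than the Notes give.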

doc/src/sgml/ref/revoke.sgml

+27-15
@@ -26,88 +26,96 @@ REVOKE [ GRANT OPTION FOR ]
2626
[, ...] | ALL [ PRIVILEGES ] }
2727
ON { [ TABLE ] <replaceable class="parameter">table_name</replaceable> [, ...]
2828
| ALL TABLES IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }
29-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
29+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
3030
[ CASCADE | RESTRICT ]
3131

3232
REVOKE [ GRANT OPTION FOR ]
3333
{ { SELECT | INSERT | UPDATE | REFERENCES } ( <replaceable class="parameter">column_name</replaceable> [, ...] )
3434
[, ...] | ALL [ PRIVILEGES ] ( <replaceable class="parameter">column_name</replaceable> [, ...] ) }
3535
ON [ TABLE ] <replaceable class="parameter">table_name</replaceable> [, ...]
36-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
36+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
3737
[ CASCADE | RESTRICT ]
3838

3939
REVOKE [ GRANT OPTION FOR ]
4040
{ { USAGE | SELECT | UPDATE }
4141
[, ...] | ALL [ PRIVILEGES ] }
4242
ON { SEQUENCE <replaceable class="parameter">sequence_name</replaceable> [, ...]
4343
| ALL SEQUENCES IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }
44-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
44+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
4545
[ CASCADE | RESTRICT ]
4646

4747
REVOKE [ GRANT OPTION FOR ]
4848
{ { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
4949
ON DATABASE <replaceable>database_name</replaceable> [, ...]
50-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
50+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
5151
[ CASCADE | RESTRICT ]
5252

5353
REVOKE [ GRANT OPTION FOR ]
5454
{ USAGE | ALL [ PRIVILEGES ] }
5555
ON DOMAIN <replaceable>domain_name</replaceable> [, ...]
56-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
56+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
5757
[ CASCADE | RESTRICT ]
5858

5959
REVOKE [ GRANT OPTION FOR ]
6060
{ USAGE | ALL [ PRIVILEGES ] }
6161
ON FOREIGN DATA WRAPPER <replaceable>fdw_name</replaceable> [, ...]
62-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
62+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
6363
[ CASCADE | RESTRICT ]
6464

6565
REVOKE [ GRANT OPTION FOR ]
6666
{ USAGE | ALL [ PRIVILEGES ] }
6767
ON FOREIGN SERVER <replaceable>server_name</replaceable> [, ...]
68-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
68+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
6969
[ CASCADE | RESTRICT ]
7070

7171
REVOKE [ GRANT OPTION FOR ]
7272
{ EXECUTE | ALL [ PRIVILEGES ] }
7373
ON { { FUNCTION | PROCEDURE | ROUTINE } <replaceable>function_name</replaceable> [ ( [ [ <replaceable class="parameter">argmode</replaceable> ] [ <replaceable class="parameter">arg_name</replaceable> ] <replaceable class="parameter">arg_type</replaceable> [, ...] ] ) ] [, ...]
7474
| ALL { FUNCTIONS | PROCEDURES | ROUTINES } IN SCHEMA <replaceable>schema_name</replaceable> [, ...] }
75-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
75+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
7676
[ CASCADE | RESTRICT ]
7777

7878
REVOKE [ GRANT OPTION FOR ]
7979
{ USAGE | ALL [ PRIVILEGES ] }
8080
ON LANGUAGE <replaceable>lang_name</replaceable> [, ...]
81-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
81+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
8282
[ CASCADE | RESTRICT ]
8383

8484
REVOKE [ GRANT OPTION FOR ]
8585
{ { SELECT | UPDATE } [, ...] | ALL [ PRIVILEGES ] }
8686
ON LARGE OBJECT <replaceable class="parameter">loid</replaceable> [, ...]
87-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
87+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
8888
[ CASCADE | RESTRICT ]
8989

9090
REVOKE [ GRANT OPTION FOR ]
9191
{ { CREATE | USAGE } [, ...] | ALL [ PRIVILEGES ] }
9292
ON SCHEMA <replaceable>schema_name</replaceable> [, ...]
93-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
93+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
9494
[ CASCADE | RESTRICT ]
9595

9696
REVOKE [ GRANT OPTION FOR ]
9797
{ CREATE | ALL [ PRIVILEGES ] }
9898
ON TABLESPACE <replaceable>tablespace_name</replaceable> [, ...]
99-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
99+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
100100
[ CASCADE | RESTRICT ]
101101

102102
REVOKE [ GRANT OPTION FOR ]
103103
{ USAGE | ALL [ PRIVILEGES ] }
104104
ON TYPE <replaceable>type_name</replaceable> [, ...]
105-
FROM { [ GROUP ] <replaceable class="parameter">role_name</replaceable> | PUBLIC } [, ...]
105+
FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
106106
[ CASCADE | RESTRICT ]
107107

108108
REVOKE [ ADMIN OPTION FOR ]
109-
<replaceable class="parameter">role_name</replaceable> [, ...] FROM <replaceable class="parameter">role_name</replaceable> [, ...]
109+
<replaceable class="parameter">role_name</replaceable> [, ...] FROM <replaceable class="parameter">role_specification</replaceable> [, ...]
110+
[ GRANTED BY <replaceable class="parameter">role_specification</replaceable> ]
110111
[ CASCADE | RESTRICT ]
112+
113+
<phrase>where <replaceable class="parameter">role_specification</replaceable> can be:</phrase>
114+
115+
[ GROUP ] <replaceable class="parameter">role_name</replaceable>
116+
| PUBLIC
117+
| CURRENT_USER
118+
| SESSION_USER
111119
</synopsis>
112120
</refsynopsisdiv>
113121
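Review bot: The role form now reads `FROM role_specification` with an optional `GRANTED BY role_specification` (new lines 109-110), and the definition added at new lines 113-118 includes PUBLIC, yet nothing in the visible revoke.sgml text says whether PUBLIC is meaningful for the role form; only the GROUP noise word is excluded in the Notes hunk. grant.sgml states that membership cannot be granted to PUBLIC, so the REVOKE page should carry the matching statement. The synopsis also gives no hint that GRANTED BY has no effect here; a brief pointer to the Notes sentence would keep readers from assuming it selects among grants.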

@@ -169,8 +177,12 @@ REVOKE [ ADMIN OPTION FOR ]
169177
<para>
170178
When revoking membership in a role, <literal>GRANT OPTION</literal> is instead
171179
called <literal>ADMIN OPTION</literal>, but the behavior is similar.
180+
This form of the command also allows a <literal>GRANTED BY</literal>
181+
option, but that option is currently ignored (except for checking
182+
the existence of the named role).
172183
Note also that this form of the command does not
173-
allow the noise word <literal>GROUP</literal>.
184+
allow the noise word <literal>GROUP</literal>
185+
in <replaceable class="parameter">role_specification</replaceable>.
174186
</para>
175187
</refsect1>
176188
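Review bot: "currently ignored (except for checking the existence of the named role)" at new lines 180-182 does not spell out the consequence that matters when cleaning up access: the membership is revoked whichever role is named, so GRANTED BY cannot be used to remove only the grants a particular role made. Suggest saying that directly, and saying what happens when the named role does not exist. The new sentence is also wedged between "the behavior is similar" and "Note also", so the "also" now reads as referring to GRANTED BY; giving the new text its own paragraph, as grant.sgml does, would fix that.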
