On Sat, Nov 4, 2023 at 10:12:42PM +0100, Laurenz Albe wrote:
> On Sat, 2023-11-04 at 14:20 -0400, Bruce Momjian wrote:
> > Yes, I see your point. Updated patch attached.
>
> Almost perfect, except:
>
> + Change default privileges for objects created by
> + <replaceable>target_role</replaceable>; if omitted, the current
> + role is modified.
>
> It is not the role that is modified. Perhaps:
>
> [...]; if omitted, the current role is used.
Sure, attached. Here is the issue I have though, we are really not
changing default privileges for objects created in the future, we are
changing the role _now_ so future objects will have different default
privileges, right? I think wording like the above is kind of odd.
--
Bruce Momjian <br...@momjian.us> https://momjian.us
EDB https://enterprisedb.com
Only you can decide what is important to you.
diff --git a/doc/src/sgml/ref/alter_default_privileges.sgml b/doc/src/sgml/ref/alter_default_privileges.sgml
index 8a6006188d..c98091239c 100644
--- a/doc/src/sgml/ref/alter_default_privileges.sgml
+++ b/doc/src/sgml/ref/alter_default_privileges.sgml
@@ -90,23 +90,24 @@ REVOKE [ GRANT OPTION FOR ]
<para>
<command>ALTER DEFAULT PRIVILEGES</command> allows you to set the privileges
that will be applied to objects created in the future. (It does not
- affect privileges assigned to already-existing objects.) Currently,
- only the privileges for schemas, tables (including views and foreign
- tables), sequences, functions, and types (including domains) can be
- altered. For this command, functions include aggregates and procedures.
- The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are
- equivalent in this command. (<literal>ROUTINES</literal> is preferred
- going forward as the standard term for functions and procedures taken
- together. In earlier PostgreSQL releases, only the
- word <literal>FUNCTIONS</literal> was allowed. It is not possible to set
- default privileges for functions and procedures separately.)
+ affect privileges assigned to already-existing objects.) Privileges can be
+ set globally (i.e., for all objects created in the current database), or
+ just for objects created in specified schemas.
+ </para>
+
+ <para>
+ As a non-superuser, you can change default privileges only on objects created
+ by yourself or by roles that you are a member of. If you alter the default
+ privileges for a role, only objects created by that role will be affected.
+ It is not sufficient to be a member of that role; member roles must use
+ <command>SET ROLE</command> to assume the identity of the role for which
+ default privileges were altered.
</para>
<para>
- You can change default privileges only for objects that will be created by
- yourself or by roles that you are a member of. The privileges can be set
- globally (i.e., for all objects created in the current database),
- or just for objects created in specified schemas.
+ There is no way to change the default privileges for objects created by
+ any role. You have run <command>ALTER DEFAULT PRIVILEGES</command> for all
+ roles that can create objects whose default privileges should be modified.
</para>
<para>
@@ -118,6 +119,19 @@ REVOKE [ GRANT OPTION FOR ]
<command>ALTER DEFAULT PRIVILEGES</command>.
</para>
+ <para>
+ Currently,
+ only the privileges for schemas, tables (including views and foreign
+ tables), sequences, functions, and types (including domains) can be
+ altered. For this command, functions include aggregates and procedures.
+ The words <literal>FUNCTIONS</literal> and <literal>ROUTINES</literal> are
+ equivalent in this command. (<literal>ROUTINES</literal> is preferred
+ going forward as the standard term for functions and procedures taken
+ together. In earlier PostgreSQL releases, only the
+ word <literal>FUNCTIONS</literal> was allowed. It is not possible to set
+ default privileges for functions and procedures separately.)
+ </para>
+
<para>
Default privileges that are specified per-schema are added to whatever
the global default privileges are for the particular object type.
@@ -136,12 +150,9 @@ REVOKE [ GRANT OPTION FOR ]
<term><replaceable>target_role</replaceable></term>
<listitem>
<para>
- The name of an existing role of which the current role is a member.
- Default access privileges are not inherited, so member roles
- must use <command>SET ROLE</command> to access these privileges,
- or <command>ALTER DEFAULT PRIVILEGES</command> must be run for
- each member role. If <literal>FOR ROLE</literal> is omitted,
- the current role is assumed.
+ Change default privileges for objects created by
+ <replaceable>target_role</replaceable>; if omitted, the current
+ role is used.
</para>
</listitem>
</varlistentry>
