Laurenz Albe <laurenz.a...@cybertec.at> writes:
> On Fri, 2019-11-15 at 13:41 -0500, Tom Lane wrote:
>> Laurenz Albe <laurenz.a...@cybertec.at> writes:
>>> On Wed, 2019-11-13 at 17:17 -0500, Tom Lane wrote:
>>>> It might be worth clarifying this point in section 5.7,
>>>> https://www.postgresql.org/docs/devel/ddl-priv.html
> I like your second sentence, but I think that "the right ... is inherent
> in being the ... owner" is unnecessarily complicated.
> Removing the "always" and "only" makes the apparent contradiction between
> the sentences less jarring to me.
I think it's important to emphasize that this is implicit in object
ownership.
Looking at the page again, I notice that there's a para a little further
down that overlaps quite a bit with what we're discussing here, but it's
about implicit grant options rather than the right to DROP. In the
attached, I reworded that too, and moved it because it's not fully
intelligible until we've explained grant options. Thoughts?
regards, tom lane
diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 9d6ec2c..0be0774 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -1578,8 +1578,10 @@ ALTER TABLE products RENAME TO items;
</para>
<para>
- The right to modify or destroy an object is always the privilege of
- the owner only.
+ The right to modify or destroy an object is inherent in being the
+ object's owner, and cannot be granted or revoked in itself.
+ (However, like all privileges, that right can be inherited by
+ members of the owning role; see <xref linkend="role-membership"/>.)
</para>
<para>
@@ -1614,17 +1616,11 @@ GRANT UPDATE ON accounts TO joe;
</para>
<para>
- To revoke a privilege, use the fittingly named
+ To revoke a previously-granted privilege, use the fittingly named
<xref linkend="sql-revoke"/> command:
<programlisting>
REVOKE ALL ON accounts FROM PUBLIC;
</programlisting>
- The special privileges of the object owner (i.e., the right to do
- <command>DROP</command>, <command>GRANT</command>, <command>REVOKE</command>, etc.)
- are always implicit in being the owner,
- and cannot be granted or revoked. But the object owner can choose
- to revoke their own ordinary privileges, for example to make a
- table read-only for themselves as well as others.
</para>
<para>
@@ -1639,6 +1635,13 @@ REVOKE ALL ON accounts FROM PUBLIC;
</para>
<para>
+ An object's owner can choose to revoke their own ordinary privileges,
+ for example to make a table read-only for themselves as well as others.
+ But owners are always treated as holding all grant options, so they
+ can always re-grant their own privileges.
+ </para>
+
+ <para>
The available privileges are:
<variablelist>
