Re: Add sentence about SECURITY LABEL object ownership
On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
> Hi,
>
> I noticed that we don't document that you need to own the object being
> modified by SECURITY LABEL.
>
> Page: https://www.postgresql.org/docs/current/sql-security-label.html
>
> I've attached a patch that would have answered that question (for me)
> without diving into the code.
> --- a/doc/src/sgml/ref/security_label.sgml
> +++ b/doc/src/sgml/ref/security_label.sgml
> @@ -84,6 +84,10 @@ SECURITY LABEL [ FOR class="parameter">provider ] ON
>   based on object labels, rather than traditional discretionary access
> control
>   (DAC) concepts such as users and groups.
>
> +
> +
> +  You must own the database object to use the SECURITY
> LABEL.
> +
>
>

Wouldn't it be more accurate to say that you have to be a member of the
owning role?
But perhaps that would be complicated enough to confuse many users.

In general, +1 for documenting that.

Yours,
Laurenz Albe
Add sentence about SECURITY LABEL object ownership
Hi,

I noticed that we don't document that you need to own the object being
modified by SECURITY LABEL.

Page: https://www.postgresql.org/docs/current/sql-security-label.html

I've attached a patch that would have answered that question (for me)
without diving into the code.

Thanks,
Patrick

From 318a37a35f1b9f1915ae03df869fb51b04f1353e Mon Sep 17 00:00:00 2001
From: Patrick Stählin
Date: Thu, 5 Jun 2025 15:10:01 +0200
Subject: [PATCH] Document ownership requirement for SECURITY LABEL

Clarify that you need ownership of objects you issue SECURITY LABEL on.
---
 doc/src/sgml/ref/security_label.sgml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/doc/src/sgml/ref/security_label.sgml b/doc/src/sgml/ref/security_label.sgml
index e5e5fb483e9..ddcf92c967e 100644
--- a/doc/src/sgml/ref/security_label.sgml
+++ b/doc/src/sgml/ref/security_label.sgml
@@ -84,6 +84,10 @@ SECURITY LABEL [ FOR provider ] ON
   based on object labels, rather than traditional discretionary access control
   (DAC) concepts such as users and groups.
 
+
+
+  You must own the database object to use the SECURITY LABEL.
+
 
-- 
2.48.1
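Review bot: the added sentence in this hunk says "to use the SECURITY LABEL", which does not follow the boilerplate pattern Tom cites in this thread ("You must own the table to use ALTER TABLE"); suggest dropping the article so it reads "You must own the database object to use SECURITY LABEL." Laurenz's point that membership in the owning role also passes the check is correct, so keeping the short boilerplate form is a deliberate simplification rather than a mistake, but the wording should match the other reference pages.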
Re: Add sentence about SECURITY LABEL object ownership
On Thu, 2025-06-05 at 11:19 -0400, Tom Lane wrote:
> Laurenz Albe writes:
> > On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
> > > I noticed that we don't document that you need to own the object being
> > > modified by SECURITY LABEL.
>
> Yeah, clearly a documentation oversight.
>
> > Wouldn't it be more accurate to say that you have to be a member of the
> > owning role?
> > But perhaps that would be complicated enough to confuse many users.
> > In general, +1 for documenting that.
>
> Our standard boilerplate for this is, eg,
>
>     You must own the table to use ALTER TABLE.
>
> I don't see a reason to do it differently here.

Objection withdrawn.

Yours,
Laurenz Albe
Re: Add sentence about SECURITY LABEL object ownership
Laurenz Albe writes:
> On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
>> I noticed that we don't document that you need to own the object being
>> modified by SECURITY LABEL.

Yeah, clearly a documentation oversight.

> Wouldn't it be more accurate to say that you have to be a member of the
> owning role?
> But perhaps that would be complicated enough to confuse many users.
> In general, +1 for documenting that.

Our standard boilerplate for this is, eg,

    You must own the table to use ALTER TABLE.

I don't see a reason to do it differently here.

			regards, tom lane
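The ownership rule the thread is documenting, exercised as an added SQL example that is not part of this thread or of the patch. It assumes a superuser session and that the dummy_seclabel test module from src/test/modules is installed so that a label provider named dummy exists; the role and table names are made up for the demonstration.

```sql
-- Added example: show who may run SECURITY LABEL on an object.
-- Assumes the dummy_seclabel test module is available (provider "dummy").
CREATE EXTENSION dummy_seclabel;

CREATE ROLE owner_role NOLOGIN;
CREATE ROLE member_role NOLOGIN IN ROLE owner_role;   -- member of the owning role
CREATE ROLE outsider_role NOLOGIN;                     -- unrelated role

CREATE TABLE labeled_tbl (id int);
ALTER TABLE labeled_tbl OWNER TO owner_role;

-- A role that neither owns the table nor is a member of the owning role
-- fails the ownership check (expected: ERROR: must be owner of table labeled_tbl).
SET ROLE outsider_role;
SECURITY LABEL FOR dummy ON TABLE labeled_tbl IS 'classified';
RESET ROLE;

-- Membership in the owning role is enough, which is the nuance Laurenz raised:
-- the check is "has the privileges of the owner", not literal ownership.
SET ROLE member_role;
SECURITY LABEL FOR dummy ON TABLE labeled_tbl IS 'classified';
RESET ROLE;

-- Confirm that only the successful statement left a label behind.
SELECT objtype, objname, provider, label
  FROM pg_seclabels
 WHERE objname = 'labeled_tbl';
```

Run it without ON_ERROR_STOP so the intentionally failing statement does not abort the script.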