Improve privileges discussion (mostly, mention grant options).
This commit is contained in:
Tom Lane
parent
82433e913c
commit
27fedc8a5e
|
|
@ -1,4 +1,4 @@
|
|||
<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.28 2004/08/07 19:53:48 tgl Exp $ -->
|
||||
<!-- $PostgreSQL: pgsql/doc/src/sgml/ddl.sgml,v 1.29 2004/08/07 20:44:49 tgl Exp $ -->
|
||||
|
||||
<chapter id="ddl">
|
||||
<title>Data Definition</title>
|
||||
|
|
@ -1378,29 +1378,22 @@ ALTER TABLE products RENAME TO items;
|
|||
When you create a database object, you become its owner. By
|
||||
default, only the owner of an object can do anything with the
|
||||
object. In order to allow other users to use it,
|
||||
<firstterm>privileges</firstterm> must be granted. (There are also
|
||||
users that have the superuser privilege. Those users can always
|
||||
<firstterm>privileges</firstterm> must be granted. (However,
|
||||
users that have the superuser attribute can always
|
||||
access any object.)
|
||||
</para>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
To change the owner of a table, index, sequence, or view, use the
|
||||
<xref linkend="sql-altertable" endterm="sql-altertable-title">
|
||||
command.
|
||||
</para>
|
||||
</note>
|
||||
|
||||
<para>
|
||||
There are several different privileges: <literal>SELECT</>,
|
||||
<literal>INSERT</>, <literal>UPDATE</>, <literal>DELETE</>,
|
||||
<literal>RULE</>, <literal>REFERENCES</>, <literal>TRIGGER</>,
|
||||
<literal>CREATE</>, <literal>TEMPORARY</>, <literal>EXECUTE</>,
|
||||
<literal>USAGE</>, and <literal>ALL PRIVILEGES</>. For complete
|
||||
and <literal>USAGE</>. The privileges applicable to a particular
|
||||
object vary depending on the object's type (table, function, etc).
|
||||
For complete
|
||||
information on the different types of privileges supported by
|
||||
<productname>PostgreSQL</productname>, refer to the
|
||||
<xref linkend="sql-grant" endterm="sql-grant-title">
|
||||
reference page. The following sections
|
||||
<xref linkend="sql-grant"> reference page. The following sections
|
||||
and chapters will also show you how those privileges are used.
|
||||
</para>
|
||||
|
||||
|
|
@ -1409,23 +1402,30 @@ ALTER TABLE products RENAME TO items;
|
|||
the owner only.
|
||||
</para>
|
||||
|
||||
<note>
|
||||
<para>
|
||||
To change the owner of a table, index, sequence, or view, use the
|
||||
<xref linkend="sql-altertable"> command. There are corresponding
|
||||
<literal>ALTER</> commands for other object types.
|
||||
</para>
|
||||
</note>
|
||||
|
||||
<para>
|
||||
To assign privileges, the <command>GRANT</command> command is
|
||||
used. So, if <literal>joe</literal> is an existing user, and
|
||||
used. For example, if <literal>joe</literal> is an existing user, and
|
||||
<literal>accounts</literal> is an existing table, the privilege to
|
||||
update the table can be granted with
|
||||
<programlisting>
|
||||
GRANT UPDATE ON accounts TO joe;
|
||||
</programlisting>
|
||||
The user executing this command must be the owner of the table. To
|
||||
grant a privilege to a group, use
|
||||
To grant a privilege to a group, use this syntax:
|
||||
<programlisting>
|
||||
GRANT SELECT ON accounts TO GROUP staff;
|
||||
</programlisting>
|
||||
The special <quote>user</quote> name <literal>PUBLIC</literal> can
|
||||
be used to grant a privilege to every user on the system. Writing
|
||||
<literal>ALL</literal> in place of a specific privilege specifies that all
|
||||
privileges will be granted.
|
||||
<literal>ALL</literal> in place of a specific privilege grants all
|
||||
privileges that are relevant for the object type.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
|
|
@ -1434,13 +1434,24 @@ GRANT SELECT ON accounts TO GROUP staff;
|
|||
<programlisting>
|
||||
REVOKE ALL ON accounts FROM PUBLIC;
|
||||
</programlisting>
|
||||
The special privileges of the table owner (i.e., the right to do
|
||||
The special privileges of the object owner (i.e., the right to do
|
||||
<command>DROP</>, <command>GRANT</>, <command>REVOKE</>, etc.)
|
||||
are always implicit in being the owner,
|
||||
and cannot be granted or revoked. But the table owner can choose
|
||||
and cannot be granted or revoked. But the object owner can choose
|
||||
to revoke his own ordinary privileges, for example to make a
|
||||
table read-only for himself as well as others.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Ordinarily, only the object's owner (or a superuser) can grant or revoke
|
||||
privileges on an object. However, it is possible to grant a privilege
|
||||
<quote>with grant option</>, which gives the recipient the right to
|
||||
grant it in turn to others. If the grant option is subsequently revoked
|
||||
then all who received the privilege from that recipient (directly or
|
||||
through a chain of grants) will lose the privilege. For details see
|
||||
the <xref linkend="sql-grant"> and <xref linkend="sql-revoke"> reference
|
||||
pages.
|
||||
</para>
|
||||
</sect1>
|
||||
|
||||
<sect1 id="ddl-schemas">
|
||||
|
|
@ -1544,12 +1555,17 @@ CREATE SCHEMA myschema;
|
|||
<synopsis>
|
||||
<replaceable>schema</><literal>.</><replaceable>table</>
|
||||
</synopsis>
|
||||
(For brevity we will speak of tables only, but the same ideas apply
|
||||
to other kinds of named objects, such as types and functions.)
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Actually, the even more general syntax
|
||||
<synopsis>
|
||||
<replaceable>database</><literal>.</><replaceable>schema</><literal>.</><replaceable>table</>
|
||||
</synopsis>
|
||||
can be used too, but at present this is just for pro-forma compliance
|
||||
with the SQL standard; if you write a database name it must be the
|
||||
with the SQL standard. If you write a database name, it must be the
|
||||
same as the database you are connected to.
|
||||
</para>
|
||||
|
||||
|
|
@ -1862,7 +1878,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
|
|||
privileges to allow the other users to access them. Users can
|
||||
then refer to these additional objects by qualifying the names
|
||||
with a schema name, or they can put the additional schemas into
|
||||
their path, as they choose.
|
||||
their search path, as they choose.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
<!--
|
||||
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.41 2004/06/18 06:13:05 tgl Exp $
|
||||
$PostgreSQL: pgsql/doc/src/sgml/ref/grant.sgml,v 1.42 2004/08/07 20:44:50 tgl Exp $
|
||||
PostgreSQL documentation
|
||||
-->
|
||||
|
||||
|
|
@ -52,8 +52,8 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
|
|||
|
||||
<para>
|
||||
The <command>GRANT</command> command gives specific privileges on
|
||||
an object (table, view, sequence, database, function, procedural language,
|
||||
or schema) to
|
||||
an object (table, view, sequence, database, tablespace, function,
|
||||
procedural language, or schema) to
|
||||
one or more users or groups of users. These privileges are added
|
||||
to those already granted, if any.
|
||||
</para>
|
||||
|
|
|
|||
Loading…
Reference in New Issue