sql: Support for ALTER DEFAULT PRIVILEGES #65604
Hello, I am Blathers. I am here to help you get the issue triaged. It looks like you have not filled out the issue in the format of any of our templates. To best assist you, we advise you to use one of these templates. I was unable to automatically find someone to ping. If we have not gotten back to your issue within a few business days, you can try the following:
🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan.
Thanks for this request @cybros7! We'll use this issue to track any changes we make here. cc @RichardJCai
66785: sql: support default privileges at the database level r=RichardJCai a=RichardJCai

fixes cockroachdb#65604

sql: support default privileges at the database level

This only adds default privileges stored on the database, we can add support for storing default privileges on schemas afterwards (shouldn't be a huge add onto this). Hopefully we can wait for cockroachdb#55793 so we don't need special logic to handle the public schema.

This PR does not yet address handling having USAGE on types as a default privilege for the public role.

Migration is not addressed yet, this PR still maintains backwards compatibility with how we "inherited" privileges before.

Also sorry to the reviewers about the size of the PR, a lot of lines do come from tests however, specifically parse test. Hopefully it shouldn't be too bad.

Release note (sql change): Added support for ALTER DEFAULT PRIVILEGES and default privileges stored on databases. All objects created in a database will have the privilege set defined by the default privileges for that type of object on the database. The types of objects are TABLES, SEQUENCES, SCHEMAS, TYPES.

Example: ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES TO foo makes it such that all tables created by the user that executed the ALTER DEFAULT PRIVILEGES command will have SELECT privilege on the table for user foo.

Additionally, one can specify a role. Example: ALTER DEFAULT PRIVILEGES FOR ROLE bar GRANT SELECT ON TABLES TO foo. All tables created by bar will have SELECT privilege for foo. If a role is not specified, it uses the current user.

See: https://www.postgresql.org/docs/current/sql-alterdefaultprivileges.html

Currently, default privileges are not supported on the schema. Specifying a schema like ALTER DEFAULT PRIVILEGES IN SCHEMA s will error.

WITH GRANT OPTION is ignored. GRANT OPTION FOR is also ignored.

Co-authored-by: richardjcai <[email protected]>
Currently Cockroach does not support a statement similar to ALTER DEFAULT PRIVILEGES to alter the default privileges given to a role for all new tables added to a specific schema.
Describe the solution you'd like
Support for a statement with similar functionality to ALTER DEFAULT PRIVILEGES.
Describe alternatives you've considered
The current approaches of giving permissions on tables to users have some drawbacks:
GRANT <PRIVILEGES> ON TABLE <db>.<schema>.* TO <ROLE>; would only grant permissions on existing tables.
SELECT to a role for all tables in a given schema then the SELECT would also be granted on a DB level.
Epic CRDB-2586
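
The gap described in the issue and the creator-scoped behaviour described in the release note, as an added example that is not part of the original issue or the CockroachDB code base. The database `app`, the roles `reader` and `etl`, and the table names are constructed, and the session is assumed to run as an admin user on a version that includes the change.

```sql
-- Constructed setup: one read-only role and one role that creates tables.
CREATE DATABASE app;
CREATE ROLE reader;
CREATE USER etl;
GRANT CREATE ON DATABASE app TO etl;
USE app;

-- 1. The gap from the issue: a wildcard GRANT only covers tables that
--    already exist when it runs.
CREATE TABLE t_before (id INT PRIMARY KEY);
GRANT SELECT ON TABLE app.public.* TO reader;
CREATE TABLE t_later (id INT PRIMARY KEY);
-- Compare what reader holds on the table created before the GRANT
-- with the one created after it.
SHOW GRANTS ON TABLE t_before FOR reader;
SHOW GRANTS ON TABLE t_later FOR reader;

-- 2. Default privileges: applies to tables created from now on by the
--    user that runs this statement (no FOR ROLE means the current user).
ALTER DEFAULT PRIVILEGES GRANT SELECT ON TABLES TO reader;
CREATE TABLE t_default (id INT PRIMARY KEY);
SHOW GRANTS ON TABLE t_default FOR reader;

-- 3. Step 2 does not cover tables that etl creates. Each creating role
--    needs its own entry, which keeps the grant scoped to known writers.
ALTER DEFAULT PRIVILEGES FOR ROLE etl GRANT SELECT ON TABLES TO reader;

-- 4. Audit what is configured per creating role, and remove an entry
--    that is no longer wanted. Revoking the default does not touch
--    tables that were already created with the privilege.
SHOW DEFAULT PRIVILEGES;
SHOW DEFAULT PRIVILEGES FOR ROLE etl;
ALTER DEFAULT PRIVILEGES REVOKE SELECT ON TABLES FROM reader;
```

As the release note states, adding `IN SCHEMA` to these statements errors in this change, and `WITH GRANT OPTION` is ignored, so neither appears here.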