Re: Setting ACL

On 03/03/2020 19:02, Tom Lane wrote:
> Vik Fearing <vik@postgresfriends.org> writes:
>> I have a few questions about setting acl on SQL level.
>> Is it safe to do something like
>>     UPDATE pg_class SET relacl = $1 WHERE oid = $2;
>> ?
> 
>> I don't think it is because ExecGrant_* call updateAclDependencies after
>> they do the update and my own update would not do that.  But is it safe
>> to do my update if I'm not touching anything in pg_global?
> 
> Well, it'll work, but the system won't know about the role references
> in this ACL item, so for instance dropping the role wouldn't make the> ACL go away.  Which might cause you
dump/reloadissues later.
 

Ok, so not safe.  Should we remove makeaclitem() then?

>> And finally, would there be any interest in a function like
>> aclset("char", oid, aclitem[]) and does this properly?
> 
> Not really, when GRANT is already there ...

So I have to manually do a diff of the two acls and generate
GRANT/REVOKE statements?  That's not encouraging. :(
-- 
Vik Fearing