Re: default privileges

On Sat, Apr 3, 2010 at 5:27 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I wrote:
>> Yeah.  The problem here is that once you've created an entry in
>> pg_default_acl, there is no way to make it go away.
>
> Actually that's not true: you can get rid of it with DROP OWNED BY.
> This fact is even documented in the ALTER DEFAULT PRIVILEGES manual
> page:
>
>        If you wish to drop a role that has had its global default
>        privileges altered, it is necessary to use DROP OWNED BY first,
>        to get rid of the default privileges entry for the role.
>

ah! i obviously didn't read the manual in detail :)

> Not sure if this is good enough or we need to provide some more-obvious
> way of dealing with it.
>

it's strange that a REVOKE doesn't clean what a GRANT did, and DROP
OWNED BY seems very dangerous (at least if i forgot to make REASSIGN
OWNED first).

we can let it as it is, but at least we can add a HINT for use DROP
OWNED BY having execute REASSIGN OWNED first...
or we can make what seems more reasonable, make the REVOKE clean the mess :)

if you prefer the second way i can try to prepare a patch

--
Atentamente,
Jaime Casanova
Soporte y capacitación de PostgreSQL
Asesoría y desarrollo de sistemas
Guayaquil - Ecuador
Cel. +59387171157