Bryn Llewellyn <b...@yugabyte.com> writes:
> If user "x" owns function "s.f()", and if you want user "z" to be able to
> execute it, then this alone is insufficient:
> grant execute on function s.f() to z;
> The attempt by "z" to execute "s.f()" this draws the 42501 error, "permission
> denied for schema s". But this _is_ sufficient:
> grant usage on schema s to z;
> revoke execute on function s.f() from z; -- Yes, really!
> *This surprises me*
It shouldn't. Per the docs, the default permissions on a function
include GRANT EXECUTE TO PUBLIC. Revoking the never-granted-in-the-
first-place permission to z doesn't remove the PUBLIC permission.
So, if you want to be selective about who can use your functions,
you should revoke the PUBLIC permission and then grant out
permissions to individual roles.
regards, tom lane
