Re: [HACKERS] REVOKE [ADMIN OPTION FOR] ROLE

Mon, 27 Jul 2015 05:51:54 -0700 



On Thu, Jul 23, 2015 at 8:30 AM, Egor Rogov <e.ro...@postgrespro.ru> wrote:

So, the question: is it a documentation bug (as it seems to me), code bug,
or I missed something?

Your analysis looks right to me, but I don't know whether the code or
the documentation should be changed.  This claim was added by Tom Lane
in 2005 in commit 58d214e51fe50b10b4439da6ec263d54c155afbf.  It might
be worth checking whether the claim was true at that time and later
became false, or whether it was never true to begin with.
As far as I can see, modern revoke syntax for revoking membership in a role (along with "admin option") was introduced in commit 7762619 (by Tom Lane, 2005). Code for handling this command didn't pay attention for "restrict/cascade" keywords then, as it does not now. Before that, another syntax was in use: alter group groupname drop user username [, ...]. It did not include notion of "cascade" at all. I guess that "revoke role_name from role_name" inherited "[cascade|restrict]" section from general revoke command but never actually used it. And I see no point in changing this, because role membership is somewhat more static than privileges. 
So I would propose the attached fix for documentation.

Thanks,
Egor Rogov
Postgres Professional: http://www.postgrespro.com
Russian Postgres Company

diff --git a/doc/src/sgml/ref/revoke.sgml b/doc/src/sgml/ref/revoke.sgml
index 36c286b..8417abe 100644
--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@@ -167,8 +167,10 @@ REVOKE [ ADMIN OPTION FOR ]
   </para>
 
   <para>
-   When revoking membership in a role, <literal>GRANT OPTION</> is instead
-   called <literal>ADMIN OPTION</>, but the behavior is similar.
+   If <literal>ADMIN OPTION FOR</> is specified, only the admin option is
+   revoked, not the group membership itself. When revoking membership in a
+   role or admin option, recursive revocation does not happen no matter
+   whether <literal>CASCADE</> is specified or not.
    Note also that this form of the command does not
    allow the noise word <literal>GROUP</>.
   </para>

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Reply via email to