On Tue, Jul 28, 2015 at 04:04:29PM -0700, Joe Conway wrote:
> On 07/27/2015 05:34 PM, Joe Conway wrote:
> > On 07/27/2015 01:13 PM, Alvaro Herrera wrote:
> >> Hmm, these are not ACL objects, so conceptually it seems cleaner
> >> to use a different symbol for this. I think the catalog state
> >> and the error messages would be a bit confusing otherwise.
> >
> > Ok -- done
>
> Pushed to HEAD and 9.5

I reviewed this commit, f781a0f "Create a pg_shdepend entry for each role in TO
clause of policies." This commit rendered the
http://www.postgresql.org/docs/devel/static/role-removal.html procedure[1]
incomplete. Before dropping a role, one must additionally drop each policy
mentioning the role in pg_policy.polroles:

begin;
create role alice;
create table t (c int);
grant select on table t to alice;
create policy p0 on t to alice using (true);
reassign owned by alice to current_user;
drop owned by alice;
drop role alice;
rollback;

shdepDropOwned() ignores SHARED_DEPENDENCY_POLICY entries. Should it instead
remove the role from polroles, dropping the policy if that would empty
polroles? (Which should change, the documented role-removal procedure or the
DROP OWNED treatment of policies?)

Independently,
http://www.postgresql.org/docs/devel/static/sql-drop-owned.html deserves an
update since it discusses every other object type having role dependencies.

Thanks,
nm

[1] That page did not exist until 2015-10-07 (commit 1ea0c73), after the commit
I'm reviewing here.
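
Added example, not part of the original message or of PostgreSQL's documentation: a catalog query that lists every policy naming a role in pg_policy.polroles and proposes a statement for each, so the policies can be dealt with before DROP ROLE. It assumes the role alice from the test case above; the output column names are chosen here for illustration, and the query has to be run in each database because pg_policy is a per-database catalog.

```sql
-- Policies whose TO list (pg_policy.polroles) mentions the role to be dropped.
-- 'alice' is the role from the test case in the message; substitute as needed.
SELECT n.nspname                AS schema_name,
       c.relname                AS table_name,
       p.polname                AS policy_name,
       cardinality(p.polroles)  AS roles_in_policy,
       CASE
           -- The role is the only entry: nothing would remain in the TO list,
           -- so the policy itself has to go.
           WHEN cardinality(p.polroles) = 1 THEN
               format('DROP POLICY %I ON %I.%I;',
                      p.polname, n.nspname, c.relname)
           -- Other roles remain: rewrite the TO list without this role.
           ELSE
               format('ALTER POLICY %I ON %I.%I TO %s;',
                      p.polname, n.nspname, c.relname,
                      (SELECT string_agg(
                                  CASE WHEN m = 0
                                       THEN 'PUBLIC'          -- OID 0 stands for PUBLIC
                                       ELSE quote_ident(pg_get_userbyid(m))
                                  END, ', ')
                         FROM unnest(p.polroles) AS m
                        WHERE m <> r.oid))
       END                      AS suggested_statement   -- illustrative column name
  FROM pg_policy    p
  JOIN pg_class     c ON c.oid = p.polrelid
  JOIN pg_namespace n ON n.oid = c.relnamespace
  JOIN pg_roles     r ON r.oid = ANY (p.polroles)
 WHERE r.rolname = 'alice'
 ORDER BY n.nspname, c.relname, p.polname;
```

For the test case above this returns one row for policy p0 on table t with a DROP POLICY suggestion, since alice is the only role in its TO list.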