From ef7422510e93266e5aa9bb926d6747d5f2ae21f4 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <peter_e@gmx.net>
Date: Thu, 23 Jan 2003 23:39:07 +0000
Subject: Grant options, and cascading revoke.  Grant options are allowed only
 for users right now, not groups.  Extension of has_foo_privileges functions
 to query the grant options.  Extension of aclitem type to store grantor.

---
 doc/src/sgml/func.sgml       |  8 +++++-
 doc/src/sgml/ref/grant.sgml  | 43 ++++++++++++++++------------
 doc/src/sgml/ref/revoke.sgml | 67 +++++++++++++++++++++++++++++---------------
 doc/src/sgml/release.sgml    |  3 +-
 4 files changed, 78 insertions(+), 43 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/func.sgml b/doc/src/sgml/func.sgml
index 830d71779a5..b3de02ef067 100644
--- a/doc/src/sgml/func.sgml
+++ b/doc/src/sgml/func.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/func.sgml,v 1.135 2003/01/23 01:22:59 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/func.sgml,v 1.136 2003/01/23 23:38:51 petere Exp $
 PostgreSQL documentation
 -->
 
@@ -5786,6 +5786,12 @@ SELECT has_table_privilege('myschema.mytable', 'select');
     <literal>USAGE</literal>.
    </para>
 
+  <para>
+   To evaluate whether a user holds a grant option on the privilege,
+   append <literal> WITH GRANT OPTION</literal> to the privilege key
+   word; for example <literal>'UPDATE WITH GRANT OPTION'</literal>.
+  </para>
+
   <para>
    <xref linkend="functions-misc-schema-table"> shows functions that
    determine whether a certain object is <firstterm>visible</> in the
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index d8830498c69..5457a950ed1 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.31 2002/11/21 23:34:43 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.32 2003/01/23 23:38:53 petere Exp $
 PostgreSQL documentation
 -->
 
@@ -19,23 +19,23 @@ PostgreSQL documentation
 GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
     [,...] | ALL [ PRIVILEGES ] }
     ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
-    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
 
 GRANT { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
     ON DATABASE <replaceable>dbname</replaceable> [, ...]
-    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
 
 GRANT { EXECUTE | ALL [ PRIVILEGES ] }
     ON FUNCTION <replaceable>funcname</replaceable> ([<replaceable>type</replaceable>, ...]) [, ...]
-    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
 
 GRANT { USAGE | ALL [ PRIVILEGES ] }
     ON LANGUAGE <replaceable>langname</replaceable> [, ...]
-    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
 
 GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
     ON SCHEMA <replaceable>schemaname</replaceable> [, ...]
-    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...] [ WITH GRANT OPTION ]
 </synopsis>
  </refsynopsisdiv>
 
@@ -63,13 +63,18 @@ GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
 
   <para>
    There is no need to grant privileges to the creator of an object,
-   as the creator has all privileges by default.
-   (The creator could, however, choose to revoke
-   some of his own privileges for safety.)  Note that the ability to
-   grant and revoke privileges is inherent in the creator and cannot
-   be lost.  The right to drop an object, or to alter it in any way
-   not described by a grantable right, is likewise inherent in the
-   creator, and cannot be granted or revoked.
+   as the creator has all privileges by default.  (The creator could,
+   however, choose to revoke some of his own privileges for safety.)
+   Note that the right to drop an object, or to alter it in any way is
+   not described by a grantable right; it is inherent in the creator,
+   and cannot be granted or revoked.
+  </para>
+
+  <para>
+   If <literal>WITH GRANT OPTION</literal> is specified, the recipient
+   of the privilege may in turn grant it to others.  By default this
+   is not possible.  Grant options can only be granted to individual
+   users, not groups or <literal>PUBLIC</literal>.
   </para>
 
   <para>
@@ -269,7 +274,7 @@ lusitania=> \dp mytable
         Access privileges for database "lusitania"
  Schema |  Table  |           Access privileges
 --------+---------+---------------------------------------
- public | mytable | {=r,miriam=arwdRxt,"group todos=arw"}
+ public | mytable | {=r/postgres,miriam=arwdRxt/postgres,"group todos=arw/postgres"}
 (1 row)
 </programlisting>
     The entries shown by <command>\dp</command> are interpreted thus:
@@ -290,6 +295,9 @@ lusitania=> \dp mytable
                   C -- CREATE
                   T -- TEMPORARY
             arwdRxt -- ALL PRIVILEGES (for tables)
+                  * -- grant option for preceding privilege
+
+              /yyyy -- user who granted this privilege
 </programlisting>
 
     The above example display would be seen by user <literal>miriam</> after
@@ -346,13 +354,12 @@ GRANT ALL PRIVILEGES ON kinds TO manuel;
    </para>
 
    <para>
-    The <acronym>SQL92</acronym> syntax for GRANT allows setting
-    privileges for individual columns within a table, and allows
-    setting a privilege to grant the same privileges to others:
+    The <acronym>SQL</acronym> syntax for <literal>GRANT</literal>
+    allows setting privileges for individual columns within a table:
 
 <synopsis>
 GRANT <replaceable class="PARAMETER">privilege</replaceable> [, ...]
-    ON <replaceable class="PARAMETER">object</replaceable> [ ( <replaceable class="PARAMETER">column</replaceable> [, ...] ) ] [, ...]
+    ON <replaceable class="PARAMETER">table</replaceable> [ ( <replaceable class="PARAMETER">column</replaceable> [, ...] ) ] [, ...]
     TO { PUBLIC | <replaceable class="PARAMETER">username</replaceable> [, ...] } [ WITH GRANT OPTION ]
 </synopsis>
    </para>
diff --git a/doc/src/sgml/ref/revoke.sgml b/doc/src/sgml/ref/revoke.sgml
index 345024bb7cc..e2ec87d5e7f 100644
--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.24 2003/01/10 11:02:51 petere Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.25 2003/01/23 23:38:53 petere Exp $
 PostgreSQL documentation
 -->
 
@@ -16,31 +16,36 @@ PostgreSQL documentation
 
  <refsynopsisdiv>
 <synopsis>
-REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
+REVOKE [ GRANT OPTION FOR ]
+    { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
     [,...] | ALL [ PRIVILEGES ] }
     ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
     FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
-    [ RESTRICT ]
+    [ CASCADE | RESTRICT ]
 
-REVOKE { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
+REVOKE [ GRANT OPTION FOR ]
+    { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
     ON DATABASE <replaceable>dbname</replaceable> [, ...]
     FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
-    [ RESTRICT ]
+    [ CASCADE | RESTRICT ]
 
-REVOKE { EXECUTE | ALL [ PRIVILEGES ] }
+REVOKE [ GRANT OPTION FOR ]
+    { EXECUTE | ALL [ PRIVILEGES ] }
     ON FUNCTION <replaceable>funcname</replaceable> ([<replaceable>type</replaceable>, ...]) [, ...]
     FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
-    [ RESTRICT ]
+    [ CASCADE | RESTRICT ]
 
-REVOKE { USAGE | ALL [ PRIVILEGES ] }
+REVOKE [ GRANT OPTION FOR ]
+    { USAGE | ALL [ PRIVILEGES ] }
     ON LANGUAGE <replaceable>langname</replaceable> [, ...]
     FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
-    [ RESTRICT ]
+    [ CASCADE | RESTRICT ]
 
-REVOKE { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
+REVOKE [ GRANT OPTION FOR ]
+    { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
     ON SCHEMA <replaceable>schemaname</replaceable> [, ...]
     FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
-    [ RESTRICT ]
+    [ CASCADE | RESTRICT ]
 </synopsis>
  </refsynopsisdiv>
 
@@ -70,8 +75,22 @@ REVOKE { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
   </para>
 
   <para>
-   The <literal>RESTRICT</literal> key word is currently only noise.
-   See also the compatibility notes below.
+   If <literal>GRANT OPTION FOR</literal> is specified, only the grant
+   option for the privilege is revoked, not the privilege itself.
+  </para>
+
+  <para>
+   If a user holds a privilege with grant option and has granted it to
+   other users then the privileges held by those other users are
+   called dependent privileges. If the privilege or the grant option
+   held by the first user is being revoked and dependent privileges
+   exist, those dependent privileges are also revoked if
+   <literal>CASCADE</literal> is specified, else the revoke action
+   will fail.  This recursive revocation only affects privileges that
+   were granted through a chain of users that is traceable to the user
+   that is the subject of this <literal>REVOKE</literal> command.
+   Thus, the affected users may effectively keep the privilege if it
+   was also granted through other users.
   </para>
  </refsect1>
 
@@ -83,6 +102,16 @@ REVOKE { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
    display the privileges granted on existing objects.  See also <xref
    linkend="sql-grant" endterm="sql-grant-title"> for information about the format.
   </para>
+
+  <para>
+   A user can only revoke privileges that were granted directly by
+   that user.  If, for example, user A has granted a privilege with
+   grant option to user B, and user B has in turned granted it to user
+   C, then user A cannot revoke the privilege directly from C.
+   Instead, user A could revoke the grant option from user B and use
+   the <literal>CASCADE</literal> option so that the privilege is
+   automatically revoked from user C.
+  </para>
  </refsect1>
 
  <refsect1 id="SQL-REVOKE-examples">
@@ -122,16 +151,8 @@ REVOKE [ GRANT OPTION FOR ] { SELECT | INSERT | UPDATE | DELETE | REFERENCES }
     FROM { PUBLIC | <replaceable class="parameter">username</replaceable> [, ...] }
     { RESTRICT | CASCADE }
 </synopsis>
-   </para>
-
-   <para> 
-    If user1 gives a privilege WITH GRANT OPTION to user2,
-    and user2 gives it to user3 then user1 can revoke
-    this privilege in cascade using the CASCADE keyword.
-    If user1 gives a privilege WITH GRANT OPTION to user2,
-    and user2 gives it to user3, then if user1 tries to revoke
-    this privilege it fails if he specifies the RESTRICT
-    keyword.
+    One of <literal>RESTRICT</literal> or <literal>CASCADE</literal>
+    is required.
    </para>
   </refsect2>
  </refsect1>
diff --git a/doc/src/sgml/release.sgml b/doc/src/sgml/release.sgml
index 2911e1828f9..18d71f5866b 100644
--- a/doc/src/sgml/release.sgml
+++ b/doc/src/sgml/release.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.179 2003/01/20 18:54:44 tgl Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/release.sgml,v 1.180 2003/01/23 23:38:51 petere Exp $
 -->
 
 <appendix id="release">
@@ -38,6 +38,7 @@ ON COMMIT options for temp tables
 extra_float_digits option allows pg_dump to dump float data accurately
 Long options for psql and pg_dump are now available on all platforms
 Read-only transactions
+Object owners can allow grantees to grant the privilege to others (grant option)
 ]]></literallayout>
 
  </sect1>
-- 
cgit v1.2.3