Add sentence about SECURITY LABEL object ownership
Hi,
I noticed that we don't document that you need to own the object being
modified by SECURITY LABEL.
Page: https://www.postgresql.org/docs/current/sql-security-label.html
I've attached a patch that would have answered that question (for me)
without diving into the code.
Thanks,
Patrick
Attachments:
0001-Document-ownership-requirement-for-SECURITY-LABEL-v1.patchtext/x-patch; charset=UTF-8; name=0001-Document-ownership-requirement-for-SECURITY-LABEL-v1.patchDownload+4-1
On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
Hi,
I noticed that we don't document that you need to own the object being
modified by SECURITY LABEL.Page: https://www.postgresql.org/docs/current/sql-security-label.html
I've attached a patch that would have answered that question (for me)
without diving into the code.
--- a/doc/src/sgml/ref/security_label.sgml +++ b/doc/src/sgml/ref/security_label.sgml @@ -84,6 +84,10 @@ SECURITY LABEL [ FOR <replaceable class="parameter">provider</replaceable> ] ON based on object labels, rather than traditional discretionary access control (DAC) concepts such as users and groups. </para> + + <para> + You must own the database object to use the <command>SECURITY LABEL</command>. + </para> </refsect1><refsect1>
Wouldn't it be more accurate to say that you have to be a member of the owning role?
But perhaps that would be complicated enough to confuse many users.
In general, +1 for documenting that.
Yours,
Laurenz Albe
On 6/5/25 4:21 PM, Laurenz Albe wrote:
+ + <para> + You must own the database object to use the <command>SECURITY LABEL</command>. + </para> </refsect1><refsect1>
Wouldn't it be more accurate to say that you have to be a member of the owning role?
But perhaps that would be complicated enough to confuse many users.
We're calling check_object_ownership which errors out with:
aclcheck_error(ACLCHECK_NOT_OWNER, [...])
which in turn then aborts with "must be owner of [...]". But checking
the code, we do call has_privs_of_role, so you're absolutely right.
In doc/src/sgml/ref/alter_*.sgml we use the phrase "You must own the
[...]" to describe the privileges needed. Let me know if you want me to
change the wording.
While double checking I noticed that other docs don't have the extra
"the " before "<command>[...] " so I dropped that in my v2 patch.
Thanks for reviewing!
Patrick
Attachments:
0001-Document-ownership-requirement-for-SECURITY-LABEL-v2.patchtext/x-patch; charset=UTF-8; name=0001-Document-ownership-requirement-for-SECURITY-LABEL-v2.patchDownload+4-1
Laurenz Albe <laurenz.albe@cybertec.at> writes:
On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
I noticed that we don't document that you need to own the object being
modified by SECURITY LABEL.
Yeah, clearly a documentation oversight.
Wouldn't it be more accurate to say that you have to be a member of the owning role?
But perhaps that would be complicated enough to confuse many users.
In general, +1 for documenting that.
Our standard boilerplate for this is, eg,
You must own the table to use <command>ALTER TABLE</command>.
I don't see a reason to do it differently here.
regards, tom lane
On Thu, 2025-06-05 at 11:19 -0400, Tom Lane wrote:
Laurenz Albe <laurenz.albe@cybertec.at> writes:
On Thu, 2025-06-05 at 15:29 +0200, Patrick Stählin wrote:
I noticed that we don't document that you need to own the object being
modified by SECURITY LABEL.Yeah, clearly a documentation oversight.
Wouldn't it be more accurate to say that you have to be a member of the owning role?
But perhaps that would be complicated enough to confuse many users.
In general, +1 for documenting that.Our standard boilerplate for this is, eg,
You must own the table to use <command>ALTER TABLE</command>.
I don't see a reason to do it differently here.
Objection withdrawn.
Yours,
Laurenz Albe