How does GRANT privileges function when recursive privileges?What are reasonable privileges to grant typical...

Why do most space probes survive for far longer than they were designed for?

What happens if you declare more than $10,000 at the US border?

Someone wants me to use my credit card at a card-only gas/petrol pump in return for cash

Does anyone recognize this inequality?

Blender, bezier curve looks

Does limiting the number of sources help simplify the game for a new DM with new and experienced players?

Why don't the fuse connections in programmable ROM cause the whole matrix to be shorted together?

Father gets chickenpox, but doesn't infect his two children. How is this possible?

I have a single ethernet switch. Should I use spanning tree?

Drawing a function without knowing its definition

How can I learn to care less because it makes me sick?

How to know if I am a 'Real Developer'

Does a star need to be inside a galaxy?

How to explain one side of Super Earth is smoother than the other side?

Coworker is trying to get me to sign his petition to run for office. How to decline politely?

How aware are characters of their class in-universe?

Why do climate experts from the UN/IPCC never mention Grand Solar Minimum?

How to make clear what a part-humanoid character looks like when they're quite common in their world?

Is this an email from Apple or fraud?

Karatsuba multiplication

Was Rowling inspired by the railway station scene in Prince Caspian?

What does paperwork mean in this sentence?

What happens when the last remaining players refuse to kill each other?

Branching points detection in processed image



How does GRANT privileges function when recursive privileges?


What are reasonable privileges to grant typical users?Only “grant usage”, but can still select, drop, create?How do I give root@localhost permission to grant privileges in MySQL?Minimal grants for readonly single-table access on PostgreSQLConfused by GRANT ALL PRIVILEGES ON *.* (…) WITH GRANT OPTIONWhen are privileges listed in l and when not?Default privileges to execute functionCreate a user with privileges to create usersHow to restore the privileges of the user postgres in PostgreSQL?What are the minimal permissions required for the “Users and Privileges” tab in MySQL Workbench to function in MySQL 5.6













0















I'm trying to understand how does granting privileges work on SQL.



According to what I understand, one user has privilege as long as said user has been granted privilege by someone or owns the database. And the second condition I though was true, is that a user may have a certain privilege only if someone the privilege chain connects to the owner/admin of the table.



Now, I'm using PostgreSQL to test how this works in an actual DBMS.



For example, let's say we have a table t1 and the users u1, u2 and u3. Also let's assume u1 is the owner.




  • Now, u1 grants SELECT ON t1 TO u2 WITH GRANT OPTION

  • Then, u2 grants SELECT ON t1 TO u3 WITH GRANT OPTION

  • At last, u3 grants SELECT ON t1 TO u2 WITH GRANT OPTION


This should leave a sort of recursion of grants between u2 and u3. This means I can safely REVOKE the link between u1 and u2. According to SQL the privileges from u2 and u3 should be removed because they have no connection to the owner/admin of the table, but instead PostgreSQL allows this to happens and you can actually still issue SELECT on t1 even after the privilege was revoked.



So the question is, is this the expected behaviour on PostgreSQL/any RDBMS, or am I understanding wrong how SQL privileges should work. If someone could clarify this a bit for me, I would be thankful.



I was using these slides to understand. The last slide is the case I'm talking about.






postgresql permissions







share|improve this question









New contributor




Marcos Jota is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • The manual states: "For example, if table t1 is owned by role g1, of which role u1 is a member, then u1 can grant privileges on t1 to u2, but those privileges will appear to have been granted directly by g1"

    – a_horse_with_no_name
    2 hours ago











  • @a_horse_with_no_name Sure, but that happens when a certain role is member of another role. In this particular case each role has permits and if you grant them and check z t1 you will see that u2 granted r* to u3 and u3 granted r* to u2. PD: Thanks for the edit :)

    – Marcos Jota
    2 hours ago













  • What Postgres version? Tried to reproduce this on 11, and when trying to close the grant loop, I get ERROR: grant options cannot be granted back to your own grantor. If it works on older versions, I guess this means they recognised it as a bug and fixed it.

    – Nick Barnes
    5 mins ago


















0















I'm trying to understand how does granting privileges work on SQL.



According to what I understand, one user has privilege as long as said user has been granted privilege by someone or owns the database. And the second condition I though was true, is that a user may have a certain privilege only if someone the privilege chain connects to the owner/admin of the table.



Now, I'm using PostgreSQL to test how this works in an actual DBMS.



For example, let's say we have a table t1 and the users u1, u2 and u3. Also let's assume u1 is the owner.




  • Now, u1 grants SELECT ON t1 TO u2 WITH GRANT OPTION

  • Then, u2 grants SELECT ON t1 TO u3 WITH GRANT OPTION

  • At last, u3 grants SELECT ON t1 TO u2 WITH GRANT OPTION


This should leave a sort of recursion of grants between u2 and u3. This means I can safely REVOKE the link between u1 and u2. According to SQL the privileges from u2 and u3 should be removed because they have no connection to the owner/admin of the table, but instead PostgreSQL allows this to happens and you can actually still issue SELECT on t1 even after the privilege was revoked.



So the question is, is this the expected behaviour on PostgreSQL/any RDBMS, or am I understanding wrong how SQL privileges should work. If someone could clarify this a bit for me, I would be thankful.



I was using these slides to understand. The last slide is the case I'm talking about.






postgresql permissions







share|improve this question









New contributor




Marcos Jota is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





















  • The manual states: "For example, if table t1 is owned by role g1, of which role u1 is a member, then u1 can grant privileges on t1 to u2, but those privileges will appear to have been granted directly by g1"

    – a_horse_with_no_name
    2 hours ago











  • @a_horse_with_no_name Sure, but that happens when a certain role is member of another role. In this particular case each role has permits and if you grant them and check z t1 you will see that u2 granted r* to u3 and u3 granted r* to u2. PD: Thanks for the edit :)

    – Marcos Jota
    2 hours ago













  • What Postgres version? Tried to reproduce this on 11, and when trying to close the grant loop, I get ERROR: grant options cannot be granted back to your own grantor. If it works on older versions, I guess this means they recognised it as a bug and fixed it.

    – Nick Barnes
    5 mins ago
















0












0








0








I'm trying to understand how does granting privileges work on SQL.



According to what I understand, one user has privilege as long as said user has been granted privilege by someone or owns the database. And the second condition I though was true, is that a user may have a certain privilege only if someone the privilege chain connects to the owner/admin of the table.



Now, I'm using PostgreSQL to test how this works in an actual DBMS.



For example, let's say we have a table t1 and the users u1, u2 and u3. Also let's assume u1 is the owner.




  • Now, u1 grants SELECT ON t1 TO u2 WITH GRANT OPTION

  • Then, u2 grants SELECT ON t1 TO u3 WITH GRANT OPTION

  • At last, u3 grants SELECT ON t1 TO u2 WITH GRANT OPTION


This should leave a sort of recursion of grants between u2 and u3. This means I can safely REVOKE the link between u1 and u2. According to SQL the privileges from u2 and u3 should be removed because they have no connection to the owner/admin of the table, but instead PostgreSQL allows this to happens and you can actually still issue SELECT on t1 even after the privilege was revoked.



So the question is, is this the expected behaviour on PostgreSQL/any RDBMS, or am I understanding wrong how SQL privileges should work. If someone could clarify this a bit for me, I would be thankful.



I was using these slides to understand. The last slide is the case I'm talking about.






postgresql permissions







share|improve this question









New contributor




Marcos Jota is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I'm trying to understand how does granting privileges work on SQL.



According to what I understand, one user has privilege as long as said user has been granted privilege by someone or owns the database. And the second condition I though was true, is that a user may have a certain privilege only if someone the privilege chain connects to the owner/admin of the table.



Now, I'm using PostgreSQL to test how this works in an actual DBMS.



For example, let's say we have a table t1 and the users u1, u2 and u3. Also let's assume u1 is the owner.




  • Now, u1 grants SELECT ON t1 TO u2 WITH GRANT OPTION

  • Then, u2 grants SELECT ON t1 TO u3 WITH GRANT OPTION

  • At last, u3 grants SELECT ON t1 TO u2 WITH GRANT OPTION


This should leave a sort of recursion of grants between u2 and u3. This means I can safely REVOKE the link between u1 and u2. According to SQL the privileges from u2 and u3 should be removed because they have no connection to the owner/admin of the table, but instead PostgreSQL allows this to happens and you can actually still issue SELECT on t1 even after the privilege was revoked.



So the question is, is this the expected behaviour on PostgreSQL/any RDBMS, or am I understanding wrong how SQL privileges should work. If someone could clarify this a bit for me, I would be thankful.



I was using these slides to understand. The last slide is the case I'm talking about.






postgresql permissions




postgresql permissions






share|improve this question









New contributor




Marcos Jota is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Marcos Jota is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 2 hours ago









a_horse_with_no_name

39.9k776112




39.9k776112






New contributor




Marcos Jota is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 3 hours ago









Marcos JotaMarcos Jota

1




1




New contributor




Marcos Jota is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Marcos Jota is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Marcos Jota is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.













  • The manual states: "For example, if table t1 is owned by role g1, of which role u1 is a member, then u1 can grant privileges on t1 to u2, but those privileges will appear to have been granted directly by g1"

    – a_horse_with_no_name
    2 hours ago











  • @a_horse_with_no_name Sure, but that happens when a certain role is member of another role. In this particular case each role has permits and if you grant them and check z t1 you will see that u2 granted r* to u3 and u3 granted r* to u2. PD: Thanks for the edit :)

    – Marcos Jota
    2 hours ago













  • What Postgres version? Tried to reproduce this on 11, and when trying to close the grant loop, I get ERROR: grant options cannot be granted back to your own grantor. If it works on older versions, I guess this means they recognised it as a bug and fixed it.

    – Nick Barnes
    5 mins ago





















  • The manual states: "For example, if table t1 is owned by role g1, of which role u1 is a member, then u1 can grant privileges on t1 to u2, but those privileges will appear to have been granted directly by g1"

    – a_horse_with_no_name
    2 hours ago











  • @a_horse_with_no_name Sure, but that happens when a certain role is member of another role. In this particular case each role has permits and if you grant them and check z t1 you will see that u2 granted r* to u3 and u3 granted r* to u2. PD: Thanks for the edit :)

    – Marcos Jota
    2 hours ago













  • What Postgres version? Tried to reproduce this on 11, and when trying to close the grant loop, I get ERROR: grant options cannot be granted back to your own grantor. If it works on older versions, I guess this means they recognised it as a bug and fixed it.

    – Nick Barnes
    5 mins ago



















The manual states: "For example, if table t1 is owned by role g1, of which role u1 is a member, then u1 can grant privileges on t1 to u2, but those privileges will appear to have been granted directly by g1"

– a_horse_with_no_name
2 hours ago





The manual states: "For example, if table t1 is owned by role g1, of which role u1 is a member, then u1 can grant privileges on t1 to u2, but those privileges will appear to have been granted directly by g1"

– a_horse_with_no_name
2 hours ago













@a_horse_with_no_name Sure, but that happens when a certain role is member of another role. In this particular case each role has permits and if you grant them and check z t1 you will see that u2 granted r* to u3 and u3 granted r* to u2. PD: Thanks for the edit :)

– Marcos Jota
2 hours ago







@a_horse_with_no_name Sure, but that happens when a certain role is member of another role. In this particular case each role has permits and if you grant them and check z t1 you will see that u2 granted r* to u3 and u3 granted r* to u2. PD: Thanks for the edit :)

– Marcos Jota
2 hours ago















What Postgres version? Tried to reproduce this on 11, and when trying to close the grant loop, I get ERROR: grant options cannot be granted back to your own grantor. If it works on older versions, I guess this means they recognised it as a bug and fixed it.

– Nick Barnes
5 mins ago







What Postgres version? Tried to reproduce this on 11, and when trying to close the grant loop, I get ERROR: grant options cannot be granted back to your own grantor. If it works on older versions, I guess this means they recognised it as a bug and fixed it.

– Nick Barnes
5 mins ago












0






active

oldest

votes











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "182"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






Marcos Jota is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f230108%2fhow-does-grant-privileges-function-when-recursive-privileges%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes








Marcos Jota is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















Marcos Jota is a new contributor. Be nice, and check out our Code of Conduct.













Marcos Jota is a new contributor. Be nice, and check out our Code of Conduct.












Marcos Jota is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Database Administrators Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fdba.stackexchange.com%2fquestions%2f230108%2fhow-does-grant-privileges-function-when-recursive-privileges%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Parapolítica Índice Antecedentes El escándalo Proceso judicial Consecuencias Véase...

Image
Escándalo de la parapolíticaAbusos a los derechos humanos Colombia2006políticosparamilitaresproceso de desmovilizaciónAutodefensas Unidas de Colombiaextrema derechaautodefensasnarcotráficoCongreso de la Repúblicamasacresasesinatosdesplazamiento forzadoFiscalía General de la NaciónCorte Suprema de JusticiaÁlvaro Uribe VélezCongreso de los Estados UnidosDerechos Humanosconspiraciónextrema derechanarcotráficoCongresoFuerzas Armadas2002Representante a la CámaraGustavo PetroFiscalía GeneralLuis Camilo Osorio2005elecciones parlamentarias de 2006paramilitarismomayo de 2005Sucrejunio del mismo añoClara López ObregónPolo Democrático AlternativoSalvatore MancusodiciembreCésar GaviriaPartido Liberalenero de 2006Departamento Administrativo de SeguridadJorge Noguera CotesRafael GarcíaRevista SemanaMilánconcierto para delinquir22 de febrerojulio de 2006Corte ConstitucionalLey de Justicia y PazSalvatore Mancusocomputador portátilRodrigo Tovar PupoCosta AtlánticamasacresEdgardo Maya Villazónproceso ...
Read more

How to remove border from elements in the last row?Targeting flex items on the last rowHow to vertically wrap...

Image
Does the Idaho Potato Commission associate potato skins with healthy eating? Finitely generated matrix groups whose eigenvalues are all algebraic How dangerous is XSS How could indestructible materials be used in power generation? Getting extremely large arrows with tikzcd How to aggregate categorical data in R? What is this scratchy sound on the acoustic guitar called? How obscure is the use of 令 in 令和? What exactly is ineptocracy? How to travel to Japan while expressing milk? Can someone clarify Hamming's notion of important problems in relation to modern academia? ...
Read more

Tecnologías entrañables Índice Antecedentes Desarrollo Tecnologías Entrañables en la...

Tecnología en la sociedad desarrollo tecnológicoalienación tecnológicaMiguel Ángel QuintanillaMarxEllulOrtega y GassetMiguel Angel QuintanillaMartín ParselisDiego LawlerDarío SandroneJosé Antonio López Cerezo Las tecnologías entrañables son un conjunto de criterios para el desarrollo tecnológico orientados a evitar la alienación tecnológica. Estos criterios pueden ser aplicados en las instancias de diseño tecnológico, y también pueden ser utilizados en la evaluación de proyectos tecnológicos. Índice 1 Antecedentes 2 Desarrollo 3 Tecnologías Entrañables en la actualidad 4 Referencias Antecedentes La idea original de las Tecnologías Entrañables fue propuesta por Miguel Ángel Quintanilla, identificando el problema como sigue: Ya hemos aludido a la paradoja que supone el hecho de que, en general, cuanto más fácil de usar es una tecnología, más incomprensible resulta para el usuario: las tecnologías transparentes exigen ciudadanos ciegos. Hay que recon...
Read more