public inbox for pgsql-sql@postgresql.org  
From: David G. Johnston <david.g.johnston@gmail.com>
To: Ing. Marijo Kristo <marijo.kristo@icloud.com>
Cc: pgsql-sql@lists.postgresql.org
Subject: Re: Revoke Connect Privilege from Database not working
Date: Tue, 1 Apr 2025 07:15:13 -0700
Message-ID: <CAKFQuwZyJbnSBC2fW9bL-ftd6JR7jfwSdV83dsbE7vpWm4vqNQ@mail.gmail.com> (raw)
In-Reply-To: <6C13A1CC-3841-4A5E-BC78-C8F9C5B120BB@icloud.com>
References: <18873-c148b32c0e501cc0@postgresql.org>
	<6C13A1CC-3841-4A5E-BC78-C8F9C5B120BB@icloud.com>

On Tue, Apr 1, 2025 at 4:59 AM Ing. Marijo Kristo <marijo.kristo@icloud.com>
wrote:

>
> >
> "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"=c/vault_admin
>
> > Same happens when trying to revoke with the vault admin user:
> >
> > disp_db=# select current_user;
> > current_user
> > --------------
> > vault_admin
> > (1 row)
> >
> > disp_db=# revoke connect on database "disp_db" from
> > "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> > REVOKE
> > disp_db=# drop user
> > "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
> > ERROR:  role "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"
> > cannot be dropped because some objects depend on it
> > DETAIL:  privileges for database disp_db
>
>
If you include the "granted by" clause when you perform revoke everything
usually just works.

"If a superuser chooses to issue a GRANT or REVOKE command, the command is
performed as though it were issued by the owner of the affected object." [1]

The fact vault_admin is superuser overrides the fact that it is their
specific grant that is trying to be revoked.

David J.

[1] https://www.postgresql.org/docs/current/sql-revoke.html
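
Added example, not part of the message above: a psql sequence for checking which grantor is recorded on the database privilege, issuing the revoke with the "granted by" clause the reply suggests, and confirming nothing still blocks the drop. The database and role names come from the quoted session; it assumes you run it as vault_admin and that the server's REVOKE accepts GRANTED BY for database privileges, as documented at [1].

```sql
-- Added example; names are taken from the quoted session.

-- 1. List every ACL entry on the database with its recorded grantor.
--    acldefault() supplies the built-in default when datacl is NULL.
SELECT d.datname,
       a.grantor::regrole AS grantor,
       a.grantee::regrole AS grantee,      -- "-" means PUBLIC
       a.privilege_type,
       a.is_grantable
FROM pg_database AS d
CROSS JOIN LATERAL
     aclexplode(coalesce(d.datacl, acldefault('d', d.datdba))) AS a
WHERE d.datname = 'disp_db'
ORDER BY grantee, grantor;

-- 2. Revoke the entry, naming the grantor shown in step 1
--    (vault_admin in the quoted ACL string "...=c/vault_admin").
REVOKE CONNECT ON DATABASE "disp_db"
  FROM "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"
  GRANTED BY vault_admin;

-- 3. Show what still depends on the role cluster-wide.
--    deptype 'a' = ACL entry, 'o' = ownership. No rows means the
--    role has no remaining shared dependencies.
SELECT s.classid::regclass AS catalog,
       s.objid,
       s.deptype
FROM pg_shdepend AS s
WHERE s.refclassid = 'pg_authid'::regclass
  AND s.refobjid =
      '"dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00"'::regrole;

-- 4. Drop the role once step 3 returns no rows.
DROP ROLE "dev_oidc-m-kristo-rewe-group-at-2025_02_28T09_06_30+00:00";
```

If step 3 still lists a row with deptype 'a' after the revoke, step 1 shows which grantor's entry remains on the database.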

