From b0bcf8aab2da6710ff8842b86fed93571e143cc8 Mon Sep 17 00:00:00 2001
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Sun, 21 Apr 2002 00:26:44 +0000
Subject: Restructure AclItem representation so that we can have more than
 eight different privilege bits (might as well make use of the space we were
 wasting on padding).  EXECUTE and USAGE bits for procedures, languages now
 are separate privileges instead of being overlaid on SELECT.  Add privileges
 for namespaces and databases.  The GRANT and REVOKE commands work for these
 object types, but we don't actually enforce the privileges yet...

---
 doc/src/sgml/catalogs.sgml   | 11 +++++++--
 doc/src/sgml/ref/grant.sgml  | 54 +++++++++++++++++++++++++++++++++++++++-----
 doc/src/sgml/ref/revoke.sgml | 12 ++++++++--
 3 files changed, 67 insertions(+), 10 deletions(-)

(limited to 'doc/src')

diff --git a/doc/src/sgml/catalogs.sgml b/doc/src/sgml/catalogs.sgml
index 66fedbce36..980c215536 100644
--- a/doc/src/sgml/catalogs.sgml
+++ b/doc/src/sgml/catalogs.sgml
@@ -1,6 +1,6 @@
 <!--
  Documentation of the system catalogs, directed toward PostgreSQL developers
- $Header: /cvsroot/pgsql/doc/src/sgml/catalogs.sgml,v 2.42 2002/04/16 23:08:09 tgl Exp $
+ $Header: /cvsroot/pgsql/doc/src/sgml/catalogs.sgml,v 2.43 2002/04/21 00:26:42 tgl Exp $
  -->
 
 <chapter id="catalogs">
@@ -825,7 +825,7 @@
       <entry>
        If true then this database can be used in the
        <quote>TEMPLATE</quote> clause of <command>CREATE
-       DATABASE</command> to create the new database as a clone of
+       DATABASE</command> to create a new database as a clone of
        this one.
       </entry>
      </row>
@@ -890,6 +890,13 @@
       <entry></entry>
       <entry>Session defaults for run-time configuration variables</entry>
      </row>
+
+     <row>
+      <entry>datacl</entry>
+      <entry><type>aclitem[]</type></entry>
+      <entry></entry>
+      <entry>Access permissions</entry>
+     </row>
     </tbody>
    </tgroup>
   </table>
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index 720c553957..70e9d581c8 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.21 2002/02/21 22:39:36 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/grant.sgml,v 1.22 2002/04/21 00:26:42 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -18,7 +18,11 @@ PostgreSQL documentation
 <synopsis>
 GRANT { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
     [,...] | ALL [ PRIVILEGES ] }
-    ON [ TABLE ] <replaceable class="PARAMETER">objectname</replaceable> [, ...]
+    ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+GRANT { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
+    ON DATABASE <replaceable>dbname</replaceable> [, ...]
     TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
 
 GRANT { EXECUTE | ALL [ PRIVILEGES ] }
@@ -28,6 +32,10 @@ GRANT { EXECUTE | ALL [ PRIVILEGES ] }
 GRANT { USAGE | ALL [ PRIVILEGES ] }
     ON LANGUAGE <replaceable>langname</replaceable> [, ...]
     TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+GRANT { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
+    ON SCHEMA <replaceable>schemaname</replaceable> [, ...]
+    TO { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
 </synopsis>
  </refsynopsisdiv>
 
@@ -36,7 +44,8 @@ GRANT { USAGE | ALL [ PRIVILEGES ] }
 
   <para>
    The <command>GRANT</command> command gives specific permissions on
-   an object (table, view, sequence, function, procedural language) to
+   an object (table, view, sequence, database, function, procedural language,
+   or schema) to
    one or more users or groups of users.  These permissions are added
    to those already granted, if any.
   </para>
@@ -144,6 +153,29 @@ GRANT { USAGE | ALL [ PRIVILEGES ] }
      </listitem>
     </varlistentry>
 
+    <varlistentry>
+     <term>CREATE</term>
+     <listitem>
+      <para>
+       For databases, allows new schemas to be created in the database.
+      </para>
+      <para>
+       For schemas, allows new objects to be created within the specified
+       schema.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term>TEMPORARY</term>
+     <term>TEMP</term>
+     <listitem>
+      <para>
+       Allows temporary tables to be created while using the database.
+      </para>
+     </listitem>
+    </varlistentry>
+
     <varlistentry>
      <term>EXECUTE</term>
      <listitem>
@@ -159,10 +191,16 @@ GRANT { USAGE | ALL [ PRIVILEGES ] }
      <term>USAGE</term>
      <listitem>
       <para>
-       Allows the use of the specified procedural language for the
-       creation of functions in that language.  This is the only type
+       For procedural languages, allows the use of the specified language for
+       the creation of functions in that language.  This is the only type
        of privilege that is applicable to procedural languages.
       </para>
+      <para>
+       For schemas, allows the use of objects contained in the specified 
+       schema (assuming that the objects' own privilege requirements are
+       met).  Essentially this allows the grantee to <quote>look up</>
+       objects within the schema.
+      </para>
      </listitem>
     </varlistentry>
 
@@ -226,7 +264,11 @@ GRANT { USAGE | ALL [ PRIVILEGES ] }
                   R -- RULE
                   x -- REFERENCES
                   t -- TRIGGER
-            arwdRxt -- ALL PRIVILEGES
+                  X -- EXECUTE
+                  U -- USAGE
+                  C -- CREATE
+                  T -- TEMPORARY
+            arwdRxt -- ALL PRIVILEGES (for tables)
 </programlisting>
    </para>
 
diff --git a/doc/src/sgml/ref/revoke.sgml b/doc/src/sgml/ref/revoke.sgml
index 60c31a37c8..3bc30cfd49 100644
--- a/doc/src/sgml/ref/revoke.sgml
+++ b/doc/src/sgml/ref/revoke.sgml
@@ -1,5 +1,5 @@
 <!--
-$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.21 2002/02/21 22:39:36 momjian Exp $
+$Header: /cvsroot/pgsql/doc/src/sgml/ref/revoke.sgml,v 1.22 2002/04/21 00:26:42 tgl Exp $
 PostgreSQL documentation
 -->
 
@@ -18,7 +18,11 @@ PostgreSQL documentation
 <synopsis>
 REVOKE { { SELECT | INSERT | UPDATE | DELETE | RULE | REFERENCES | TRIGGER }
     [,...] | ALL [ PRIVILEGES ] }
-    ON [ TABLE ] <replaceable class="PARAMETER">object</replaceable> [, ...]
+    ON [ TABLE ] <replaceable class="PARAMETER">tablename</replaceable> [, ...]
+    FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+REVOKE { { CREATE | TEMPORARY | TEMP } [,...] | ALL [ PRIVILEGES ] }
+    ON DATABASE <replaceable>dbname</replaceable> [, ...]
     FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
 
 REVOKE { EXECUTE | ALL [ PRIVILEGES ] }
@@ -28,6 +32,10 @@ REVOKE { EXECUTE | ALL [ PRIVILEGES ] }
 REVOKE { USAGE | ALL [ PRIVILEGES ] }
     ON LANGUAGE <replaceable>langname</replaceable> [, ...]
     FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
+
+REVOKE { { CREATE | USAGE } [,...] | ALL [ PRIVILEGES ] }
+    ON SCHEMA <replaceable>schemaname</replaceable> [, ...]
+    FROM { <replaceable class="PARAMETER">username</replaceable> | GROUP <replaceable class="PARAMETER">groupname</replaceable> | PUBLIC } [, ...]
 </synopsis>
  </refsynopsisdiv>
 
-- 
cgit v1.2.1