author | Jeff Davis <jdavis@postgresql.org> | 2023-01-13 14:14:54 -0800 |
---|---|---|
committer | Jeff Davis <jdavis@postgresql.org> | 2023-01-13 14:33:19 -0800 |
commit | c44f6334ca6ff6d242d9eb6742441bc4e1294067 (patch) | |
tree | 96737157311289cfc4ffbebe74ada84016423a76 /doc/src | |
parent | b7ae03953690a1dee455ba3823cc8f71a72cbe1d (diff) | |
Simplify permissions for LOCK TABLE.
The prior behavior was confusing and hard to document. For instance,
if you had UPDATE privileges, you could lock a table in any lock mode
except ACCESS SHARE mode.
Now, if granted a privilege to lock at a given mode, one also has
privileges to lock at a less-conflicting mode. MAINTAIN, UPDATE,
DELETE, and TRUNCATE privileges allow any lock mode. INSERT privileges
allow ROW EXCLUSIVE (or below). SELECT privileges allow ACCESS SHARE.
Reviewed-by: Nathan Bossart
Discussion: https://postgr.es/m/9550c76535404a83156252b25a11babb4792ea1e.camel%40j-davis.com
Diffstat (limited to 'doc/src')
-rw-r--r-- | doc/src/sgml/ref/lock.sgml | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/doc/src/sgml/ref/lock.sgml b/doc/src/sgml/ref/lock.sgml index d9c5bf9a1d4..8524182211d 100644 --- a/doc/src/sgml/ref/lock.sgml +++ b/doc/src/sgml/ref/lock.sgml @@ -165,18 +165,19 @@ LOCK [ TABLE ] [ ONLY ] <replaceable class="parameter">name</replaceable> [ * ] <title>Notes</title> <para> - To lock a table, one must ordinarily have the <literal>MAINTAIN</literal> - privilege on the table or be the table's owner, a superuser, or a role - with privileges of the - <link linkend="predefined-roles-table"><literal>pg_maintain</literal></link> - role. <literal>LOCK TABLE ... IN ACCESS SHARE MODE</literal> is allowed - with <literal>SELECT</literal> privileges on the target - table. <literal>LOCK TABLE ... IN ROW EXCLUSIVE MODE</literal> is allowed - with <literal>INSERT</literal>, <literal>UPDATE</literal>, <literal>DELETE</literal>, - or <literal>TRUNCATE</literal> privileges on the target table. All other - forms of <command>LOCK</command> are allowed with - table-level <literal>UPDATE</literal>, <literal>DELETE</literal>, - or <literal>TRUNCATE</literal> privileges. + To lock a table, the user must have the right privilege for the specified + <replaceable class="parameter">lockmode</replaceable>, or be the table's + owner, a superuser, or a role with privileges of the <link + linkend="predefined-roles-table"><literal>pg_maintain</literal></link> + role. If the user has <literal>MAINTAIN</literal>, + <literal>UPDATE</literal>, <literal>DELETE</literal>, or + <literal>TRUNCATE</literal> privileges on the table, any <replaceable + class="parameter">lockmode</replaceable> is permitted. If the user has + <literal>INSERT</literal> privileges on the table, <literal>ROW EXCLUSIVE + MODE</literal> (or a less-conflicting mode as described in <xref + linkend="explicit-locking"/>) is permitted. If a user has + <literal>SELECT</literal> privileges on the table, <literal>ACCESS SHARE + MODE</literal> is permitted. </para> <para> |
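Review bot: In the added INSERT sentence, "or a less-conflicting mode as described in <xref linkend="explicit-locking"/>" leaves the reader to derive the permitted modes from the conflict table; naming them in place (ROW SHARE and ACCESS SHARE) would let someone auditing grants read the rule directly. The last added sentence switches from "If the user has" to "If a user has" and should match the two sentences before it. The opening "the right privilege for the specified lockmode" is also vague, and something like "a privilege that permits the specified lockmode" would be more precise. Since the removed text tied ACCESS SHARE to SELECT only and ROW EXCLUSIVE to INSERT only at that mode, it may be worth a sentence noting that UPDATE, DELETE, TRUNCATE and INSERT now also permit the less-conflicting modes, so readers comparing versions see that the set of roles able to take those locks has grown.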