In Oxla, ownership refers to the relationship where objects such as database, tables and schemas are owned by a specific role. Here are a few principles to keep in mind when thinking about ownership in Oxla:
DROP
an objectSELECT
, INSERT
, UPDATE
, DELETE
USAGE
, CREATE
In the following sections, you’ll learn how to check and change ownership but also find out more about what are the differences between ownership and role privileges.
To check ownerships in Oxla, a superuser can execute the following query:
Here’s the breakdown of the above output:
id
: role iddatabase
: database nameschema
: schema name (empty if object_type
is DATABASE)object_name
: object name (empty if object_type
is SCHEMA or DATABASE)object_type
: type of the objectTo change ownership, one needs to run the code below:
where:
OBJECT_NAME
: name of the object, whose ownership they want to changeROLE_NAME
: name of the role that will become the new owner of the specified objectIn Oxla, unlike PostgreSQL, object ownership and grants are independent entities. As mentioned above, for the purpose of grants validation, owner has all privileges available for a given resource. These privileges however, are not visible in oxla_internal.oxla_role_ns_grants
/ oxla_internal.oxla_role_table_grants
and cannot be revoked.
GRANT
/ REVOKE
operations can still be performed on object owner - they will result in creating / removing entries in oxla_internal.oxla_role_..._grants
tables, which are independent of data stored in oxla_internal.oxla_object_owner
. These grants do not matter anything as long as the user is the owner of a given resource, but they will take effect when the owner is changed.
Here are a few examples that demonstrate the behaviours described above, assuming there is a table1
and user1
role with USAGE
grant in public schema:
After the following operations user1
will no longer be the owner of table1
, but will have SELECT
grant on that table.
After the following operations user1
will still be able to SELECT
from table1
because of ownership, however REVOKE
does not change anything.
After the following operations user1
will not have access to table1
, however the owner has been changed and grant has been revoked.
In Oxla, ownership refers to the relationship where objects such as database, tables and schemas are owned by a specific role. Here are a few principles to keep in mind when thinking about ownership in Oxla:
DROP
an objectSELECT
, INSERT
, UPDATE
, DELETE
USAGE
, CREATE
In the following sections, you’ll learn how to check and change ownership but also find out more about what are the differences between ownership and role privileges.
To check ownerships in Oxla, a superuser can execute the following query:
Here’s the breakdown of the above output:
id
: role iddatabase
: database nameschema
: schema name (empty if object_type
is DATABASE)object_name
: object name (empty if object_type
is SCHEMA or DATABASE)object_type
: type of the objectTo change ownership, one needs to run the code below:
where:
OBJECT_NAME
: name of the object, whose ownership they want to changeROLE_NAME
: name of the role that will become the new owner of the specified objectIn Oxla, unlike PostgreSQL, object ownership and grants are independent entities. As mentioned above, for the purpose of grants validation, owner has all privileges available for a given resource. These privileges however, are not visible in oxla_internal.oxla_role_ns_grants
/ oxla_internal.oxla_role_table_grants
and cannot be revoked.
GRANT
/ REVOKE
operations can still be performed on object owner - they will result in creating / removing entries in oxla_internal.oxla_role_..._grants
tables, which are independent of data stored in oxla_internal.oxla_object_owner
. These grants do not matter anything as long as the user is the owner of a given resource, but they will take effect when the owner is changed.
Here are a few examples that demonstrate the behaviours described above, assuming there is a table1
and user1
role with USAGE
grant in public schema:
After the following operations user1
will no longer be the owner of table1
, but will have SELECT
grant on that table.
After the following operations user1
will still be able to SELECT
from table1
because of ownership, however REVOKE
does not change anything.
After the following operations user1
will not have access to table1
, however the owner has been changed and grant has been revoked.