Usage

Terminology

Access Control List (ACL)

pg_grant uses Access Control List, or ACL, to refer to a list of privileges in string form.

acl = ["alice=arw/alice", "bob=ar*/alice"]

ACL item

A single item in an Access Control List

acl_item = "alice=arw/alice"

Parsing

Single ACL items can be parsed using parse_acl_item():

>>> from pg_grant import parse_acl_item
>>> parse_acl_item("bob=arw*/alice")
Privileges(grantee='bob', grantor='alice', privs=['SELECT', 'INSERT'], privswgo=['UPDATE'])

Access Control Lists can be parsed using parse_acl():

>>> from pg_grant import parse_acl
>>> parse_acl(["alice=a/alice", "bob=a/alice"])
[Privileges(grantee='alice', grantor='alice', privs=['INSERT'], privswgo=[]),
 Privileges(grantee='bob', grantor='alice', privs=['INSERT'], privswgo=[])]

Querying

The pg_grant.query submodule has functions for loading ACLs for many types of database object. These functions use an SQLALchemy connection:

>>> from pg_grant import query as q
>>> q.get_all_table_acls(conn, schema="public")
[SchemaRelationInfo(oid=138067, name='table2', owner='alice', acl=['bob=arw/alice'], schema='public')
 ...]
>>> q.get_table_acl(conn, "table2")
SchemaRelationInfo(oid=138067, name='table2', owner='alice', acl=['bob=arw/alice'], schema='public')

All of the functions return an object or list of objects with acl attributes that can be parsed with parse_acl().

When an acl is None, it means that default privileges apply to the object:

>>> from pg_grant import PgObjectType, get_default_privileges
>>> from pg_grant import query as q
>>> q.get_table_acl(conn, "table2")
SchemaRelationInfo(oid=138067, name='table2', owner='alice', acl=None, schema='public')
>>> get_default_privileges(PgObjectType.TABLE, owner="alice")
[Privileges(grantee='alice', grantor='alice', privs=['ALL'], privswgo=[])]