20 files changed, 205 insertions, 152 deletions
diff --git a/src/backend/commands/aggregatecmds.c b/src/backend/commands/aggregatecmds.c
index 088a9bf6e5c..1d9b25b5b0a 100644
--- a/src/backend/commands/aggregatecmds.c
+++ b/src/backend/commands/aggregatecmds.c
@@ -9,7 +9,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/aggregatecmds.c,v 1.11 2003/07/20 21:56:32 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/aggregatecmds.c,v 1.12 2003/08/01 00:15:19 tgl Exp $
  *
  * DESCRIPTION
  *	  The "DefineFoo" routines take the parse tree and pick out the
@@ -64,7 +64,8 @@ DefineAggregate(List *names, List *parameters)
 	/* Check we have creation rights in target namespace */
 	aclresult = pg_namespace_aclcheck(aggNamespace, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(aggNamespace));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(aggNamespace));
 
 	foreach(pl, parameters)
 	{
@@ -191,7 +192,8 @@ RemoveAggregate(RemoveAggrStmt *stmt)
 	if (!pg_proc_ownercheck(procOid, GetUserId()) &&
 		!pg_namespace_ownercheck(((Form_pg_proc) GETSTRUCT(tup))->pronamespace,
 								 GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, NameListToString(aggName));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+					   NameListToString(aggName));
 
 	/* find_aggregate_func already checked it is an aggregate */
 
@@ -269,12 +271,14 @@ RenameAggregate(List *name, TypeName *basetype, const char *newname)
 
 	/* must be owner */
 	if (!pg_proc_ownercheck(procOid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, NameListToString(name));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+					   NameListToString(name));
 
 	/* must have CREATE privilege on namespace */
 	aclresult = pg_namespace_aclcheck(namespaceOid, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(namespaceOid));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(namespaceOid));
 
 	/* rename */
 	namestrcpy(&(((Form_pg_proc) GETSTRUCT(tup))->proname), newname);
diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
index 7c49e40d5cb..b377635099e 100644
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/alter.c,v 1.3 2003/07/22 19:00:07 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/alter.c,v 1.4 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -102,7 +102,7 @@ ExecRenameStmt(RenameStmt *stmt)
 													  GetUserId(),
 													  ACL_CREATE);
 					if (aclresult != ACLCHECK_OK)
-						aclcheck_error(aclresult,
+						aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
 									   get_namespace_name(namespaceId));
 
 					renamerel(relid, stmt->newname);
diff --git a/src/backend/commands/cluster.c b/src/backend/commands/cluster.c
index 17080fd0202..18f6bfcf6b5 100644
--- a/src/backend/commands/cluster.c
+++ b/src/backend/commands/cluster.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/cluster.c,v 1.111 2003/07/20 21:56:32 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/cluster.c,v 1.112 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -69,7 +69,6 @@ static void copy_heap_data(Oid OIDNewHeap, Oid OIDOldHeap, Oid OIDOldIndex);
 static List *get_indexattr_list(Relation OldHeap, Oid OldIndex);
 static void rebuild_indexes(Oid OIDOldHeap, List *indexes);
 static void swap_relfilenodes(Oid r1, Oid r2);
-static bool check_cluster_permitted(Oid relOid);
 static List *get_tables_to_cluster(MemoryContext cluster_context);
 
 
@@ -115,10 +114,9 @@ cluster(ClusterStmt *stmt)
 		tableOid = RelationGetRelid(rel);
 
 		/* Check permissions */
-		if (!check_cluster_permitted(tableOid))
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("permission denied")));
+		if (!pg_class_ownercheck(tableOid, GetUserId()))
+			aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+						   RelationGetRelationName(rel));
 
 		if (stmt->indexname == NULL)
 		{
@@ -279,7 +277,7 @@ cluster_rel(RelToCluster *rvtc, bool recheck)
 			return;
 
 		/* Check that the user still owns the relation */
-		if (!check_cluster_permitted(rvtc->tableOid))
+		if (!pg_class_ownercheck(rvtc->tableOid, GetUserId()))
 			return;
 
 		/*
@@ -851,17 +849,6 @@ swap_relfilenodes(Oid r1, Oid r2)
 }
 
 /*
- * Checks if the user is allowed to cluster (ie, owns) the relation.
- * Superusers are allowed to cluster any table.
- */
-static bool
-check_cluster_permitted(Oid relOid)
-{
-	/* Superusers bypass this check */
-	return pg_class_ownercheck(relOid, GetUserId());
-}
-
-/*
  * Get a list of tables that the current user owns and
  * have indisclustered set.  Return the list in a List * of rvsToCluster
  * with the tableOid and the indexOid on which the table is already
@@ -894,7 +881,8 @@ get_tables_to_cluster(MemoryContext cluster_context)
 	while ((indexTuple = heap_getnext(scan, ForwardScanDirection)) != NULL)
 	{
 		index = (Form_pg_index) GETSTRUCT(indexTuple);
-		if (!check_cluster_permitted(index->indrelid))
+
+		if (!pg_class_ownercheck(index->indrelid, GetUserId()))
 			continue;
 
 		/*
diff --git a/src/backend/commands/comment.c b/src/backend/commands/comment.c
index 62c09e3fce9..ecd50bdb367 100644
--- a/src/backend/commands/comment.c
+++ b/src/backend/commands/comment.c
@@ -7,7 +7,7 @@
  * Copyright (c) 1996-2001, PostgreSQL Global Development Group
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/comment.c,v 1.66 2003/07/20 21:56:32 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/comment.c,v 1.67 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -295,7 +295,8 @@ CommentRelation(int objtype, List *relname, char *comment)
 
 	/* Check object security */
 	if (!pg_class_ownercheck(RelationGetRelid(relation), GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(relation));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(relation));
 
 	/* Next, verify that the relation type matches the intent */
 
@@ -373,7 +374,8 @@ CommentAttribute(List *qualname, char *comment)
 	/* Check object security */
 
 	if (!pg_class_ownercheck(RelationGetRelid(relation), GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(relation));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(relation));
 
 	/* Now, fetch the attribute number from the system cache */
 
@@ -449,7 +451,8 @@ CommentDatabase(List *qualname, char *comment)
 
 	/* Check object security */
 	if (!pg_database_ownercheck(oid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, database);
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_DATABASE,
+					   database);
 
 	/* Create the comment with the pg_database oid */
 	CreateComments(oid, RelOid_pg_database, 0, comment);
@@ -487,7 +490,8 @@ CommentNamespace(List *qualname, char *comment)
 
 	/* Check object security */
 	if (!pg_namespace_ownercheck(oid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, namespace);
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_NAMESPACE,
+					   namespace);
 
 	/* pg_namespace doesn't have a hard-coded OID, so must look it up */
 	classoid = get_system_catalog_relid(NamespaceRelationName);
@@ -600,7 +604,8 @@ CommentRule(List *qualname, char *comment)
 	/* Check object security */
 	aclcheck = pg_class_aclcheck(reloid, GetUserId(), ACL_RULE);
 	if (aclcheck != ACLCHECK_OK)
-		aclcheck_error(aclcheck, rulename);
+		aclcheck_error(aclcheck, ACL_KIND_CLASS,
+					   get_rel_name(reloid));
 
 	/* pg_rewrite doesn't have a hard-coded OID, so must look it up */
 	classoid = get_system_catalog_relid(RewriteRelationName);
@@ -638,7 +643,8 @@ CommentType(List *typename, char *comment)
 	/* Check object security */
 
 	if (!pg_type_ownercheck(oid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, TypeNameToString(tname));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_TYPE,
+					   TypeNameToString(tname));
 
 	/* Call CreateComments() to create/drop the comments */
 
@@ -673,7 +679,8 @@ CommentAggregate(List *aggregate, List *arguments, char *comment)
 	/* Next, validate the user's attempt to comment */
 
 	if (!pg_proc_ownercheck(oid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, NameListToString(aggregate));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+					   NameListToString(aggregate));
 
 	/* Call CreateComments() to create/drop the comments */
 
@@ -701,7 +708,8 @@ CommentProc(List *function, List *arguments, char *comment)
 	/* Now, validate the user's ability to comment on this function */
 
 	if (!pg_proc_ownercheck(oid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, NameListToString(function));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+					   NameListToString(function));
 
 	/* Call CreateComments() to create/drop the comments */
 
@@ -731,7 +739,8 @@ CommentOperator(List *opername, List *arguments, char *comment)
 
 	/* Valid user's ability to comment on this operator */
 	if (!pg_oper_ownercheck(oid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, NameListToString(opername));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_OPER,
+					   NameListToString(opername));
 
 	/* pg_operator doesn't have a hard-coded OID, so must look it up */
 	classoid = get_system_catalog_relid(OperatorRelationName);
@@ -777,7 +786,8 @@ CommentTrigger(List *qualname, char *comment)
 	/* Check object security */
 
 	if (!pg_class_ownercheck(RelationGetRelid(relation), GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(relation));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(relation));
 
 	/*
 	 * Fetch the trigger tuple from pg_trigger.  There can be only one
@@ -854,7 +864,8 @@ CommentConstraint(List *qualname, char *comment)
 	/* Check object security */
 
 	if (!pg_class_ownercheck(RelationGetRelid(relation), GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(relation));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(relation));
 
 	/*
 	 * Fetch the constraint tuple from pg_constraint.  There may be more
diff --git a/src/backend/commands/conversioncmds.c b/src/backend/commands/conversioncmds.c
index a502e9b0a07..b917c527aca 100644
--- a/src/backend/commands/conversioncmds.c
+++ b/src/backend/commands/conversioncmds.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/conversioncmds.c,v 1.8 2003/07/20 21:56:32 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/conversioncmds.c,v 1.9 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -55,7 +55,8 @@ CreateConversionCommand(CreateConversionStmt *stmt)
 	/* Check we have creation rights in target namespace */
 	aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(namespaceId));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(namespaceId));
 
 	/* Check the encoding names */
 	from_encoding = pg_char_to_encoding(from_encoding_name);
@@ -82,7 +83,8 @@ CreateConversionCommand(CreateConversionStmt *stmt)
 	/* Check we have EXECUTE rights for the function */
 	aclresult = pg_proc_aclcheck(funcoid, GetUserId(), ACL_EXECUTE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, NameListToString(func_name));
+		aclcheck_error(aclresult, ACL_KIND_PROC,
+					   NameListToString(func_name));
 
 	/*
 	 * All seem ok, go ahead (possible failure would be a duplicate
@@ -150,13 +152,16 @@ RenameConversion(List *name, const char *newname)
 						newname, get_namespace_name(namespaceOid))));
 
 	/* must be owner */
-    if (!superuser() && ((Form_pg_conversion) GETSTRUCT(tup))->conowner != GetUserId())
-		aclcheck_error(ACLCHECK_NOT_OWNER, NameListToString(name));
+    if (!superuser() &&
+		((Form_pg_conversion) GETSTRUCT(tup))->conowner != GetUserId())
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CONVERSION,
+					   NameListToString(name));
 
 	/* must have CREATE privilege on namespace */
 	aclresult = pg_namespace_aclcheck(namespaceOid, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(namespaceOid));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(namespaceOid));
 
 	/* rename */
 	namestrcpy(&(((Form_pg_conversion) GETSTRUCT(tup))->conname), newname);
diff --git a/src/backend/commands/copy.c b/src/backend/commands/copy.c
index 976fdaa8616..fa91439a579 100644
--- a/src/backend/commands/copy.c
+++ b/src/backend/commands/copy.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/copy.c,v 1.204 2003/07/22 19:00:07 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/copy.c,v 1.205 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -730,7 +730,8 @@ DoCopy(const CopyStmt *stmt)
 	aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(),
 								  required_access);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, RelationGetRelationName(rel));
+		aclcheck_error(aclresult, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 	if (!pipe && !superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
diff --git a/src/backend/commands/dbcommands.c b/src/backend/commands/dbcommands.c
index 93701c2a59e..70678b26b08 100644
--- a/src/backend/commands/dbcommands.c
+++ b/src/backend/commands/dbcommands.c
@@ -9,7 +9,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/dbcommands.c,v 1.118 2003/07/28 00:09:14 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/dbcommands.c,v 1.119 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -180,7 +180,7 @@ createdb(const CreatedbStmt *stmt)
 		if (!superuser() && !have_createdb_privilege())
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("permission denied")));
+					 errmsg("permission denied to create database")));
 	}
 	else
 	{
@@ -189,7 +189,7 @@ createdb(const CreatedbStmt *stmt)
 		if (!superuser())
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("permission denied")));
+					 errmsg("must be superuser to create database for another user")));
 	}
 
 	/* don't call this in a transaction block */
@@ -239,7 +239,7 @@ createdb(const CreatedbStmt *stmt)
 		if (!superuser() && GetUserId() != src_owner)
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("permission to copy \"%s\" denied",
+					 errmsg("permission denied to copy database \"%s\"",
 							dbtemplate)));
 	}
 
@@ -481,9 +481,8 @@ dropdb(const char *dbname)
 				 errmsg("database \"%s\" does not exist", dbname)));
 
 	if (GetUserId() != db_owner && !superuser())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_DATABASE,
+					   dbname);
 
 	/*
 	 * Disallow dropping a DB that is marked istemplate.  This is just to
@@ -633,13 +632,14 @@ RenameDatabase(const char *oldname, const char *newname)
 
 	/* must be owner */
 	if (!pg_database_ownercheck(HeapTupleGetOid(tup), GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, oldname);
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_DATABASE,
+					   oldname);
 
 	/* must have createdb */
 	if (!have_createdb_privilege())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+				 errmsg("permission denied to rename database")));
 
 	/* rename */
 	newtup = heap_copytuple(tup);
@@ -690,9 +690,8 @@ AlterDatabaseSet(AlterDatabaseSetStmt *stmt)
 
 	if (!(superuser()
 		  || ((Form_pg_database) GETSTRUCT(tuple))->datdba == GetUserId()))
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_DATABASE,
+					  stmt->dbname);
 
 	MemSet(repl_repl, ' ', sizeof(repl_repl));
 	repl_repl[Anum_pg_database_datconfig - 1] = 'r';
diff --git a/src/backend/commands/functioncmds.c b/src/backend/commands/functioncmds.c
index 9f17eff84fa..7a6a3775d64 100644
--- a/src/backend/commands/functioncmds.c
+++ b/src/backend/commands/functioncmds.c
@@ -9,7 +9,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/functioncmds.c,v 1.30 2003/07/28 00:09:14 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/functioncmds.c,v 1.31 2003/08/01 00:15:19 tgl Exp $
  *
  * DESCRIPTION
  *	  These routines take the parse tree and pick out the
@@ -118,7 +118,8 @@ compute_return_type(TypeName *returnType, Oid languageOid,
 		aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(),
 										  ACL_CREATE);
 		if (aclresult != ACLCHECK_OK)
-			aclcheck_error(aclresult, get_namespace_name(namespaceId));
+			aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+						   get_namespace_name(namespaceId));
 		rettype = TypeShellMake(typname, namespaceId);
 		Assert(OidIsValid(rettype));
 	}
@@ -414,7 +415,8 @@ CreateFunction(CreateFunctionStmt *stmt)
 	/* Check we have creation rights in target namespace */
 	aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(namespaceId));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(namespaceId));
 
 	/* defaults attributes */
 	isStrict = false;
@@ -447,13 +449,15 @@ CreateFunction(CreateFunctionStmt *stmt)
 
 		aclresult = pg_language_aclcheck(languageOid, GetUserId(), ACL_USAGE);
 		if (aclresult != ACLCHECK_OK)
-			aclcheck_error(aclresult, NameStr(languageStruct->lanname));
+			aclcheck_error(aclresult, ACL_KIND_LANGUAGE,
+						   NameStr(languageStruct->lanname));
 	}
 	else
 	{
 		/* if untrusted language, must be superuser */
 		if (!superuser())
-			aclcheck_error(ACLCHECK_NO_PRIV, NameStr(languageStruct->lanname));
+			aclcheck_error(ACLCHECK_NO_PRIV, ACL_KIND_LANGUAGE,
+						   NameStr(languageStruct->lanname));
 	}
 
 	languageValidator = languageStruct->lanvalidator;
@@ -546,7 +550,8 @@ RemoveFunction(RemoveFuncStmt *stmt)
 	if (!pg_proc_ownercheck(funcOid, GetUserId()) &&
 		!pg_namespace_ownercheck(((Form_pg_proc) GETSTRUCT(tup))->pronamespace,
 								 GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, NameListToString(functionName));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+					   NameListToString(functionName));
 
 	if (((Form_pg_proc) GETSTRUCT(tup))->proisagg)
 		ereport(ERROR,
@@ -681,12 +686,14 @@ RenameFunction(List *name, List *argtypes, const char *newname)
 
 	/* must be owner */
 	if (!pg_proc_ownercheck(procOid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, NameListToString(name));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_PROC,
+					   NameListToString(name));
 
 	/* must have CREATE privilege on namespace */
 	aclresult = pg_namespace_aclcheck(namespaceOid, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(namespaceOid));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(namespaceOid));
 
 	/* rename */
 	namestrcpy(&(procForm->proname), newname);
diff --git a/src/backend/commands/indexcmds.c b/src/backend/commands/indexcmds.c
index 0f6a9e28f0d..4cd66fd1b5d 100644
--- a/src/backend/commands/indexcmds.c
+++ b/src/backend/commands/indexcmds.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/indexcmds.c,v 1.102 2003/07/20 21:56:32 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/indexcmds.c,v 1.103 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -135,7 +135,8 @@ DefineIndex(RangeVar *heapRelation,
 		aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(),
 										  ACL_CREATE);
 		if (aclresult != ACLCHECK_OK)
-			aclcheck_error(aclresult, get_namespace_name(namespaceId));
+			aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+						   get_namespace_name(namespaceId));
 	}
 
 	/*
@@ -621,13 +622,13 @@ ReindexIndex(RangeVar *indexRelation, bool force /* currently unused */ )
 		if (!allowSystemTableMods)
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("\"%s\" is a system index",
+					 errmsg("permission denied: \"%s\" is a system index",
 							indexRelation->relname),
 					 errhint("Do REINDEX in standalone postgres with -O -P options.")));
 		if (!IsIgnoringSystemIndexes())
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("\"%s\" is a system index",
+					 errmsg("permission denied: \"%s\" is a system index",
 							indexRelation->relname),
 					 errhint("Do REINDEX in standalone postgres with -P -O options.")));
 	}
@@ -710,9 +711,8 @@ ReindexDatabase(const char *dbname, bool force, bool all)
 				 errmsg("can only reindex the currently open database")));
 
 	if (!pg_database_ownercheck(MyDatabaseId, GetUserId()))
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_DATABASE,
+					   dbname);
 
 	if (!allowSystemTableMods)
 		ereport(ERROR,
diff --git a/src/backend/commands/lockcmds.c b/src/backend/commands/lockcmds.c
index a2dfb6d805b..13a9c3a52bd 100644
--- a/src/backend/commands/lockcmds.c
+++ b/src/backend/commands/lockcmds.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/lockcmds.c,v 1.5 2003/07/20 21:56:32 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/lockcmds.c,v 1.6 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -56,7 +56,8 @@ LockTableCommand(LockStmt *lockstmt)
 										  ACL_UPDATE | ACL_DELETE);
 
 		if (aclresult != ACLCHECK_OK)
-			aclcheck_error(aclresult, get_rel_name(reloid));
+			aclcheck_error(aclresult, ACL_KIND_CLASS,
+						   get_rel_name(reloid));
 
 		rel = relation_open(reloid, lockstmt->mode);
 
diff --git a/src/backend/commands/opclasscmds.c b/src/backend/commands/opclasscmds.c
index ca2d9298945..60b041466f1 100644
--- a/src/backend/commands/opclasscmds.c
+++ b/src/backend/commands/opclasscmds.c
@@ -9,7 +9,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/opclasscmds.c,v 1.14 2003/07/28 00:09:14 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/opclasscmds.c,v 1.15 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -78,7 +78,8 @@ DefineOpClass(CreateOpClassStmt *stmt)
 	/* Check we have creation rights in target namespace */
 	aclresult = pg_namespace_aclcheck(namespaceoid, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(namespaceoid));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(namespaceoid));
 
 	/* Get necessary info about access method */
 	tup = SearchSysCache(AMNAME,
@@ -117,7 +118,8 @@ DefineOpClass(CreateOpClassStmt *stmt)
 	/* XXX this is unnecessary given the superuser check above */
 	/* Check we have ownership of the datatype */
 	if (!pg_type_ownercheck(typeoid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, format_type_be(typeoid));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_TYPE,
+					   format_type_be(typeoid));
 #endif
 
 	/* Storage datatype is optional */
@@ -178,7 +180,8 @@ DefineOpClass(CreateOpClassStmt *stmt)
 				aclresult = pg_proc_aclcheck(funcOid, GetUserId(),
 											 ACL_EXECUTE);
 				if (aclresult != ACLCHECK_OK)
-					aclcheck_error(aclresult, get_func_name(funcOid));
+					aclcheck_error(aclresult, ACL_KIND_PROC,
+								   get_func_name(funcOid));
 				operators[item->number - 1] = operOid;
 				recheck[item->number - 1] = item->recheck;
 				break;
@@ -200,7 +203,8 @@ DefineOpClass(CreateOpClassStmt *stmt)
 				aclresult = pg_proc_aclcheck(funcOid, GetUserId(),
 											 ACL_EXECUTE);
 				if (aclresult != ACLCHECK_OK)
-					aclcheck_error(aclresult, get_func_name(funcOid));
+					aclcheck_error(aclresult, ACL_KIND_PROC,
+								   get_func_name(funcOid));
 				procedures[item->number - 1] = funcOid;
 				break;
 			case OPCLASS_ITEM_STORAGETYPE:
@@ -536,7 +540,7 @@ RemoveOpClass(RemoveOpClassStmt *stmt)
 	if (!pg_opclass_ownercheck(opcID, GetUserId()) &&
 		!pg_namespace_ownercheck(((Form_pg_opclass) GETSTRUCT(tuple))->opcnamespace,
 								 GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER,
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_OPCLASS,
 					   NameListToString(stmt->opclassname));
 
 	ReleaseSysCache(tuple);
@@ -699,12 +703,14 @@ RenameOpClass(List *name, const char *access_method, const char *newname)
 
 	/* must be owner */
 	if (!pg_opclass_ownercheck(opcOid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, NameListToString(name));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_OPCLASS,
+					   NameListToString(name));
 
 	/* must have CREATE privilege on namespace */
 	aclresult = pg_namespace_aclcheck(namespaceOid, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(namespaceOid));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(namespaceOid));
 
 	/* rename */
 	namestrcpy(&(((Form_pg_opclass) GETSTRUCT(tup))->opcname), newname);
diff --git a/src/backend/commands/operatorcmds.c b/src/backend/commands/operatorcmds.c
index bc4724f4738..6a4d479c121 100644
--- a/src/backend/commands/operatorcmds.c
+++ b/src/backend/commands/operatorcmds.c
@@ -9,7 +9,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/operatorcmds.c,v 1.9 2003/07/20 21:56:32 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/operatorcmds.c,v 1.10 2003/08/01 00:15:19 tgl Exp $
  *
  * DESCRIPTION
  *	  The "DefineFoo" routines take the parse tree and pick out the
@@ -87,7 +87,8 @@ DefineOperator(List *names, List *parameters)
 	/* Check we have creation rights in target namespace */
 	aclresult = pg_namespace_aclcheck(oprNamespace, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(oprNamespace));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(oprNamespace));
 
 	/*
 	 * loop over the definition list and extract the information we need.
@@ -224,7 +225,8 @@ RemoveOperator(RemoveOperStmt *stmt)
 	if (!pg_oper_ownercheck(operOid, GetUserId()) &&
 		!pg_namespace_ownercheck(((Form_pg_operator) GETSTRUCT(tup))->oprnamespace,
 								 GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, NameListToString(operatorName));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_OPER,
+					   NameListToString(operatorName));
 
 	ReleaseSysCache(tup);
 
diff --git a/src/backend/commands/proclang.c b/src/backend/commands/proclang.c
index ea7c5c65709..69000b29bc7 100644
--- a/src/backend/commands/proclang.c
+++ b/src/backend/commands/proclang.c
@@ -7,7 +7,7 @@
  * Portions Copyright (c) 1994, Regents of the University of California
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/proclang.c,v 1.46 2003/07/18 23:20:32 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/proclang.c,v 1.47 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -266,7 +266,7 @@ RenameLanguage(const char *oldname, const char *newname)
 	if (!superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+				 errmsg("must be superuser to rename procedural language")));
 
 	/* rename */
 	namestrcpy(&(((Form_pg_language) GETSTRUCT(tup))->lanname), newname);
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
index 808401c48f2..5ad81634f41 100644
--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/schemacmds.c,v 1.13 2003/07/28 00:09:14 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/schemacmds.c,v 1.14 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -91,7 +91,8 @@ CreateSchemaCommand(CreateSchemaStmt *stmt)
 	 */
 	aclresult = pg_database_aclcheck(MyDatabaseId, saved_userid, ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_database_name(MyDatabaseId));
+		aclcheck_error(aclresult, ACL_KIND_DATABASE,
+					   get_database_name(MyDatabaseId));
 
 	if (!allowSystemTableMods && IsReservedName(schemaName))
 		ereport(ERROR,
@@ -181,7 +182,8 @@ RemoveSchema(List *names, DropBehavior behavior)
 
 	/* Permission check */
 	if (!pg_namespace_ownercheck(namespaceId, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, namespaceName);
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_NAMESPACE,
+					   namespaceName);
 
 	/*
 	 * Do the deletion.  Objects contained in the schema are removed by
@@ -255,12 +257,14 @@ RenameSchema(const char *oldname, const char *newname)
 
 	/* must be owner */
 	if (!pg_namespace_ownercheck(HeapTupleGetOid(tup), GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, oldname);
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_NAMESPACE,
+					   oldname);
 
 	/* must have CREATE privilege on database */
 	aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_database_name(MyDatabaseId));
+		aclcheck_error(aclresult, ACL_KIND_DATABASE,
+					   get_database_name(MyDatabaseId));
 
 	if (!allowSystemTableMods && IsReservedName(newname))
 		ereport(ERROR,
diff --git a/src/backend/commands/sequence.c b/src/backend/commands/sequence.c
index cb2106a3603..7ce7810fbca 100644
--- a/src/backend/commands/sequence.c
+++ b/src/backend/commands/sequence.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/sequence.c,v 1.98 2003/07/28 00:09:14 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/sequence.c,v 1.99 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -314,9 +314,10 @@ AlterSequence(AlterSeqStmt *stmt)
 	/* open and AccessShareLock sequence */
 	init_sequence(stmt->sequence, &elm, &seqrel);
 
-	/* Allow DROP to sequence owner only*/
+	/* allow DROP to sequence owner only */
 	if (!pg_class_ownercheck(elm->relid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, stmt->sequence->relname);
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   stmt->sequence->relname);
 
 	/* lock page' buffer and read tuple into new sequence structure */
 	seq = read_info(elm, seqrel, &buf);
@@ -417,7 +418,7 @@ nextval(PG_FUNCTION_ARGS)
 	if (pg_class_aclcheck(elm->relid, GetUserId(), ACL_UPDATE) != ACLCHECK_OK)
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("%s.nextval: permission denied",
+				 errmsg("permission denied for sequence %s",
 						sequence->relname)));
 
 	if (elm->last != elm->cached)		/* some numbers were cached */
@@ -609,7 +610,7 @@ currval(PG_FUNCTION_ARGS)
 	if (pg_class_aclcheck(elm->relid, GetUserId(), ACL_SELECT) != ACLCHECK_OK)
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("%s.currval: permission denied",
+				 errmsg("permission denied for sequence %s",
 						sequence->relname)));
 
 	if (elm->increment == 0)	/* nextval/read_info were not called */
@@ -652,7 +653,7 @@ do_setval(RangeVar *sequence, int64 next, bool iscalled)
 	if (pg_class_aclcheck(elm->relid, GetUserId(), ACL_UPDATE) != ACLCHECK_OK)
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("%s.setval: permission denied",
+				 errmsg("permission denied for sequence %s",
 						sequence->relname)));
 
 	/* lock page' buffer and read tuple */
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
index 11b93759b8a..b3108053d9d 100644
--- a/src/backend/commands/tablecmds.c
+++ b/src/backend/commands/tablecmds.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/tablecmds.c,v 1.75 2003/07/20 21:56:32 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/tablecmds.c,v 1.76 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -162,7 +162,8 @@ DefineRelation(CreateStmt *stmt, char relkind)
 		aclresult = pg_namespace_aclcheck(namespaceId, GetUserId(),
 										  ACL_CREATE);
 		if (aclresult != ACLCHECK_OK)
-			aclcheck_error(aclresult, get_namespace_name(namespaceId));
+			aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+						   get_namespace_name(namespaceId));
 	}
 
 	/*
@@ -382,12 +383,13 @@ TruncateRelation(const RangeVar *relation)
 
 	/* Permissions checks */
 	if (!pg_class_ownercheck(relid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/*
@@ -576,7 +578,7 @@ MergeAttributes(List *schema, List *supers, bool istemp,
 		 * demand that creator of a child table own the parent.
 		 */
 		if (!pg_class_ownercheck(RelationGetRelid(relation), GetUserId()))
-			aclcheck_error(ACLCHECK_NOT_OWNER,
+			aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
 						   RelationGetRelationName(relation));
 
 		/*
@@ -1139,12 +1141,12 @@ renameatt(Oid myrelid,
 	 * normally, only the owner of a class can change its schema.
 	 */
 	if (!pg_class_ownercheck(myrelid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER,
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
 					   RelationGetRelationName(targetrelation));
 	if (!allowSystemTableMods && IsSystemRelation(targetrelation))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(targetrelation))));
 
 	/*
@@ -1349,7 +1351,7 @@ renamerel(Oid myrelid, const char *newrelname)
 	if (!allowSystemTableMods && IsSystemRelation(targetrelation))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(targetrelation))));
 
 	relkind = targetrelation->rd_rel->relkind;
@@ -1681,12 +1683,13 @@ AlterTableAddColumn(Oid myrelid,
 	 * normally, only the owner of a class can change its schema.
 	 */
 	if (!pg_class_ownercheck(myrelid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/*
@@ -1966,12 +1969,13 @@ AlterTableAlterColumnDropNotNull(Oid myrelid, bool recurse,
 
 	/* Permissions checks */
 	if (!pg_class_ownercheck(myrelid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/*
@@ -2109,12 +2113,13 @@ AlterTableAlterColumnSetNotNull(Oid myrelid, bool recurse,
 
 	/* Permissions checks */
 	if (!pg_class_ownercheck(myrelid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/*
@@ -2236,12 +2241,13 @@ AlterTableAlterColumnDefault(Oid myrelid, bool recurse,
 
 	/* Permissions checks */
 	if (!pg_class_ownercheck(myrelid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/*
@@ -2341,7 +2347,8 @@ AlterTableAlterColumnFlags(Oid myrelid, bool recurse,
 
 	/* Permissions checks */
 	if (!pg_class_ownercheck(myrelid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	/*
 	 * we allow statistics case for system tables
@@ -2349,7 +2356,7 @@ AlterTableAlterColumnFlags(Oid myrelid, bool recurse,
 	if (*flagType != 'S' && !allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/*
@@ -2506,12 +2513,13 @@ AlterTableAlterOids(Oid myrelid, bool recurse, bool setOid)
 
 	/* Permissions checks */
 	if (!pg_class_ownercheck(myrelid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/*
@@ -2639,12 +2647,13 @@ AlterTableDropColumn(Oid myrelid, bool recurse, bool recursing,
 
 	/* Permissions checks */
 	if (!pg_class_ownercheck(myrelid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/*
@@ -2819,12 +2828,13 @@ AlterTableAddConstraint(Oid myrelid, bool recurse,
 
 	/* Permissions checks */
 	if (!pg_class_ownercheck(myrelid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	if (recurse)
@@ -3120,18 +3130,20 @@ AlterTableAddForeignKeyConstraint(Relation rel, FkConstraint *fkconstraint)
 	aclresult = pg_class_aclcheck(RelationGetRelid(pkrel), GetUserId(),
 								  ACL_REFERENCES);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, RelationGetRelationName(pkrel));
+		aclcheck_error(aclresult, ACL_KIND_CLASS,
+					   RelationGetRelationName(pkrel));
 
 	if (!allowSystemTableMods && IsSystemRelation(pkrel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(pkrel))));
 
 	aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(),
 								  ACL_REFERENCES);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, RelationGetRelationName(rel));
+		aclcheck_error(aclresult, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	if (isTempNamespace(RelationGetNamespace(pkrel)) &&
 		!isTempNamespace(RelationGetNamespace(rel)))
@@ -3804,12 +3816,13 @@ AlterTableDropConstraint(Oid myrelid, bool recurse,
 
 	/* Permissions checks */
 	if (!pg_class_ownercheck(myrelid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/*
@@ -4071,7 +4084,8 @@ AlterTableCreateToastTable(Oid relOid, bool silent)
 
 	/* Permissions checks */
 	if (!pg_class_ownercheck(relOid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   RelationGetRelationName(rel));
 
 	/*
 	 * Toast table is shared if and only if its parent is.
diff --git a/src/backend/commands/trigger.c b/src/backend/commands/trigger.c
index 9cfa852aa83..6e5b38804ff 100644
--- a/src/backend/commands/trigger.c
+++ b/src/backend/commands/trigger.c
@@ -7,7 +7,7 @@
  * Portions Copyright (c) 1994, Regents of the University of California
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/trigger.c,v 1.152 2003/07/28 00:09:14 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/trigger.c,v 1.153 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -146,7 +146,7 @@ CreateTrigger(CreateTrigStmt *stmt, bool forConstraint)
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/* permission checks */
@@ -158,13 +158,15 @@ CreateTrigger(CreateTrigStmt *stmt, bool forConstraint)
 		aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(),
 									  ACL_REFERENCES);
 		if (aclresult != ACLCHECK_OK)
-			aclcheck_error(aclresult, RelationGetRelationName(rel));
+			aclcheck_error(aclresult, ACL_KIND_CLASS,
+						   RelationGetRelationName(rel));
 		if (constrrelid != InvalidOid)
 		{
 			aclresult = pg_class_aclcheck(constrrelid, GetUserId(),
 										  ACL_REFERENCES);
 			if (aclresult != ACLCHECK_OK)
-				aclcheck_error(aclresult, get_rel_name(constrrelid));
+				aclcheck_error(aclresult, ACL_KIND_CLASS,
+							   get_rel_name(constrrelid));
 		}
 	}
 	else
@@ -173,7 +175,8 @@ CreateTrigger(CreateTrigStmt *stmt, bool forConstraint)
 		aclresult = pg_class_aclcheck(RelationGetRelid(rel), GetUserId(),
 									  ACL_TRIGGER);
 		if (aclresult != ACLCHECK_OK)
-			aclcheck_error(aclresult, RelationGetRelationName(rel));
+			aclcheck_error(aclresult, ACL_KIND_CLASS,
+						   RelationGetRelationName(rel));
 	}
 
 	/*
@@ -481,7 +484,8 @@ DropTrigger(Oid relid, const char *trigname, DropBehavior behavior)
 						trigname, get_rel_name(relid))));
 
 	if (!pg_class_ownercheck(relid, GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, get_rel_name(relid));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+					   get_rel_name(relid));
 
 	object.classId = RelationGetRelid(tgrel);
 	object.objectId = HeapTupleGetOid(tup);
@@ -544,7 +548,7 @@ RemoveTriggerById(Oid trigOid)
 	if (!allowSystemTableMods && IsSystemRelation(rel))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("\"%s\" is a system catalog",
+				 errmsg("permission denied: \"%s\" is a system catalog",
 						RelationGetRelationName(rel))));
 
 	/*
diff --git a/src/backend/commands/typecmds.c b/src/backend/commands/typecmds.c
index 9aa7f02bfd8..275143c1517 100644
--- a/src/backend/commands/typecmds.c
+++ b/src/backend/commands/typecmds.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/typecmds.c,v 1.39 2003/07/20 21:56:33 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/typecmds.c,v 1.40 2003/08/01 00:15:19 tgl Exp $
  *
  * DESCRIPTION
  *	  The "DefineFoo" routines take the parse tree and pick out the
@@ -121,7 +121,8 @@ DefineType(List *names, List *parameters)
 	/* Check we have creation rights in target namespace */
 	aclresult = pg_namespace_aclcheck(typeNamespace, GetUserId(), ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(typeNamespace));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(typeNamespace));
 
 	/*
 	 * Type names must be one character shorter than other names, allowing
@@ -416,7 +417,8 @@ RemoveType(List *names, DropBehavior behavior)
 	if (!pg_type_ownercheck(typeoid, GetUserId()) &&
 		!pg_namespace_ownercheck(((Form_pg_type) GETSTRUCT(tup))->typnamespace,
 								 GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, TypeNameToString(typename));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_TYPE,
+					   TypeNameToString(typename));
 
 	ReleaseSysCache(tup);
 
@@ -501,7 +503,8 @@ DefineDomain(CreateDomainStmt *stmt)
 	aclresult = pg_namespace_aclcheck(domainNamespace, GetUserId(),
 									  ACL_CREATE);
 	if (aclresult != ACLCHECK_OK)
-		aclcheck_error(aclresult, get_namespace_name(domainNamespace));
+		aclcheck_error(aclresult, ACL_KIND_NAMESPACE,
+					   get_namespace_name(domainNamespace));
 
 	/*
 	 * Domainnames, unlike typenames don't need to account for the '_'
@@ -789,7 +792,8 @@ RemoveDomain(List *names, DropBehavior behavior)
 	if (!pg_type_ownercheck(typeoid, GetUserId()) &&
 		!pg_namespace_ownercheck(((Form_pg_type) GETSTRUCT(tup))->typnamespace,
 								 GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, TypeNameToString(typename));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_TYPE,
+					   TypeNameToString(typename));
 
 	/* Check that this is actually a domain */
 	typtype = ((Form_pg_type) GETSTRUCT(tup))->typtype;
@@ -1726,7 +1730,8 @@ domainOwnerCheck(HeapTuple tup, TypeName *typename)
 
 	/* Permission check: must own type */
 	if (!pg_type_ownercheck(HeapTupleGetOid(tup), GetUserId()))
-		aclcheck_error(ACLCHECK_NOT_OWNER, TypeNameToString(typename));
+		aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_TYPE,
+					   TypeNameToString(typename));
 }
 
 /*
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 7f85f0581b6..36416a5232f 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -6,7 +6,7 @@
  * Portions Copyright (c) 1996-2002, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.121 2003/07/28 00:09:14 tgl Exp $
+ * $Header: /cvsroot/pgsql/src/backend/commands/user.c,v 1.122 2003/08/01 00:15:19 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -601,7 +601,7 @@ CreateUser(CreateUserStmt *stmt)
 	if (!superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+				 errmsg("must be superuser to create users")));
 
 	if (strcmp(stmt->user, "public") == 0)
 		ereport(ERROR,
@@ -1023,7 +1023,7 @@ DropUser(DropUserStmt *stmt)
 	if (!superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+				 errmsg("must be superuser to drop users")));
 
 	/*
 	 * Scan the pg_shadow relation to find the usesysid of the user to be
@@ -1194,7 +1194,7 @@ RenameUser(const char *oldname, const char *newname)
 	if (!superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+				 errmsg("must be superuser to rename users")));
 
 	/* rename */
 	namestrcpy(&(((Form_pg_shadow) GETSTRUCT(tup))->usename), newname);
@@ -1307,7 +1307,7 @@ CreateGroup(CreateGroupStmt *stmt)
 	if (!superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+				 errmsg("must be superuser to create groups")));
 
 	if (strcmp(stmt->name, "public") == 0)
 		ereport(ERROR,
@@ -1434,7 +1434,7 @@ AlterGroup(AlterGroupStmt *stmt, const char *tag)
 	if (!superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+				 errmsg("must be superuser to alter groups")));
 
 	/*
 	 * Secure exclusive lock to protect our update of the flat group file.
@@ -1678,7 +1678,7 @@ DropGroup(DropGroupStmt *stmt)
 	if (!superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+				 errmsg("must be superuser to drop groups")));
 
 	/*
 	 * Secure exclusive lock to protect our update of the flat group file.
@@ -1742,7 +1742,7 @@ RenameGroup(const char *oldname, const char *newname)
 	if (!superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied")));
+				 errmsg("must be superuser to rename groups")));
 
 	/* rename */
 	namestrcpy(&(((Form_pg_group) GETSTRUCT(tup))->groname), newname);
diff --git a/src/backend/commands/view.c b/src/backend/commands/view.c
index 2319e400f1f..e12ae0af686 100644
--- a/src/backend/commands/view.c
+++ b/src/backend/commands/view.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/commands/view.c,v 1.74 2003/07/20 21:56:34 tgl Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/commands/view.c,v 1.75 2003/08/01 00:15:20 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -114,7 +114,8 @@ DefineVirtualRelation(const RangeVar *relation, List *tlist, bool replace)
 							RelationGetRelationName(rel))));
 
 		if (!pg_class_ownercheck(viewOid, GetUserId()))
-			aclcheck_error(ACLCHECK_NOT_OWNER, RelationGetRelationName(rel));
+			aclcheck_error(ACLCHECK_NOT_OWNER, ACL_KIND_CLASS,
+						   RelationGetRelationName(rel));
 
 		/*
 		 * Create a tuple descriptor to compare against the existing view,