Andrus <kobruleht2@hot.ee> writes:
> Postgres 16 has user ingmar which is marked as superuser and has create
> role rights:
> CREATE ROLE ingmar WITH
> LOGIN
> SUPERUSER
> INHERIT
> CREATEDB
> CREATEROLE
> NOREPLICATION
> BYPASSRLS
> ENCRYPTED PASSWORD 'md5aaaaaaa790012b7aa47017f124e263d8';
> GRANT "240316_owner" TO ingmar;
> GRANT eeva_owner TO ingmar WITH ADMIN OPTION;
Those GRANTs are quite unnecessary when the grantee is a superuser.
Superuser roles always pass every privilege check.
> User ingmar creates role "ingmar.e" using
> CREATE ROLE "ingmar.e" LOGIN
> and tries to grant eeva_owner role to it using
> GRANT "eeva_owner" TO "ingmar.e"
> This command throws error
> ERROR: permission denied to grant role "eeva_owner"
Works for me. For that matter, given the GRANT WITH ADMIN OPTION,
it works even if "ingmar" isn't a superuser.
I'm betting you weren't actually operating as the "ingmar" role
when you did that, but since you didn't show your steps in any
detail, it's hard to say where you went wrong.
regards, tom lane
