Re: BUG #15275: Trigger don't take supperuser role into account tocreate role - Mailing list pgsql-bugs

From Andres Freund
Subject Re: BUG #15275: Trigger don't take supperuser role into account tocreate role
Date
Msg-id 20180711172116.2j57u5gwqbnx2n7y@alap3.anarazel.de
In response to BUG #15275: Trigger don't take supperuser role into account to createrole  (PG Bug reporting form <noreply@postgresql.org>)
List pgsql-bugs
On 2018-07-11 17:14:17 +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
> 
> Bug reference:      15275
> Logged by:          Alexandre Marquis
> Email address:      alexandre.marquis@mamot.gouv.qc.ca
> PostgreSQL version: 10.0
> Operating system:   Windows
> Description:        
> 
> I've got a trigger whose purpose is to create a postgres user every time an
> employee is added to my employee table. If I use my SUPERUSER account to add
> an employee it doesn't work because I've got NOCREATEROLE instead of
> CREATEROLE. But according to the CREATE ROLE docs at
> https://www.postgresql.org/docs/10/static/sql-createrole.html, " You must
> have CREATEROLE privilege or be a database superuser to use this command."
> so as a superuser this should work.

I think you'll need to provide more context. Because the current
implementation indeed works like the docs suggest:

bool
has_createrole_privilege(Oid roleid)
{
    bool        result = false;
    HeapTuple    utup;

    /* Superusers bypass all permission checking. */
    if (superuser_arg(roleid))
        return true;

    utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
    if (HeapTupleIsValid(utup))
    {
        result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreaterole;
        ReleaseSysCache(utup);
    }
    return result;
}

(note the superuser check).

I suspect your problem is more likely related to the user that the
trigger runs under?

Greetings,

Andres Freund
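
Added example, not part of the message above or of PostgreSQL's source: one way to check which role a trigger runs under and whether that role would pass the superuser/CREATEROLE check quoted above. The table name `employee` and the `debug_trigger_role` function and trigger are hypothetical, since the report does not give the real names.

```sql
-- 1. For each user-defined trigger on the (hypothetical) employee table, show
--    the function it calls, whether that function is SECURITY DEFINER, and
--    whether its owner is a superuser or has CREATEROLE. A SECURITY DEFINER
--    function runs as its owner, not as the role doing the INSERT.
SELECT t.tgname            AS trigger_name,
       p.oid::regprocedure AS trigger_function,
       p.prosecdef         AS security_definer,
       o.rolname           AS function_owner,
       o.rolsuper          AS owner_is_superuser,
       o.rolcreaterole     AS owner_has_createrole
FROM pg_trigger t
JOIN pg_proc  p ON p.oid = t.tgfoid
JOIN pg_roles o ON o.oid = p.proowner
WHERE t.tgrelid = 'employee'::regclass
  AND NOT t.tgisinternal;

-- 2. Temporary diagnostic trigger (hypothetical name). It is SECURITY INVOKER,
--    so it reports the role in effect for the INSERT itself. session_user and
--    current_user differ after SET ROLE, and privileges follow current_user.
CREATE OR REPLACE FUNCTION debug_trigger_role() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE NOTICE 'session_user=%, current_user=%, superuser=%, createrole=%',
        session_user,
        current_user,
        (SELECT rolsuper      FROM pg_roles WHERE rolname = current_user),
        (SELECT rolcreaterole FROM pg_roles WHERE rolname = current_user);
    RETURN NEW;
END;
$$;

CREATE TRIGGER debug_trigger_role
    BEFORE INSERT ON employee
    FOR EACH ROW EXECUTE PROCEDURE debug_trigger_role();

-- 3. Remove the diagnostic objects once the NOTICE output has been checked.
-- DROP TRIGGER debug_trigger_role ON employee;
-- DROP FUNCTION debug_trigger_role();
```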

