Re: CREATEROLE users vs. role properties - Mailing list pgsql-hackers

From tushar
Subject Re: CREATEROLE users vs. role properties
Date
Msg-id CAC6VRob4ZLga-JJUsNimh-mxs6YeiSFGv2H7B660_Zz7TGRv6w@mail.gmail.com
Whole thread Raw
In response to Re: CREATEROLE users vs. role properties  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: CREATEROLE users vs. role properties
List pgsql-hackers


On Thu, Jan 19, 2023 at 8:34 PM Robert Haas <robertmhaas@gmail.com> wrote:
On Thu, Jan 19, 2023 at 6:15 AM tushar <tushar.ahuja@enterprisedb.com> wrote:
> postgres=# create role fff with createrole;
> CREATE ROLE
> postgres=# create role xxx;
> CREATE ROLE
> postgres=# set role fff;
> SET
> postgres=> alter role xxx with createrole;
> ERROR:  permission denied
> postgres=>

Here fff would need ADMIN OPTION on xxx to be able to make modifications to it.

See https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=cf5eb37c5ee0cc54c80d95c1695d7fca1f7c68cb

Thanks, Robert, that was helpful.

Please refer to this scenario where I am able to give createrole privileges but not replication  privilege to role

postgres=# create role t1 createrole;
CREATE ROLE
postgres=# create role t2 replication;
CREATE ROLE
postgres=# create role t3;
CREATE ROLE
postgres=# grant t3 to t1,t2 with admin option;
GRANT ROLE
postgres=# set session authorization t1;
SET
postgres=> alter role t3 createrole ;
ALTER ROLE

postgres=> set session authorization t2;
SET
postgres=> alter role t3 replication;
ERROR:  permission denied

This same behavior was observed in v14 as well but why i am able to give createrole grant but not replication?

regards,



 

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: run pgindent on a regular basis / scripted manner
Next
From: Reid Thompson
Date:
Subject: Re: Add the ability to limit the amount of memory that can be allocated to backends.