Superuser can't revoke role granted by non-superuser - Mailing list pgsql-bugs

From Alexander Kukushkin
Subject Superuser can't revoke role granted by non-superuser
Msg-id CAFh8B=nCyWbxgD9uF5x7NV8y8PGvH_1t6wAfNQkjRnzEhN7OGA@mail.gmail.com
List pgsql-bugs
Hi,

Here is a self-contained example with 17.2; however, I assume that 16 and master will exhibit similar behaviour.

postgres=# create user a with createrole;
CREATE ROLE
postgres=# create user b with createrole;
CREATE ROLE
postgres=# set role a;
SET
postgres=> create user aa;
CREATE ROLE
postgres=> set role b;
SET
postgres=> create user bb;
CREATE ROLE
postgres=> grant bb to aa;
GRANT ROLE
postgres=> \drg
               List of role grants
 Role name | Member of |   Options    | Grantor  
-----------+-----------+--------------+----------
 a         | aa        | ADMIN        | postgres
 aa        | bb        | INHERIT, SET | b
 b         | bb        | ADMIN        | postgres
(3 rows)

postgres=> reset role;
RESET
postgres=# revoke bb from aa;
WARNING:  role "aa" has not been granted membership in role "bb" by role "postgres"
REVOKE ROLE
postgres=# \drg
               List of role grants
 Role name | Member of |   Options    | Grantor  
-----------+-----------+--------------+----------
 a         | aa        | ADMIN        | postgres
 aa        | bb        | INHERIT, SET | b
 b         | bb        | ADMIN        | postgres
(3 rows)

IMO, superusers should be able to revoke privileges they didn't grant.

Regards,
--
Alexander Kukushkin
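
An added example, not part of the original message: the WARNING in the session names the grantor that REVOKE looked for (the current role, postgres), while \drg shows the membership recorded with grantor b. The SQL below audits membership grants by grantor in pg_auth_members and then names the grantor explicitly with GRANTED BY; it assumes PostgreSQL 16 or later and reuses the role names from the session.

```sql
-- Added example. Role names (aa, bb, b) are those from the session above.
-- Assumes PostgreSQL 16+, where pg_auth_members carries
-- inherit_option and set_option alongside admin_option.

-- 1. List every role membership with the grantor recorded for it,
--    flagging grants whose grantor is not a superuser. These are the
--    rows a plain "REVOKE role FROM member" run as postgres will not match.
SELECT m.roleid::regrole   AS granted_role,
       m.member::regrole   AS member,
       m.grantor::regrole  AS grantor,
       m.admin_option,
       m.inherit_option,
       m.set_option,
       NOT g.rolsuper      AS grantor_is_not_superuser
FROM pg_auth_members AS m
JOIN pg_roles        AS g ON g.oid = m.grantor
ORDER BY grantor, granted_role, member;

-- 2. Revoke the membership by naming the grantor that the catalog
--    records for it (b), instead of relying on the current role.
REVOKE bb FROM aa GRANTED BY b;

-- 3. Confirm that no membership of aa in bb remains under any grantor.
SELECT count(*) AS remaining_grants
FROM pg_auth_members
WHERE roleid = 'bb'::regrole
  AND member = 'aa'::regrole;
```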
