On Mon, Jun 6, 2022 at 7:41 PM Stephen Frost <sfrost@snowman.net> wrote: > > In terms of how that's then used, yeah, it's during REVOKE because a > REVOKE is only able to 'find' role authorization descriptors which match > the triple of role revoked, grantee, grantor (though there's a caveat in > that the 'grantor' role could be the current role, or the current user).
What is supposed to happen if someone tries to execute DROP ROLE on a role that has previously been used as a grantor?
Upthread, I proposed that "drop role baz" should fail here
I concur with this.
I think that the grantor owns the grant, and that REASSIGNED OWNED should be able to move those grants to someone else.