Thread: Bug in Role support?

Hi

I wanted to try out the new role support in 8.1. My goal is to create
two roles, dev and admin, and make all other users member of those two
roles. The users shall then issue either "set role dev" (if the want
to to development work), or "set role admin" (in the rare case where
they need superuser access).

I did the following:

create role dev with nosuperuser nocreaterole createdb noinherit nologin ;
create role admin with superuser noinherit nologin ;
create role fgp with nosuperuser nocreaterole nocreatedb noinherit login ;
grant dev to fgp ;
grant admin to fgp ;

The last statement fails with "role "admin" is a member of role "fgp" -
but I believe it is not.

pg_auth_members looks like this:
  roleid | member | grantor | admin_option
--------+--------+---------+--------------
   16391 |  16393 |      10 | f

16391 is dev, 16392 is admin, 16393 is fgp

So, "admin" isn't even mentioned in pg_auth_members..

Did I do something wrong, or is this really a bug?

greetings, Florian Pflug

"Florian G. Pflug" <fgp@phlo.org> writes:
> grant admin to fgp ;

> The last statement fails with "role "admin" is a member of role "fgp" -
> but I believe it is not.

> Did I do something wrong, or is this really a bug?

Looks like a bug to me too.  I think it's coming from the fact that
is_member_of_role() thinks superusers are members of every role
ex officio ... which is true for permission checking purposes but
we don't want that rule applied here.  Will fix.

            regards, tom lane