Thread: Inherit Superuser Role Help
What am I missing here?

postgres=> SELECT current_user;
 current_user
--------------
 carlos
(1 row)

postgres=> CREATE DATABASE carlosdb;
ERROR: permission denied to create database
postgres=> \du
                                List of roles
 Role name |                          Attributes                          | Member of
-----------+--------------------------------------------------------------+-----------
 carlos    |                                                              | {dba}
 chris     |                                                              | {web}
 dba       | Superuser, Create role, Create DB, Cannot login, Replication | {}
 postgres  | Superuser, Create role, Create DB, Replication               | {}
 web       | Cannot login                                                 | {}

Shouldn't 'carlos' be a superuser based on him being a member of a
role which has createdb and superuser rights granted to it?

--
Carlos Mennens
Carlos Mennens <carlos.mennens@gmail.com> writes:
> Shouldn't 'carlos' be a superuser based on him being a member of a
> role which has createdb and superuser rights granted to it?

No. Superuserness is quite intentionally not inheritable.

It's perhaps a bit more debatable whether other role privilege bits such as CREATEDB ought to be inheritable. The position we've taken though is that only grant-able rights inherit via GRANT ROLE. This is documented under CREATE ROLE:

    The INHERIT attribute governs inheritance of grantable privileges
    (that is, access privileges for database objects and role
    memberships). It does not apply to the special role attributes set
    by CREATE ROLE and ALTER ROLE. For example, being a member of a role
    with CREATEDB privilege does not immediately grant the ability to
    create databases, even if INHERIT is set; it would be necessary to
    become that role via SET ROLE before creating a database.

regards, tom lane
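
Added example, not part of the original thread: the SET ROLE step the quoted documentation describes, using the roles from the \du listing above, followed by an audit query that lists every login role able to reach a role carrying SUPERUSER, CREATEDB or CREATEROLE through membership. The query assumes the standard pg_roles and pg_auth_members catalogs; the column aliases are chosen here.

```sql
-- Part 1: run in psql while connected as carlos (member of dba).
-- Role attributes are not inherited, so carlos must become dba first.
SET ROLE dba;
SELECT session_user, current_user;   -- session_user stays carlos, current_user is dba
CREATE DATABASE carlosdb;            -- succeeds: dba has the CREATEDB attribute
RESET ROLE;                          -- drop back to carlos for normal work

-- Part 2: audit query. Because attributes become usable after SET ROLE,
-- any login role with a membership path to a privileged role is effectively
-- privileged itself, even though \du shows no attributes on it.
-- Note: on PostgreSQL 16 and later a membership granted WITH SET FALSE does
-- not permit SET ROLE; this query does not filter on that option, so it may
-- over-report there.
WITH RECURSIVE reach(member, roleid) AS (
    -- direct memberships: "member" belongs to "roleid"
    SELECT m.member, m.roleid
    FROM pg_auth_members AS m
  UNION
    -- transitive memberships: follow the group's own memberships upward
    SELECT r.member, m.roleid
    FROM reach AS r
    JOIN pg_auth_members AS m ON m.member = r.roleid
)
SELECT u.rolname       AS login_role,
       g.rolname       AS reachable_role,
       g.rolsuper      AS gives_superuser,
       g.rolcreatedb   AS gives_createdb,
       g.rolcreaterole AS gives_createrole
FROM reach
JOIN pg_roles AS u ON u.oid = reach.member
JOIN pg_roles AS g ON g.oid = reach.roleid
WHERE u.rolcanlogin
  AND (g.rolsuper OR g.rolcreatedb OR g.rolcreaterole)
ORDER BY login_role, reachable_role;
```

With the roles shown in the thread, the audit query returns one row: carlos reaching dba, with all three flags true.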