Thread: BUG #15275: Trigger don't take supperuser role into account to createrole
BUG #15275: Trigger don't take supperuser role into account to createrole
From
PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference:      15275
Logged by:          Alexandre Marquis
Email address:      alexandre.marquis@mamot.gouv.qc.ca
PostgreSQL version: 10.0
Operating system:   Windows
Description:

I've got a trigger whose purpose is to create a postgres user every time an
employee is added to my employee table. If I use my SUPERUSER account to add
an employee it doesn't work because I've got NOCREATEROLE instead of
CREATEROLE. But according to the CREATE ROLE docs at
https://www.postgresql.org/docs/10/static/sql-createrole.html, "You must
have CREATEROLE privilege or be a database superuser to use this command."
so as a superuser this should work.

Thx for the help!
Re: BUG #15275: Trigger don't take supperuser role into account tocreate role
From
Andres Freund
Date:
On 2018-07-11 17:14:17 +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference:      15275
> Logged by:          Alexandre Marquis
> Email address:      alexandre.marquis@mamot.gouv.qc.ca
> PostgreSQL version: 10.0
> Operating system:   Windows
> Description:
>
> I've got a trigger whose purpose is to create a postgres user every time an
> employee is added to my employee table. If I use my SUPERUSER account to add
> an employee it doesn't work because I've got NOCREATEROLE instead of
> CREATEROLE. But according to the CREATE ROLE docs at
> https://www.postgresql.org/docs/10/static/sql-createrole.html, " You must
> have CREATEROLE privilege or be a database superuser to use this command."
> so as a superuser this should work.

I think you'll need to provide more context. Because the current
implementation indeed works like the docs suggest:

    bool
    has_createrole_privilege(Oid roleid)
    {
        bool        result = false;
        HeapTuple   utup;

        /* Superusers bypass all permission checking. */
        if (superuser_arg(roleid))
            return true;

        utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
        if (HeapTupleIsValid(utup))
        {
            result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreaterole;
            ReleaseSysCache(utup);
        }
        return result;
    }

(note the superuser check).

I suspect your problem is more likely related to the user that the
trigger runs under?

Greetings,

Andres Freund
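
Added example, not part of the thread and not the reporter's or the PostgreSQL project's code: one way to see which role a trigger actually runs under, using PostgreSQL 10 syntax. The table `employee_demo`, the function `report_effective_role` and the trigger name are hypothetical, and the inserted login is a constructed sample value.

```sql
-- Hypothetical stand-in for the reporter's employee table.
CREATE TABLE employee_demo (
    id    serial PRIMARY KEY,
    login text NOT NULL
);

-- Diagnostic trigger function: reports the role whose privileges are
-- checked while the trigger body executes.
CREATE FUNCTION report_effective_role() RETURNS trigger
LANGUAGE plpgsql AS $$
DECLARE
    r record;
BEGIN
    -- current_user is the role used for permission checks;
    -- session_user is the role that authenticated the connection.
    SELECT rolname, rolsuper, rolcreaterole
      INTO r
      FROM pg_roles
     WHERE rolname = current_user;

    RAISE NOTICE 'session_user=%, current_user=%, rolsuper=%, rolcreaterole=%',
        session_user, r.rolname, r.rolsuper, r.rolcreaterole;

    -- Same rule as has_createrole_privilege(): superuser OR rolcreaterole.
    IF NOT (r.rolsuper OR r.rolcreaterole) THEN
        RAISE NOTICE 'CREATE ROLE would be rejected for role %', r.rolname;
    END IF;

    RETURN NEW;
END;
$$;

CREATE TRIGGER employee_demo_report
    BEFORE INSERT ON employee_demo
    FOR EACH ROW EXECUTE PROCEDURE report_effective_role();

-- Constructed sample row; the NOTICE output shows the effective role.
INSERT INTO employee_demo (login) VALUES ('constructed_login');
```

If `current_user` in the notice differs from the superuser account that logged in (for example after `SET ROLE`, or because the insert happens inside a `SECURITY DEFINER` function owned by another role), the CREATE ROLE permission check applies to that role, not to the login role.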