Thread: CREATEROLE Inheritance

CREATEROLE Inheritance

From: PG Doc comments form
Date:
The following documentation comment has been logged on the website:

Page: https://www.postgresql.org/docs/15/role-membership.html
Description:

Regarding this paragraph: "The role attributes LOGIN, SUPERUSER, CREATEDB,
and CREATEROLE can be thought of as special privileges, but they are never
inherited as ordinary privileges on database objects are. You must actually
SET ROLE to a specific role having one of these attributes in order to make
use of the attribute. Continuing the above example, we might choose to grant
CREATEDB and CREATEROLE to the admin role. Then a session connecting as role
joe would not have these privileges immediately, only after doing SET ROLE
admin."

I have checked this for CREATEROLE and this role attribute is definitely
inheritable. I've created a new user with CREATE ROLE and no additional
options. I've tried to create a role and could not. Then I made this user a
member of a role that has the CREATEROLE attribute set to TRUE (with GRANT
user_with_createrole TO new_user). With the same new user I could now create
new roles. This has to mean inheritance works for this attribute.

I am using DataGrip IDE and made sure in the output window that the program
does not issue a 'SET ROLE' command before attempting to create a role. So
creating a new role worked with the new user (by inheritance) without using
'SET ROLE' before.

Re: CREATEROLE Inheritance

From: Tom Lane
Date:
PG Doc comments form <noreply@postgresql.org> writes:
> I have checked this for CREATEROLE and this role attribute is definitely
> inheritable.

Does not look like that to me:

regression=# create user alice createrole;
CREATE ROLE
regression=# create user bob;
CREATE ROLE
regression=# \c - alice
You are now connected to database "regression" as user "alice".
regression=> create user charlie;  -- should succeed
CREATE ROLE
regression=> \c - bob
You are now connected to database "regression" as user "bob".
regression=> create user delta;    -- should fail
ERROR:  permission denied to create role
DETAIL:  Only roles with the CREATEROLE attribute may create roles.
regression=> \c - postgres
You are now connected to database "regression" as user "postgres".
regression=# grant alice to bob;
GRANT ROLE
regression=# \c - bob
You are now connected to database "regression" as user "bob".
regression=> create user delta;    -- still fails
ERROR:  permission denied to create role
DETAIL:  Only roles with the CREATEROLE attribute may create roles.
regression=> set role alice;
SET
regression=> create user delta;    -- now it works
CREATE ROLE

(Those DETAIL messages are fairly new, but the behavior is the same
in older branches.)  The point is precisely that bob can't make
use of alice's CREATEROLE bit without having done SET ROLE.

It's not too clear to me what you did that led you to conclude
otherwise, but going through additional layers like an IDE could
well be confusing matters.

            regards, tom lane
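The session above shows the behaviour for one pair of roles. For an audit of a whole cluster, the question a DBA usually wants answered is: which roles can end up creating roles, either because CREATEROLE is set on the role itself or because they can SET ROLE to a CREATEROLE role they are a member of (directly or through a chain of memberships)? The query below is an added example and not part of the thread; it reads only the PostgreSQL 15 catalog columns pg_roles.rolname, pg_roles.rolcreaterole, pg_roles.rolsuper and pg_auth_members.roleid / pg_auth_members.member, and the CTE and column aliases (reach, has_createrole_directly, can_set_role_to_createrole, via_roles) are names chosen here.

```sql
-- Added audit query (not from the original thread). Lists every role that can
-- create roles, either directly (CREATEROLE on the role itself) or by doing
-- SET ROLE to a CREATEROLE role it is a member of, directly or transitively.
-- rolinherit is deliberately ignored: as the thread explains, CREATEROLE is not
-- inherited, so membership only matters for what SET ROLE can reach.
-- Alias names (reach, via_roles, ...) are chosen here; catalog names are PG 15.
WITH RECURSIVE reach AS (
    -- seed: every role "reaches" itself
    SELECT r.oid AS role_oid, r.oid AS reached_oid
    FROM pg_roles r
    UNION                      -- UNION (not UNION ALL) stops at already-seen pairs
    -- step: a role reaches every role that one of its reached roles is a member of
    SELECT reach.role_oid, m.roleid
    FROM reach
    JOIN pg_auth_members m ON m.member = reach.reached_oid
)
SELECT r.rolname                                                   AS role,
       r.rolsuper                                                  AS is_superuser,
       bool_or(t.rolcreaterole AND t.oid = r.oid)                  AS has_createrole_directly,
       bool_or(t.rolcreaterole AND t.oid <> r.oid)                 AS can_set_role_to_createrole,
       string_agg(t.rolname, ', ' ORDER BY t.rolname)
           FILTER (WHERE t.rolcreaterole AND t.oid <> r.oid)       AS via_roles
FROM reach
JOIN pg_roles r ON r.oid = reach.role_oid
JOIN pg_roles t ON t.oid = reach.reached_oid
GROUP BY r.oid, r.rolname, r.rolsuper
HAVING bool_or(t.rolcreaterole) OR r.rolsuper
ORDER BY r.rolname;
```

Run as a superuser (or any role that can read pg_auth_members) after the commands in the session above, the row for bob would show has_createrole_directly = false, can_set_role_to_createrole = true and via_roles = alice, which is exactly the situation Tom describes: bob cannot create roles as-is, but can after SET ROLE alice. Rows with can_set_role_to_createrole = true are the ones to review when deciding whether a membership grant has effectively handed out role creation.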