Re: pg_dumpall can't be restored with different bootstrap superuser

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Álvaro Rodríguez <[email protected]>
To: Nathan Bossart <[email protected]>
Cc: Tom Lane <[email protected]>
Cc: Euler Taveira <[email protected]>
Cc: [email protected]
Cc: Javier Maellas <[email protected]>
Cc: Diego Revenga <[email protected]>
Cc: [email protected]
Subject: Re: pg_dumpall can't be restored with different bootstrap superuser
Date: Wed, 6 May 2026 09:15:00 +0200
Message-ID: <CA+C_kKWfTMwh-vMVAXVdhW=OQ2GUpr845TYpU8rqKe5HcgvtEQ@mail.gmail.com> (raw)
In-Reply-To: <afpHwTR1IJypF1md@nathan>
References: <CA+C_kKWHMP4c56jx1BPvP1jmjp2pmBu0Cw07fPVECUmkJSnT4w@mail.gmail.com>
	<[email protected]>
	<[email protected]>
	<afpHwTR1IJypF1md@nathan>

On Tue, May 05, 2026 at 03:10:47PM -0400, Tom Lane wrote:
> I don't think that pg_dumpall is to be blamed; this is the backend's
> fault.  I thought we had made this better in dd1398f13, but it still
> seems rather bogus:
>
> [...]
> regression=# grant a to b granted by super;
> ERROR:  permission denied to grant privileges as role "super"
> DETAIL:  The grantor must have the ADMIN option on role "a".
>
> Surely a superuser should be considered to have admin options
> on everything.

For what it's worth, this lines up with my and my team's thinking on
this issue. The idea that there are two "tiers" of superusers
(bootstrap and the rest) seems to run against a) the general rule of
making permissions obvious and explicitly grantable, and b) the very
own definition of superuser as David pointed out. The fact that there
is no reasonable way of fixing the pg_dumpall output even if we wanted
to (bar, I guess, renaming the bootstrap superuser) seems to indicate
that something is off with the permission model on this.

Álvaro

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  Subject: Re: pg_dumpall can't be restored with different bootstrap superuser
  In-Reply-To: <CA+C_kKWfTMwh-vMVAXVdhW=OQ2GUpr845TYpU8rqKe5HcgvtEQ@mail.gmail.com>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox