From: Tom Lane
To: Laurenz Albe
cc: pgsql-hackers@postgresql.org
Subject: Re: Role membership and DROP
In-reply-to: <504497aca66bf34bdcdd90bd0bcebdc3a33f577b.camel@cybertec.at>
References: <504497aca66bf34bdcdd90bd0bcebdc3a33f577b.camel@cybertec.at>
Comments: In-reply-to Laurenz Albe message dated "Wed, 13 Nov 2019 22:36:11 +0100"
Date: Wed, 13 Nov 2019 17:17:06 -0500
Message-ID: <6808.1573683426@sss.pgh.pa.us>

Laurenz Albe writes:
> I realized only today that if role A is a member of role B,
> A can ALTER and DROP objects owned by B.
> I don't have a problem with that, but the documentation seems to
> suggest otherwise.
> For example, for DROP TABLE:
> Only the table owner, the schema owner, and superuser can drop a table.

Generally, if you are a member of a role, that means you are the role for
privilege-test purposes. I'm not on board with adding "(or a member of that
role)" to every place it could conceivably be added; I think that would be
more annoying than helpful.

It might be worth clarifying this point in section 5.7,
https://www.postgresql.org/docs/devel/ddl-priv.html
but let's not duplicate that in every ref/ page.

regards, tom lane
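The behaviour discussed in this thread, as an added, constructed psql session that is not part of the original messages: a member of a role passes the ownership check for that role's objects, so it can ALTER and DROP them. The role names `role_a`, `role_b` and the table `b_owned` are assumptions chosen for the example; it assumes it is run by a superuser (or a role with CREATEROLE) and that `role_a` keeps the default INHERIT attribute.

```sql
-- Constructed example, not from the thread. Run as a superuser.
CREATE ROLE role_b NOLOGIN;          -- the owning role
CREATE ROLE role_a LOGIN;            -- default INHERIT (assumption)
GRANT role_b TO role_a;              -- A is now a member of B

-- Create an object owned by role_b.
SET ROLE role_b;
CREATE TABLE b_owned (id integer);
RESET ROLE;

-- Act as role_a and check what the privilege tests see.
SET ROLE role_a;

-- 'MEMBER': is role_a a member of role_b at all?
SELECT pg_has_role('role_a', 'role_b', 'MEMBER');   -- expected: t
-- 'USAGE': does role_a currently hold role_b's privileges (inherited)?
-- This is the test ownership checks effectively rely on.
SELECT pg_has_role('role_a', 'role_b', 'USAGE');    -- expected: t

-- Both succeed even though role_a is not the owner: for privilege
-- purposes, a member of role_b "is" role_b.
ALTER TABLE b_owned ADD COLUMN note text;
DROP TABLE b_owned;

RESET ROLE;

-- Clean up the constructed roles.
DROP ROLE role_a;
DROP ROLE role_b;
```

The practical caveat for anyone auditing who can drop or alter an object: checking `pg_class.relowner` alone understates the set of roles with that power; any role that inherits membership in the owner role (directly or through a chain of grants) has it too. If `role_a` were created NOINHERIT, the `'USAGE'` check above would return false and the ALTER/DROP would fail until it ran `SET ROLE role_b`, which is the usual way to keep such rights from being exercised implicitly.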