From: Tom Lane <[email protected]>
To: Andrus <[email protected]>
Cc: pgsql-general <[email protected]>
Subject: Re: How to grant role to other user
Date: Tue, 03 Sep 2024 10:53:43 -0400
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

Andrus <[email protected]> writes:
> Postgres 16 has user ingmar which is marked as superuser and has create
> role rights:

> CREATE ROLE ingmar WITH
> LOGIN
> SUPERUSER
> INHERIT
> CREATEDB
> CREATEROLE
> NOREPLICATION
> BYPASSRLS
> ENCRYPTED PASSWORD 'md5aaaaaaa790012b7aa47017f124e263d8';
> GRANT "240316_owner" TO ingmar;
> GRANT eeva_owner TO ingmar WITH ADMIN OPTION;

Those GRANTs are quite unnecessary when the grantee is a superuser.
Superuser roles always pass every privilege check.

> User ingmar creates role "ingmar.e" using
> CREATE ROLE "ingmar.e" LOGIN
> and tries to grant eeva_owner role to it using
> GRANT "eeva_owner" TO "ingmar.e"
> This command throws error
> ERROR: permission denied to grant role "eeva_owner"

Works for me. For that matter, given the GRANT WITH ADMIN OPTION,
it works even if "ingmar" isn't a superuser.

I'm betting you weren't actually operating as the "ingmar" role
when you did that, but since you didn't show your steps in any
detail, it's hard to say where you went wrong.

regards, tom lane
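
The check suggested in the reply above, as an added example that is not part of the original message: confirm which role the session is really operating as, then reproduce the grant as a non-superuser who holds ADMIN OPTION. The role names demo_owner, demo_admin and "demo.e" are constructed for illustration; the script assumes a superuser session on a scratch PostgreSQL 16 database and rolls everything back.

```sql
-- Added example (constructed role names); run as a superuser in a scratch database.
BEGIN;

-- A role to hand out, and a non-superuser administrator for it.
CREATE ROLE demo_owner NOLOGIN;
CREATE ROLE demo_admin NOLOGIN CREATEROLE;      -- deliberately NOT a superuser
GRANT demo_owner TO demo_admin WITH ADMIN OPTION;

-- Become the non-superuser for the rest of the transaction.
SET LOCAL ROLE demo_admin;

-- Step 1: which role is performing the privilege checks?
-- session_user is the login role; current_user is the one that is checked.
SELECT session_user,
       current_user,
       (SELECT rolsuper FROM pg_roles WHERE rolname = current_user) AS is_superuser;

-- Step 2: does current_user hold the role WITH ADMIN OPTION?
SELECT r.rolname AS granted_role,
       m.rolname AS member,
       g.rolname AS grantor,
       am.admin_option
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.grantor
WHERE r.rolname = 'demo_owner'
  AND m.rolname = current_user;

-- Step 3: the same sequence as in the thread, now as a non-superuser.
CREATE ROLE "demo.e" LOGIN;
GRANT demo_owner TO "demo.e";   -- permitted because admin_option is true above

-- Step 4: back to the original role; the new membership row is visible.
RESET ROLE;
SELECT m.rolname AS member, g.rolname AS grantor, am.admin_option
FROM pg_auth_members am
JOIN pg_roles r ON r.oid = am.roleid
JOIN pg_roles m ON m.oid = am.member
JOIN pg_roles g ON g.oid = am.grantor
WHERE r.rolname = 'demo_owner';

ROLLBACK;  -- role creation is transactional, so nothing persists
```

If step 1 on the failing session shows a current_user other than the expected one, or step 2 returns no row with admin_option set for a non-superuser, the "permission denied to grant role" error is the expected outcome.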