From: Tom Lane
To: "David G. Johnston"
cc: Dominique Devienne , "pgsql-general@lists.postgresql.org"
Subject: Re: DROP ROLE as SUPERUSER
Comments: In-reply-to "David G. Johnston" message dated "Thu, 20 Feb 2025 08:55:21 -0700"
Date: Thu, 20 Feb 2025 11:05:50 -0500
Message-ID: <2705563.1740067550@sss.pgh.pa.us>

"David G. Johnston" writes:
> On Thursday, February 20, 2025, Dominique Devienne
> wrote:
>> Hi. Today I was surprised that REVOKE ALL ON DATABASE FROM ROLE silently
>> did nothing, even with CASCADE, when I was running it as SUPERUSER,
>> preventing DROP'ing the ROLE. I had to manually SET ROLE to the GRANTOR, do
>> the REVOKE, which DID something this time, and then I could DROP the role.

> This has nothing to do with power/permissions. It is about not specifying
> “granted by” in your SQL command and thus failing to fully and correctly
> specify the single permission you want to revoke.

It used to be that if a superuser issued GRANT/REVOKE, the operation
was silently done as the owner of the affected object. That was
always a bit of a wart, since among other things it meant that
the object owner could undo it. Now you have to say "GRANTED BY "
to get that effect. I'm not entirely sure, but I think this is
closer to what the SQL standard says.

regards, tom lane
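
Added example, not part of the original message or of the PostgreSQL project's own code: a query that shows which grantor recorded each database privilege for a role, followed by the SET ROLE / REVOKE / DROP ROLE sequence described in the quoted report. The names `appdb`, `app_reader` and `some_grantor` are hypothetical placeholders.

```sql
-- Hypothetical names: database "appdb", role to drop "app_reader".

-- 1. List each privilege the role holds on the database together with the
--    grantor recorded in the ACL. A REVOKE only removes entries whose
--    grantor matches the role the REVOKE is executed as.
SELECT d.datname,
       grantor.rolname  AS grantor,
       grantee.rolname  AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_database AS d
CROSS JOIN LATERAL aclexplode(d.datacl) AS a
JOIN pg_roles AS grantor ON grantor.oid = a.grantor
JOIN pg_roles AS grantee ON grantee.oid = a.grantee
WHERE d.datname = 'appdb'
  AND grantee.rolname = 'app_reader'
ORDER BY grantor.rolname, a.privilege_type;

-- 2. For each grantor returned above, act as that role and revoke
--    (the procedure from the quoted message). "some_grantor" stands for
--    one value from the grantor column.
SET ROLE some_grantor;
REVOKE ALL ON DATABASE appdb FROM app_reader;
RESET ROLE;

-- 3. Re-run query 1. Once it returns no rows, the database ACL no longer
--    blocks the drop; other dependencies (owned objects, privileges on
--    other objects) can still cause DROP ROLE to fail.
DROP ROLE app_reader;
```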