Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1soV46-00BiDy-Oz
	for pgsql-general@arkaria.postgresql.org; Wed, 11 Sep 2024 21:39:55 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1soV46-008cTw-El
	for pgsql-general@arkaria.postgresql.org; Wed, 11 Sep 2024 21:39:54 +0000
Received: from makus.postgresql.org ([2001:4800:3e1:1::229])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1soV46-008cTo-3W
	for pgsql-general@lists.postgresql.org; Wed, 11 Sep 2024 21:39:54 +0000
Received: from sss.pgh.pa.us ([68.162.161.243])
	by makus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <tgl@sss.pgh.pa.us>)
	id 1soV43-000hHD-2B
	for pgsql-general@lists.postgresql.org; Wed, 11 Sep 2024 21:39:52 +0000
Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1])
	by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 48BLdmDG3908086;
	Wed, 11 Sep 2024 17:39:48 -0400
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Dominique Devienne <ddevienne@gmail.com>
cc: pgsql-general@lists.postgresql.org
Subject: Re: Backward compat issue with v16 around ROLEs
In-reply-to: <CAFCRh-8+PGGTuqg=rSKA533D0dqYAgq69UzSqMm67VEW02nZyQ@mail.gmail.com>
References: <CAFCRh-8+PGGTuqg=rSKA533D0dqYAgq69UzSqMm67VEW02nZyQ@mail.gmail.com>
Comments: In-reply-to Dominique Devienne <ddevienne@gmail.com>
	message dated "Wed, 11 Sep 2024 16:41:58 +0200"
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <3908084.1726090788.1@sss.pgh.pa.us>
Date: Wed, 11 Sep 2024 17:39:48 -0400
Message-ID: <3908085.1726090788@sss.pgh.pa.us>
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/3908085.1726090788%40sss.pgh.pa.us>
Precedence: bulk

Dominique Devienne <ddevienne@gmail.com> writes:
> Hi. I'm going around in circles trying to solve an issue with our
> system when running against a PostgreSQL v16 server. Which is linked
> to the weakening of CREATEROLE to have more granular permissions.

I'm not entirely sure, but I think the relevant v16 change is that
CREATEROLE used to imply having ADMIN on every (non-superuser) role.
Now it doesn't, and you have to actually have a WITH ADMIN OPTION
grant.  You do automatically get WITH ADMIN OPTION on roles you
create yourself --- but in this example, dd_owner did not create
dd_admin.

			regards, tom lane