Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vNb84-007zM7-2T for pgsql-general@arkaria.postgresql.org; Mon, 24 Nov 2025 18:17:36 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vNb82-002h01-1o for pgsql-general@arkaria.postgresql.org; Mon, 24 Nov 2025 18:17:34 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vNYyP-001fAP-3B for pgsql-general@lists.postgresql.org; Mon, 24 Nov 2025 15:59:30 +0000 Received: from mail-yx1-xb132.google.com ([2607:f8b0:4864:20::b132]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vNYyO-001Fq0-1R for pgsql-general@lists.postgresql.org; Mon, 24 Nov 2025 15:59:30 +0000 Received: by mail-yx1-xb132.google.com with SMTP id 956f58d0204a3-64107188baeso3901117d50.3 for ; Mon, 24 Nov 2025 07:59:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1763999966; x=1764604766; darn=lists.postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=m9vS9nhd3IP5YSb89HXbFzkq0LAcjvtk757W9BlUwf8=; b=X0tXia6N+qIMWnfcc/gQJUqSS30wBgENTp60VVMIa2bGAFMsof5Zjsy/W+shL71Q44 WDZD93l7VteH/mw4eV1aB5Ep7sf+Rmr4zTDOJQh9NXbohWHwJNeyf63yYzPzP1ydKvpR ocjOF+bOaQqsCyVSX3shG8Ie2lptVTANdSgwqruQ5H7xYZgFBiqVJTim7/+35UPLpXnW CZhVPMR6q7Gdd4VFxlleI+pgOOiF3hIbTzyOBCDiu+gpEiqOzfwM8i/8v0daCBHIhqDL z9weFYnkAM+KUHZeCeTtkQMX2pouMUX+PoDcnm1ji5ihjuzGx1M96G4GghYbzPq9/+Df qqUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763999966; x=1764604766; h=to:subject:message-id:date:from:mime-version:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=m9vS9nhd3IP5YSb89HXbFzkq0LAcjvtk757W9BlUwf8=; b=fstRayhSzuE3Jqaj7iXrio171kBdcKKtQmsC4gQcS95LtBwVczkEgt5hBtlrjGuDjX OhD8rGi56KBn6ZRuOKtX+m85D8y0JNbHsrBu4b3cvGf5q4JriwouHnPYELPCfcadldXt z+qzrIAe9fd15Oy/t1fdv/K4V8Xck+1jIEF2qtUyG8//Gozu5c1GqKdCzvH0Y9KdwamK 1h7TJ2Med8KMiCeSefAdSyDd6mE6GeXJSDtdl+CcOc/sDlTqlKSC91FgkpD0ZcjhWHs0 HTa1IHNbjUP2txdfbIOKhMB3hgcssuuBpGxANiNHRRk1887gckbkM9/CMCNwzmuuB3T9 HRAQ== X-Gm-Message-State: AOJu0Yzlp2ncWihGlYvFu/qWQTtf99PxNxI1ZPON+CZ5oSXQ1Dw8Jj1n +6Dhv/ZMU0O8Xv8zC64GltZRz3EcZPDJr8hX+JqmlcJISkZv+d//QU7YDeW5eYtK3iLNBv8dNj+ 6IiBEboBOOBU21kB+/+0bs8qdo2+Xs+2z1n46 X-Gm-Gg: ASbGncsbi/keBgHuzjPRwXfkb42QMyfQmgTBUjGaFeNtaf4DBGdPIPGT+mgL+IsPtsE v/OVuGVhU0uQsPc3+zS1pXy+V1Ost2u3pWtbhIzAGQVuNYbwD35ub1nY7IJ3CskrZyhRH7jkO3i eYikAuB52pUm4vENF2Ov6bU8xKdC8XVxf0Y6qOJSfjXozQf4/3YoqlCRcOSyL67oTOLpKSWY5kt 0tU7MbS/7VNj+qlWx4SVq3qUgqSHMMFVM4VzFXNiy7kTr/ZTKE1+TV+H+qSs8a8sL+kTRg3 X-Google-Smtp-Source: AGHT+IHOQr6chLY5eN6FSUSkoZhK97btcig2dUNmn7bm8Uy+VDS4OjI09J9YwzW/0/oEHIE+GMcbUtb98HQ8TotxjzQ= X-Received: by 2002:a53:c043:0:10b0:640:dda6:e956 with SMTP id 956f58d0204a3-64302b104d5mr6743053d50.40.1763999966329; Mon, 24 Nov 2025 07:59:26 -0800 (PST) MIME-Version: 1.0 From: immerrr again Date: Mon, 24 Nov 2025 16:59:14 +0100 X-Gm-Features: AWmQ_bl1p3Ss4HPFIsP8nlAU07dJ-9ijbSk0PxtVSHxvKkdL6TSEWEgCQMQwzOk Message-ID: Subject: DROP ROLE blocked by pg_init_privs To: pgsql-general@lists.postgresql.org Content-Type: text/plain; charset="UTF-8" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Hi everyone, First time trying to configure a PG cluster by the book, I want to create a role with read permissions on all current and future tables in the current db. It looks smth like this CREATE ROLE test_role; GRANT SELECT ON ALL TABLES IN SCHEMA public TO test_role; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO test_role; I've been trying out different scenarios for the future, and currently having a problem when trying to remove "test_role" after adding an extension. CREATE EXTENSION pg_stat_statements; DROP ROLE test_role; The error is as follows: role "test_role" cannot be dropped because some objects depend on it DETAIL: privileges for default privileges on new relations belonging to role postgres in schema public privileges for view pg_stat_statements_info initial privileges for view pg_stat_statements_info privileges for view pg_stat_statements initial privileges for view pg_stat_statements Time: 0.001s I revoke all permissions I know how, but it still won't let me drop "test_role": ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM test_role; REVOKE SELECT ON TABLE public.pg_stat_statements_info FROM test_role; REVOKE SELECT ON TABLE public.pg_stat_statements FROM test_role; Expectedly, the error still mentions initial privileges: role "test_role" cannot be dropped because some objects depend on it DETAIL: initial privileges for view pg_stat_statements_info initial privileges for view pg_stat_statements I haven't been able to find much information on initial privileges and how to manage them. I know that "REASSIGN OWNED BY" doesn't touch them, but "DROP OWNED BY" does, but I'm a bit worried that DROP can remove other non-ACL stuff that was actually created by the role. I have come up with a solution that lets me clean up the initial privileges, by repacking pg_init_privs.initprivs and and manually removing stuff from pg_shdepends, but it feels super hacky: UPDATE pg_init_privs -- repacks ['postgres=arwdDxtm/postgres', 'test_role=r/postgres', '=r/postgres'] -- into ['postgres=arwdDxtm/postgres', '=r/postgres'] SET initprivs = ( SELECT array_agg(aclitem) FROM ( SELECT makeaclitem( ip.grantee, ip.grantor, string_agg(ip.privilege_type, ','), ip.is_grantable ) as aclitem FROM aclexplode(initprivs) AS ip WHERE ip.grantee != (SELECT oid FROM pg_roles WHERE rolname = 'test_role') GROUP BY ip.grantor, ip.grantee, ip.is_grantable ) AS aclitems ) WHERE privtype = 'e' AND EXISTS ( SELECT 1 FROM aclexplode(initprivs) AS ip WHERE ip.grantee = (SELECT oid FROM pg_roles WHERE rolname = 'test_role') ); DELETE FROM pg_shdepend WHERE deptype = 'i' AND refclassid = 'pg_authid'::regclass AND refobjid = (SELECT oid FROM pg_roles WHERE rolname = 'test_role') So my questions are: - Am I doing something with the initial role configuration? - Is there a SQL command to drop the initial privileges safely? - If not, should there be one? Thanks!