MIME-Version: 1.0
References: <CAERznn-QWVpAvqnyF=rZfiuxkeDG0tym_rY+RuEkSPWvzgi67Q@mail.gmail.com>
 <ca3fe7b5-2399-4537-bba4-cd000907bda7@postgrespro.ru>
In-Reply-To: <ca3fe7b5-2399-4537-bba4-cd000907bda7@postgrespro.ru>
From: immerrr again <immerrr@gmail.com>
Date: Wed, 26 Nov 2025 00:00:02 +0100
Message-ID: <CAERznn-SBBqQ3YcdZk9U4mqVQPsVgLisi=EdFzY5Fb7hOQ4g_Q@mail.gmail.com>
Subject: Re: DROP ROLE blocked by pg_init_privs
To: Pavel Luzanov <p.luzanov@postgrespro.ru>
Cc: pgsql-general@lists.postgresql.org
Content-Type: multipart/alternative; boundary="0000000000000dccf80644733ec3"
Archived-At: <https://www.postgresql.org/message-id/CAERznn-SBBqQ3YcdZk9U4mqVQPsVgLisi%3DEdFzY5Fb7hOQ4g_Q%40mail.gmail.com>
Precedence: bulk

--0000000000000dccf80644733ec3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

Thank you for replying. Great to know about pg_read_all_data, will have a
look at that.

Re: it works, not sure, can't make it work on my side. Here's a full repro:

[nix-shell:~]$ docker run --rm -ti -p 5555:5432 -e
POSTGRES_PASSWORD=3Dpg_test_init_privs --name pg_test_init_privs -d
postgres:16.9
ae9fe66613867d4db6019bbc0806ef57b5bf7e8b83b10ee0dbb422c2d146d701

[nix-shell:~]$ psql postgres://postgres:pg_test_init_privs@localhost:5555
<<EOF
CREATE ROLE test_role;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO test_role;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO
test_role;
CREATE EXTENSION pg_stat_statements;
DROP ROLE test_role;
EOF

CREATE ROLE
GRANT
ALTER DEFAULT PRIVILEGES
CREATE EXTENSION
ERROR:  role "test_role" cannot be dropped because some objects depend on i=
t
DETAIL:  privileges for default privileges on new relations belonging to
role postgres in schema public
privileges for view pg_stat_statements_info
privileges for view pg_stat_statements

Is there some difference in the configuration that I'm not accounting for?

Thanks


On Tue, Nov 25, 2025 at 11:49=E2=80=AFPM Pavel Luzanov <p.luzanov@postgresp=
ro.ru>
wrote:

> Hi
>
> On 24.11.2025 18:59, immerrr again wrote:
>
> First time trying to configure a PG cluster by the book, I want to create=
 a
> role with read permissions on all current and future tables in the curren=
t
> db. It looks smth like this
>
> CREATE ROLE test_role;
> GRANT SELECT ON ALL TABLES IN SCHEMA public TO test_role;
> ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO test_=
role;
>
> I've been trying out different scenarios for the future, and currently ha=
ving
> a problem when trying to remove "test_role" after adding an extension.
>
>
> Hm, I have checked your example, it works as expected:
>
> postgres@postgres(16.9)=3D# CREATE ROLE test_role;
> CREATE ROLE
> postgres@postgres(16.9)=3D# GRANT SELECT ON ALL TABLES IN SCHEMA public T=
O
> test_role;
> GRANT
> postgres@postgres(16.9)=3D# ALTER DEFAULT PRIVILEGES IN SCHEMA public GRA=
NT
> SELECT ON TABLES TO test_role;
> ALTER DEFAULT PRIVILEGES
> postgres@postgres(16.9)=3D# CREATE EXTENSION pg_stat_statements;
> CREATE EXTENSION
>
> postgres@postgres(16.9)=3D# REVOKE SELECT ON ALL TABLES IN SCHEMA public
> FROM test_role;
> REVOKE
> postgres@postgres(16.9)=3D# ALTER DEFAULT PRIVILEGES IN SCHEMA public
> REVOKE SELECT ON TABLES FROM test_role;
> ALTER DEFAULT PRIVILEGES
> postgres@postgres(16.9)=3D# DROP ROLE test_role;
> DROP ROLE
> postgres@postgres(16.9)=3D# DROP EXTENSION pg_stat_statements;
> DROP EXTENSION
>
> In any case, since v14 you can use the predefined role pg_read_all_data.
>
> --
> Pavel Luzanov
> Postgres Professional: https://postgrespro.com
>
>
>

--0000000000000dccf80644733ec3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi,<br><br>Thank you for replying. Great to know about pg_=
read_all_data, will have a look at that.=C2=A0<div><br></div><div>Re: it wo=
rks, not sure, can&#39;t make it work on my side. Here&#39;s a full repro:<=
br><br><font face=3D"monospace" size=3D"1">[nix-shell:~]$ docker run --rm -=
ti -p 5555:5432 -e POSTGRES_PASSWORD=3Dpg_test_init_privs --name pg_test_in=
it_privs -d postgres:16.9<br>ae9fe66613867d4db6019bbc0806ef57b5bf7e8b83b10e=
e0dbb422c2d146d701<br><br>[nix-shell:~]$ psql postgres://postgres:pg_test_i=
nit_privs@localhost:5555 &lt;&lt;EOF<br>CREATE ROLE test_role;<br>GRANT SEL=
ECT ON ALL TABLES IN SCHEMA public TO test_role;<br>ALTER DEFAULT PRIVILEGE=
S IN SCHEMA public GRANT SELECT ON TABLES TO test_role;<br>CREATE EXTENSION=
 pg_stat_statements;<br>DROP ROLE test_role;<br>EOF</font><div><font face=
=3D"monospace" size=3D"1"><br>CREATE ROLE<br>GRANT<br>ALTER DEFAULT PRIVILE=
GES<br>CREATE EXTENSION<br>ERROR: =C2=A0role &quot;test_role&quot; cannot b=
e dropped because some objects depend on it<br>DETAIL: =C2=A0privileges for=
 default privileges on new relations belonging to role postgres in schema p=
ublic<br>privileges for view pg_stat_statements_info<br>privileges for view=
 pg_stat_statements</font><br><br></div></div><div>Is there some difference=
 in the configuration that I&#39;m not accounting for?</div><div><br></div>=
<div>Thanks</div></div><br><br><div class=3D"gmail_quote gmail_quote_contai=
ner"><div dir=3D"ltr" class=3D"gmail_attr">On Tue, Nov 25, 2025 at 11:49=E2=
=80=AFPM Pavel Luzanov &lt;<a href=3D"mailto:p.luzanov@postgrespro.ru">p.lu=
zanov@postgrespro.ru</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quo=
te" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204=
);padding-left:1ex"><u></u>

 =20
   =20
 =20
  <div>
    <font size=3D"2">Hi</font><br>
    <br>
    <div>On 24.11.2025 18:59, immerrr again
      wrote:<span style=3D"white-space:pre-wrap">
</span></div>
    <blockquote type=3D"cite">
      <pre>First time trying to configure a PG cluster by the book, I want =
to create a
role with read permissions on all current and future tables in the current
db. It looks smth like this

CREATE ROLE test_role;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO test_role;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO test_ro=
le;

I&#39;ve been trying out different scenarios for the future, and currently =
having
a problem when trying to remove &quot;test_role&quot; after adding an exten=
sion.</pre>
    </blockquote>
    <br>
    <pre cols=3D"72"></pre>
    Hm, I have checked your example, it works as expected:<br>
    <br>
    <font face=3D"monospace">postgres@postgres(16.9)=3D# CREATE ROLE
      test_role;<br>
      CREATE ROLE<br>
      postgres@postgres(16.9)=3D# GRANT SELECT ON ALL TABLES IN SCHEMA
      public TO test_role;<br>
      GRANT<br>
      postgres@postgres(16.9)=3D# ALTER DEFAULT PRIVILEGES IN SCHEMA
      public GRANT SELECT ON TABLES TO test_role;<br>
      ALTER DEFAULT PRIVILEGES<br>
      postgres@postgres(16.9)=3D# CREATE EXTENSION pg_stat_statements;<br>
      CREATE EXTENSION<br>
      <br>
      postgres@postgres(16.9)=3D# REVOKE SELECT ON ALL TABLES IN SCHEMA
      public FROM test_role;<br>
      REVOKE<br>
      postgres@postgres(16.9)=3D# ALTER DEFAULT PRIVILEGES IN SCHEMA
      public REVOKE SELECT ON TABLES FROM test_role;<br>
      ALTER DEFAULT PRIVILEGES<br>
      postgres@postgres(16.9)=3D# DROP ROLE test_role;<br>
      DROP ROLE<br>
      postgres@postgres(16.9)=3D# DROP EXTENSION pg_stat_statements;<br>
      DROP EXTENSION<br>
    </font><br>
    In any case, since v14 you can use the predefined role
    pg_read_all_data.<br>
    <pre cols=3D"72">--=20
Pavel Luzanov
Postgres Professional: <a href=3D"https://postgrespro.com" target=3D"_blank=
">https://postgrespro.com</a></pre>
    <br>
  </div>

</blockquote></div>

--0000000000000dccf80644733ec3--