Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uqWSp-007qrs-6c for pgsql-general@arkaria.postgresql.org; Mon, 25 Aug 2025 12:38:20 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1uqWSo-00974I-62 for pgsql-general@arkaria.postgresql.org; Mon, 25 Aug 2025 12:38:18 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1uqWSn-009749-PQ for pgsql-general@lists.postgresql.org; Mon, 25 Aug 2025 12:38:18 +0000 Received: from mail-oi1-x22a.google.com ([2607:f8b0:4864:20::22a]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1uqWSl-001lDb-37 for pgsql-general@lists.postgresql.org; Mon, 25 Aug 2025 12:38:17 +0000 Received: by mail-oi1-x22a.google.com with SMTP id 5614622812f47-437b9db57d6so77297b6e.0 for ; Mon, 25 Aug 2025 05:38:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1756125494; x=1756730294; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Ot2a/HEHTKTrc46/Pk32hLg8Vl/z/rC4FrngInTgUBI=; b=lljhxusG4qQ/Qf1kPj6CMZhocuq60jj/PEOhN4IT5ISWtztHHygjAsN0VArO3oknwU C6ugkKIpxMGk845Ar4HeGqSvLR9FVAsJy7d9bV7xoNcFrZYvdcH/MtQyhWqoBXura8nv vfiX9qUH4hVi79H3CNSWqIY4jTHIpxKaaNuZ1oiMhaONP6vmEjv4AaXLykXadITZ8dZr MTX5RArKvLQqa1nX4JPW0gTzDv/16IQa4T95EVXLSWi7X4gyuEd+b3f7fWVddLSUAiNr qtfPxpUdq3J5Zf0726ZbU+fwnCtjD0fev3B8lNRugEnh/8h6o/exlxWJuC6BGkExuNaZ BPJA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1756125494; x=1756730294; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ot2a/HEHTKTrc46/Pk32hLg8Vl/z/rC4FrngInTgUBI=; b=St796uOtbp8sRX7oOrcnklJvLD+1J8uuls2slSIQY1gu7u3LhVCYp2pXWWxZp8yCbv vy9RBERiqog0EUVwJyXdMqaHF2mlLwx9oPP9w/uyyD3NC4ZRcEtFPcvKRAfy8H+fWYrx +UIgUrXzWbE1voju6zLU6O4eY8e/kJa5jkGAMtknlyUo6Ct9iC42nznROlQk7dnxQCHy U87z43tdjJwHmeaDV5yb4EkCBTBFbcj7bfWWhXF71VfK+7q7TdnkdRebfapWixuuWZHI /ABbOxwSDLGys/eYm24f7t2y8lYJpZvVU6+FqaHyIhZX4G+sL6DbtxWo6tSPIet4j+2I Czcw== X-Forwarded-Encrypted: i=1; AJvYcCXN25q4+TWBoeVvxn0rLoJtDtdxzHuthQ3Uk0WVcKEf95dJCUxYvEDJLAXari4Mdl6kgbG2dQsKeZTOQc5F@lists.postgresql.org X-Gm-Message-State: AOJu0YzIfgPKBzQyC8g2AfGA3Xmlvab/Mmq5P1ed+YPgFUHdJ8QHk0Lw dQTH6NHTjVOCaCDuO68++BNwSv+Cn4BLQ+PuORTJ0qYul4PIudf+9oFle1BdeVGdS13R8UUcZ4R qECgbxA+FBLCvdRcThVHLjRLMIS7z/MnxCg== X-Gm-Gg: ASbGnctTjOvkoGi+XY39l2oWvDh7C5s1tGY6fnClG07OAGRfMT/fd78PK53uwLTSoUi Micma6HW9CFTsZTC92p3iPd9SGa+6lzQp3fZjoSHunRZ5OvZyLJfiwgMk9WX8UenaGogcTnj7LO ZOtaJ4JDzbRvvDn+on/kVuJB5bLOjsv1s3/31OONBvtrFmcgcTgFPwe64DsdVjGiMR/VXRj8Vrt OfoFiF1sWQUW6D9mP3b X-Google-Smtp-Source: AGHT+IHev38iSMKi+cu3lfyx5xRLOmZjghq/XPMDTmQycYBSRaFB2FS/EE2gKmwBRCJau89a4OzUpAXgYW2XTtQAVqg= X-Received: by 2002:a05:6808:3305:b0:437:75ea:6c76 with SMTP id 5614622812f47-4377db5eeeamr6548863b6e.25.1756125493618; Mon, 25 Aug 2025 05:38:13 -0700 (PDT) MIME-Version: 1.0 References: <03be331512b0a52423b86e70018b39b5d2966f52.camel@cybertec.at> In-Reply-To: From: Dominique Devienne Date: Mon, 25 Aug 2025 14:38:02 +0200 X-Gm-Features: Ac12FXwb4G2johnyFbBcyBELxsAFcNbMlu5tl1Rk5fftLA9MXRs9ZXwKIzUEYDw Message-ID: Subject: Re: Q: GRANT ... WITH ADMIN on PG 17 To: Pavel Luzanov Cc: Laurenz Albe , Karsten Hilbert , pgsql-general@lists.postgresql.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Mon, Aug 25, 2025 at 2:22=E2=80=AFPM Pavel Luzanov wrote: >> On 22.08.2025 11:40, Laurenz Albe wrote: >> Yes, that should work as follows: [...] > [...] A safer option is to use security definer function to grant members= hip FWIW, it's basically what I did. My primary "admin" application role lost CREATEROLE, and instead gained EXECUTE on security-definer procs from a new lower-level role (with CREATEROLE), in a new separate schema, which does all create/drop roles or grant/revoke DDLs. Which has the added benefits to enforce naming conventions for roles, to enforce grants are only between our "per-DB" roles, and made it easy to generate an audit-log for all those DDLs. So the v16 ROLE changes created a BIG MESS for us, slowing us down quite a bit, but we ended up with a much better "v2" architecture, so it was not all a loss... YMMV. So +1 to Pavel. --DD