Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1up8Aj-00HBoa-2d for pgsql-general@arkaria.postgresql.org; Thu, 21 Aug 2025 16:29:54 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1up8Ah-00HXRZ-Es for pgsql-general@arkaria.postgresql.org; Thu, 21 Aug 2025 16:29:52 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1up8Ah-00HXRR-43 for pgsql-general@lists.postgresql.org; Thu, 21 Aug 2025 16:29:51 +0000 Received: from mail-ot1-x335.google.com ([2607:f8b0:4864:20::335]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1up8Af-0017Y2-0n for pgsql-general@lists.postgresql.org; Thu, 21 Aug 2025 16:29:51 +0000 Received: by mail-ot1-x335.google.com with SMTP id 46e09a7af769-74381df0c04so631882a34.0 for ; Thu, 21 Aug 2025 09:29:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1755793787; x=1756398587; darn=lists.postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=DchTjPfAU5e4fiCCdzBaXy89/styGsgUoE9v2rpm44s=; b=R5dYwaLsxuXGgFt7m3IrdW+d4pgCZBDZawvE1ubCj7/NxgK3F0HNLNgFcL4hQDUkOJ woQGVBZRSkekJutjOEnY/a6Tdbi2KmmA9hb7lFrJz7aJe9uc0fFsYHQYxaDwN7B1apVb ZMYina79Smw9lFg/G7gn3u/CwI7BHjC3XQ5Lrj2cDh5PRG/UU7yz1xt4GM8Q3jIAnDYW 7x8YqBr2ng/JuKsrIoLDOFntCZ/AYlWYDDZn2aeLpwv0j14zwkOujyOOHmxKWPtM/eUC FEuxOwjJ/M1Z+aQrAsSKUg/6FtCB889kBvmi1DNVw7wMbk/DiPSrY9aXIpjNybQS8Zak gQpA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1755793787; x=1756398587; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DchTjPfAU5e4fiCCdzBaXy89/styGsgUoE9v2rpm44s=; b=kESRwcqtjRs3cvA004PUjLlwKO2ttYo/F1zS+7V3DlwepTRTYe5V6nqhBcs//23OUu qLc4NEs9eoKLCz3sr8KsYnv+73EjnDtpbLI2tSaWszscGjY41qDmPuOHDclKlBYINYUr dCr7SNo1Jr7sHyz4WDXgR8AsC/8kmDBKvRn4c/ucfzZbWwUqedl32wnCJklNT0VxSie4 hKAriSJsmCC5HrjyxmDGOVrSi92aSD0MaJJULjMKHdnJ4p/BO25dnuE3u3Bpb6umfv2e AXvylz6+FIfM2Eig8GMSL2BqTF7JoeO75qlUlr1kM/IA1Rl+AqsTX/5sGBan6m61owBj MtXQ== X-Forwarded-Encrypted: i=1; AJvYcCXWpVmaplZsD8IX4y6aQO2i1nYtB1Q6jE58qvbif9jjtScWXd0+iXxmpgo6uY//kD4SR4rJ4ZHRFMzlB3UM@lists.postgresql.org X-Gm-Message-State: AOJu0Yw3L6meQIL0TPvCMiN4KRNwLZCOKkQ6teIsO/EkD6f8MENnL+bf DLxBPO1MH/SzLT/lv/w6yk9Z220+F6CE+oB6YO5JCHWPrQ2S1mGCXQO4LKJCi4oVF684UVzrVC7 fiD/9F7SVzoZtsII/VoOvWixbstNsnXIvPYf0 X-Gm-Gg: ASbGnctF3x8IEVmlcXLgYX1awlyOi6DUT9l9IvWj9qjgPB8XyMEA5eILSRTHSI3ID0B x6rmOtQ8bBHp3nnBNE7Z9FHDcIM9FUOtlkgbCNgImt6X2ed71UnLhSDOMCgFOUHaHysui8yQUVP P6v4CHnTQsD9dbQpqDYdQ9+ekQkqS1Rm9E3j3u8w/x6xxeLZR0Q7yuiZG1UB2COyO90wCYvqVUB uzw3o2XBIKd2PCrWtvw X-Google-Smtp-Source: AGHT+IEP2d8YjkuAmaEnv9q3KFp3oq1IHUWXWD/B9GjfCtpuvXh5EdrPRP9XyD96ELbava4RR1o4G8Z/LMC8DopIU4E= X-Received: by 2002:a05:6808:508b:b0:435:7445:9b54 with SMTP id 5614622812f47-43785272d3fmr51665b6e.7.1755793787199; Thu, 21 Aug 2025 09:29:47 -0700 (PDT) MIME-Version: 1.0 References: <3662a9b9-3e58-4977-8bd1-e1ed0e25b2a8@aklaver.com> In-Reply-To: From: Dominique Devienne Date: Thu, 21 Aug 2025 18:29:36 +0200 X-Gm-Features: Ac12FXwgYgjhGgPFcnkxln_S93a3O25EqvShTTZScXJV8muXfo-Uz5xRUBCtG-U Message-ID: Subject: Re: Q: GRANT ... WITH ADMIN on PG 17 To: Karsten Hilbert Cc: Adrian Klaver , pgsql-general@lists.postgresql.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Thu, Aug 21, 2025 at 6:00=E2=80=AFPM Karsten Hilbert wrote: > Am Thu, Aug 21, 2025 at 08:46:00AM -0700 schrieb Adrian Klaver: > > https://rhaas.blogspot.com/2023/01/surviving-without-superuser-coming-t= o.html > > Thanks, I did, but did not find the answer to: Is there a > way for a role that can manage membership in a group role to > not itself be a member of that group role ? Yes and no. Depends what you mean by MEMBER... You can be ADMIN of a ROLE, yet not have SET or INHERIT on that ROLE. As ADMIN you can grant yourself those SET and INHERIT, sure. But still, with only ADMIN, you can't SET ROLE. So are you a MEMBER? In the pg_has_role(), you are. In reality, not so much. In fact, I argued (after the fact it broke my architecture, introducing cyc= les) that have just ADMIN shouldn't have considered it a MEMBER of the role. But that ship had sailed already. 1 year later, we're finally catching up. I truly hope v18 won't reserve us similar backward-compatibility breaks. Read the docs for pg_auth_members. pg_has_role(). create role. If you have CREATEROLE, and do a CREATE ROLE foo, you'll have ADMIN on foo, but not SET or INHERIT (but you can grant them to yourse= lf). Also look at pg_auth_members.grantor::regrole::text and you'll see that the postgres SUPERUSER itself gave you that ADMIN grant. But if you grant yours= elf the role, it's a separate pg_auth_members row, and you're now the grantor. So I didn't spend time studying your specific use case. That's your job :). But given my painful experience of the past year, I'd answer yes to your question, on logical grounds. If you see what I mean. --DD