Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ssia8-00ANHp-31 for pgsql-general@arkaria.postgresql.org; Mon, 23 Sep 2024 12:54:24 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1ssia6-008LAu-Ey for pgsql-general@arkaria.postgresql.org; Mon, 23 Sep 2024 12:54:22 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1ssia6-008LAl-2Q for pgsql-general@lists.postgresql.org; Mon, 23 Sep 2024 12:54:22 +0000 Received: from mail-lf1-x12e.google.com ([2a00:1450:4864:20::12e]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1ssia1-000fUI-Ng for pgsql-general@postgresql.org; Mon, 23 Sep 2024 12:54:21 +0000 Received: by mail-lf1-x12e.google.com with SMTP id 2adb3069b0e04-53653ff0251so4689421e87.0 for ; Mon, 23 Sep 2024 05:54:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1727096058; x=1727700858; darn=postgresql.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=SzNNxvtSXWKh4sTlBxLWmsOIXS7K7CSiuR4pKugrqsc=; b=j3J4wd4iXgNPP2lvg0sacPqZmTzBCJK5pvO1Dvab/9iuIALcmh6e1oVcv62NH+XHGw FfJ5WNZE5q7DcCZbWxgcvh1LFjcLgqP7xclwKCYjECJ6g9vtP8VH8KabK88V9linCSY1 dZ9PdAA9G4OHJnSDz5JuX+wuTfglwsKiHQ2kFqc5AwwGscj00fgQdjfLFmRuHqAE7GIe WO0C3Dwaoh1XKjhvzsiE8qa3z2SapBQ+zgfAcZy+ig9KIJUYC3PHBl1M436JhWKTmxTx QaY0r80Cds41ip+elW+icCE56uVvsLy54DjQ9Npt/b83EMtvrSylcI97ngxG/P82azkV Rsng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727096058; x=1727700858; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=SzNNxvtSXWKh4sTlBxLWmsOIXS7K7CSiuR4pKugrqsc=; b=t/YLRUlZA6m225ndwirr6t0koPtwOJtdLcpEO8WaldVndl5NJlJf0R5xmPapuq+08U N8HhBepqjbBuhq6tlGBiSkuS9m9jeWbbHj3hy5MZpIrwx1CjdI+zGPrxlSA3Z9+kcqKH 9qmj0S56B/Y/d7CqrDcltj18xDrqbonRMwtrAj9Z+RAxXRXIp2GxoYWCyD0+qEkSOidC zahXvLJWinSODMBrwyPQ7TlSoZgYHrgerZny7QNX3aAsBiH1qXj8yBseo1nhDUaG1FFe 8MEUQYy9Y4/omd0EWEvfUyJmNafWLpNK057A1CZmoRnlsUZ+uzClXCiFJMMo17rNvd2d QEnQ== X-Forwarded-Encrypted: i=1; AJvYcCVyjIEA1B9ckwr/U1k1adjmDOBib5N/7RyAD18tM/Z3Tx0OeJzrhrVUY9WrfGJ3vbxsNemxA53b5kNChkUC@postgresql.org X-Gm-Message-State: AOJu0YzB5Ro1w6svmmcQX24jPLwXj8kNtL1fmffSMncJQFvKxwMruzbY QS6jsh6gK76N3Xo6JJzIMRRe2MYoymemfD1rbxeDTIbJ98Ml2pynW2PKODUbAURwfEyTptrvlBm PTBO/y3NYNPgELOY0XlXvzm2ye+U= X-Google-Smtp-Source: AGHT+IFiBB8Ow9MZRR6bKn0n6cNAfoLTDWqlifXqeSBJrPp7z6aqOV+XlF49XQUsWAzkJipel7n75cz0GoruxqNY8qY= X-Received: by 2002:a05:6512:220d:b0:533:4820:275a with SMTP id 2adb3069b0e04-536ac341138mr5351390e87.52.1727096057592; Mon, 23 Sep 2024 05:54:17 -0700 (PDT) MIME-Version: 1.0 References: <42cf78d42a376bf05ca9f5776ad29edc30e784d5.camel@cybertec.at> In-Reply-To: From: Dominique Devienne Date: Mon, 23 Sep 2024 14:54:03 +0200 Message-ID: Subject: Re: Why no pg_has_role(..., 'ADMIN')? To: Robert Haas Cc: Laurenz Albe , pgsql-general@postgresql.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On Fri, Sep 20, 2024 at 6:51=E2=80=AFPM Robert Haas = wrote: > On Fri, Sep 20, 2024 at 12:37=E2=80=AFPM Laurenz Albe wrote: > > That would be a useful addition, yes. > > I think this already exists. The full list of modes supported by > pg_has_role() is listed in convert_role_priv_string(). You can do > something like pg_has_role('alice', 'USAGE WITH ADMIN OPTION'). This > is not new: it worked in older releases too, but AFAIK it's never been > mentioned in the documentation. Thanks. Now that you mention it, and with Tom's message, I now recall seeing it before indeed. Just not close enough to pg_has_role() "immediate" doc, to notice it. > However, the precise rule for DROP ROLE in v16+ is not just that you > need to have ADMIN OPTION on the role. The rule is: > 1. You must have ADMIN OPTION on the target role. Easy now, thanks to your reminder. > 2. You must also have CREATEROLE. That's easy to check, and I already do, in fact. > 3. If the target role is SUPERUSER, you must be SUPERUSER. Doesn't apply in my case, most of the time, but also easy to check, and I already do in fact. > If I'm not wrong, pg_has_role(..., 'USAGE WITH ADMIN OPTION') will > test #1 for you, but not #2 or #3. It's perfect for what I want to do. Thanks again, --DD PS: I'm found [an old thread][1] from you around pg_has_role() and 'WITH ADMIN OPTION', but I'm not sure there was any resolution on that. Was the weirdness fixed? [1]: https://www.postgresql.org/message-id/flat/CA%2BTgmoYg6_j1brUcYWXwF4fR= %3DTOWpED%3DXj1QMSgKCi0%2Bh1dgjA%40mail.gmail.com