Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1u4LdW-000yse-Hf
	for pgsql-general@arkaria.postgresql.org; Mon, 14 Apr 2025 15:22:14 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1u4LdU-002BgX-S6
	for pgsql-general@arkaria.postgresql.org; Mon, 14 Apr 2025 15:22:13 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <ddevienne@gmail.com>)
	id 1u4LdU-002Bfa-H2
	for pgsql-general@lists.postgresql.org; Mon, 14 Apr 2025 15:22:13 +0000
Received: from mail-oi1-x22c.google.com ([2607:f8b0:4864:20::22c])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.96)
	(envelope-from <ddevienne@gmail.com>)
	id 1u4LdS-0003Kc-0U
	for pgsql-general@lists.postgresql.org;
	Mon, 14 Apr 2025 15:22:12 +0000
Received: by mail-oi1-x22c.google.com with SMTP id 5614622812f47-3f8ae3ed8adso2575778b6e.3
        for <pgsql-general@lists.postgresql.org>; Mon, 14 Apr 2025 08:22:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1744644129; x=1745248929; darn=lists.postgresql.org;
        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject
         :date:message-id:reply-to;
        bh=GcQ8lbXzuw8oUabXmBciuUsb1Y92tx3+nLfbUOpVomg=;
        b=akjUTfHI6Q5+Lqtax/pUCbOKujpQlo2rSCyS+qwp/mMi0ShVmluS9SYeR9D4wFJNIi
         CBM1w2TMlFIftj2jBu5ubn7UahnRAytuLCs7hyH7O94tNFKRAnpztDx+G3Pffxssiwny
         EiE5obE+AcR/f9YqPQTmYAgdSd3OiSJcxoLlDF71QNleJ70/EdS34/A33tPMVRQA84TY
         KiYO8kRfhUiDcE7jDOL8NZBDHWUgyIxhoZzRYYfrqKdibw5iF8+oDiGCtr/Rzz30kt+s
         ukF1vkZi+rmc4xgs3QuWj8JJ61qEH7O+3YcckCFpuWGEwYps/E3J2njdDJjbUiwo5hFx
         sEXg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1744644129; x=1745248929;
        h=to:subject:message-id:date:from:mime-version:x-gm-message-state
         :from:to:cc:subject:date:message-id:reply-to;
        bh=GcQ8lbXzuw8oUabXmBciuUsb1Y92tx3+nLfbUOpVomg=;
        b=IEVxBQxNPJDgJKDqlRkDbG70wL+0+HYcAl+9EXp2NCGBkeKAv+riVZwGszhYHqPKIb
         IREHs05xMg2A9D1jUxalW4uWBR98U/g7YAbNLn9TmzsKrwt7BTtgV+jsSiU5SVkEDQlX
         +TePRzYImyyiVPQngTzh/6nGDy+re5ym6oG/MaU6Kt6Bl0jtiZx3BdAZwNgH1o9JvY1P
         yC9yS0airJswuIjBCV3YIkw12bedyt2yAJq83TgTgzYsNfLbRZ9GCDyJDwhxnvB7Vbv6
         VFsVynWZOPXeOaBd2xJXquC//aFtfPl9rQvoxIJlgiSBsFYZotz4AdTaY6EPD0ZXJFV0
         6CQA==
X-Gm-Message-State: AOJu0YxJJAcStAV7TmEa/UdeIXRXQqdJzewRxZHiySjG27+IONGsHA6j
	gLATxHnIb8HPQkJ/H1SkyX/geSMcBIHFIygq+3As3M30uCWCQ3dfd59oOExA15HHPlmhyBqjFDT
	d5Fl3RHaHKqVaUWzY2/Xh85wvT/cSW5W4
X-Gm-Gg: ASbGncs96jX6I+pel1Os069G1g30gLbpdk2Zv28FR9SMmCJGaIbsm6ItfMwxcqph9sF
	fRWbbqppizxHa85orsHp8MuxsES5glb74YkGL5FPlMu+xz/K+Yuq4N+3qJt/JrstiSjueP1KNY0
	6GbsDHwuO23s4AZ6ESbRZUNARV
X-Google-Smtp-Source: AGHT+IFLqcpxI25vgY4XtytrsaCAR3Yimed+foVGazja+RuTFveLPiQTuMMctdm/ZndLCV1279y7sozv1bKwrpKvEwg=
X-Received: by 2002:a05:6808:2183:b0:3f9:a187:1f8e with SMTP id
 5614622812f47-400850df744mr7602776b6e.29.1744644128878; Mon, 14 Apr 2025
 08:22:08 -0700 (PDT)
MIME-Version: 1.0
From: Dominique Devienne <ddevienne@gmail.com>
Date: Mon, 14 Apr 2025 17:21:40 +0200
X-Gm-Features: ATxdqUHlfhoah7JloU49oV9AEmkC8vsAK3rnsuV3xnN71SWiU_lkZVwrESyOcxk
Message-ID: <CAFCRh-_z9V1hHgQ5kvZOKhQKA16YGR-8oPSyikTqbO=ZysCN1g@mail.gmail.com>
Subject: CREATE SCHEMA AUTHORIZATION and ALTER SCHEMA OWNER TO
To: pgsql-general@lists.postgresql.org
Content-Type: text/plain; charset="UTF-8"
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/CAFCRh-_z9V1hHgQ5kvZOKhQKA16YGR-8oPSyikTqbO%3DZysCN1g%40mail.gmail.com>
Precedence: bulk

Hi. I'm on v16+.
The DB owner ROLE has CREATEROLE, and obviously CREATE on the DB.
So it can both CREATE SCHEMA, and CREATE ROLE.
Yet it cannot CREATE SCHEMA AUTHORIZATION, and gets an

ERROR:  must be able to SET ROLE "..."

Yet because this is v16+, thus the DB owner has ADMIN OPTION on the
ROLEs is created,
so it can grant itself those ROLEs, to be able to CREATE SCHEMA AUTHORIZATION.

acme=> create schema "PRJ1" authorization "OWNER1";
ERROR:  must be able to SET ROLE "OWNER1"
acme=> grant "OWNER1" to current_role;
GRANT ROLE
acme=> create schema "PRJ1" authorization "OWNER1";
CREATE SCHEMA

So basically, admin_option trumps set_option in this case.
So shouldn't admin_option be enough to create schemas on behalf of
roles one created?
Is this one of those things to got overlooked when v16 "tightened" CREATEROLE?

It's a PITA to have to be a MEMBER of the role one wants to create
schemas on behalf of.
Could the rules of CREATE SCHEMA AUTHORIZATION be relaxed a little?

On a related subject, ALTER SCHEMA OWNER TO mentions the new owner
must have CREATE on the database. Why? Seems like the owner set via
CREATE SCHEMA AUTHORIZATION does not have that requirement, so why
would it be any different from ALTER SCHEMA OWNER TO? Isn't it the
whole point of allowing some roles who lack CREATE on the DB to own
schemas, but delegating the creation (via SECURITY DEFINER procs for
example) to ROLEs you can create those schemas?

Thanks for insights on this. --DD