Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1soOvY-00AzFj-0n for pgsql-general@arkaria.postgresql.org; Wed, 11 Sep 2024 15:06:41 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1soOvX-00297r-Lr for pgsql-general@arkaria.postgresql.org; Wed, 11 Sep 2024 15:06:39 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1soOvX-00297j-9v for pgsql-general@lists.postgresql.org; Wed, 11 Sep 2024 15:06:39 +0000 Received: from mail-oa1-x33.google.com ([2001:4860:4864:20::33]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1soOvU-000eXN-Ac for pgsql-general@lists.postgresql.org; Wed, 11 Sep 2024 15:06:37 +0000 Received: by mail-oa1-x33.google.com with SMTP id 586e51a60fabf-277c861d9f6so3703527fac.2 for ; Wed, 11 Sep 2024 08:06:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1726067195; x=1726671995; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/qg08eOSiFy/KYzyvTXin2PQa8X4+cZHhyaEVEne/MU=; b=RzwhA1kohEiOSJB6Nx8qVhTNVRXGJT5oU/ZUeUd5ZOa0J+AQVi6aOsSoxWPZSssVdd Kv8l9dayFLcFXHav/d1Z5EotmKoDR05D9hZwPzIUp+S5NwYDz5hMq+m/0Nm6xNvwloDi 2rLFTlISZrV+MoVSVPfFNsaNED9V2DEaQ+OKa7Jm6+mnevr8RNDJJOYsU1e/x+4qwPX/ rqXtkOXg1rRjHTBnKIfhPl+oalxL1nzaIWKWfsfpI61Le7ANvunPKDN8aJc7cCjhT/C+ I1LvBPp5Eh/dVSWVVRA3PrfWBF/+ciuGovAWf+j+D/Q056kxX9sw1fEgrU5DU4p827N1 44Yw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726067195; x=1726671995; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/qg08eOSiFy/KYzyvTXin2PQa8X4+cZHhyaEVEne/MU=; b=pjEkaaUgfv+BycHftlHqSJ1+LWmEBWA/frrK+6z9bdKEEL6HzU6+WcwXALzuO0FEDO TK96HjiD2Simc8aImOTISjrAEKQYwa1qCArzkC4rnl6Wi8quJ1vM9U+j5lXHRfXwTrIY OcYSmuY81mPiuzTF/5b3a/WifEjRAAtl3j/OyTzwP1gTcSgE9db0m128wdcg9IFvQonM AtDyNwdSwh54da7BQmfX32cGlK2f9NZUv3Q4IW4Jbjg54R+VTclHQntGaxKKt/MlEIg/ ZG/kfK1rpq9PdA9MeLtf0m7ND8VHNlVc/MWybVbB5j/EyPzH34xKEAAqJWEp155FTnor Yn0w== X-Gm-Message-State: AOJu0YxLZH4bZHtAq2/W0fDm/FnCnhNQOoqAZ8sxrltvsA0uL83+elBP Uv05yenPe6q/487Mg8TLKxPkNiNKAF6ZNINOdNz+Z0I9ibgW4NiRkKmAjxfbRtYZbJPUEIugmwF BM6GHMSYRG8wuGDbefAYp2912XTjGMrpy X-Google-Smtp-Source: AGHT+IHACi23eP3XG5Cs05AkZi+27qym1uYMrPHfafUmeNa0r31j2pTR0etnjt2+56uWz0POlcp2EvYc4VhysUbrpkI= X-Received: by 2002:a05:6870:a406:b0:277:e286:88f5 with SMTP id 586e51a60fabf-27b82e59afbmr18311976fac.20.1726067195340; Wed, 11 Sep 2024 08:06:35 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a8a:e0e:0:b0:557:c384:fb61 with HTTP; Wed, 11 Sep 2024 08:06:34 -0700 (PDT) In-Reply-To: References: From: "David G. Johnston" Date: Wed, 11 Sep 2024 08:06:34 -0700 Message-ID: Subject: Re: Backward compat issue with v16 around ROLEs To: Dominique Devienne Cc: "pgsql-general@lists.postgresql.org" Content-Type: multipart/alternative; boundary="000000000000096fcd0621d956de" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --000000000000096fcd0621d956de Content-Type: text/plain; charset="UTF-8" On Wednesday, September 11, 2024, Dominique Devienne wrote: > > on v16: > > D:\pdgm\trunk\psc2>psql service=pau16 > psql (17beta3, server 16.1) > Type "help" for help. > > ddevienne=> create role dd_owner createrole; > CREATE ROLE > ddevienne=> create role dd_admin noinherit; > CREATE ROLE > ddevienne=> grant dd_owner to dd_admin; As the error indicates, this grant needs to be done with admin option. Since the with admin option exists in versions prior to v16 this change should work in all of your deployments. > GRANT ROLE > ddevienne=> set role dd_owner; > ERROR: permission denied to set role "dd_owner" > ddevienne=> grant dd_owner to current_user; > GRANT ROLE > ddevienne=> set role dd_owner; > SET > ddevienne=> create role dd_user; > CREATE ROLE > ddevienne=> grant dd_admin to dd_user; > ERROR: permission denied to grant role "dd_admin" > DETAIL: Only roles with the ADMIN option on role "dd_admin" may grant See comment above. > this role. > ddevienne=> > > David J. --000000000000096fcd0621d956de Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wednesday, September 11, 2024, Dominique Devienne <ddevienne@gmail.com> wrote:

on v16:

D:\pdgm\trunk\psc2>psql service=3Dpau16
psql (17beta3, server 16.1)
Type "help" for help.

ddevienne=3D> create role dd_owner createrole;
CREATE ROLE
ddevienne=3D> create role dd_admin noinherit;
CREATE ROLE
ddevienne=3D> grant dd_owner to dd_admin;

As the error indicates, this grant needs to be done with admin option.

Since the with admin option exists in versions prior= to v16 this change should work in all of your deployments.
=C2= =A0
GRANT ROLE
ddevienne=3D> set role dd_owner;
ERROR:=C2=A0 permission denied to set role "dd_owner"
ddevienne=3D> grant dd_owner to current_user;
GRANT ROLE
ddevienne=3D> set role dd_owner;
SET
ddevienne=3D> create role dd_user;
CREATE ROLE
ddevienne=3D> grant dd_admin to dd_user;
ERROR:=C2=A0 permission denied to grant role "dd_admin"
DETAIL:=C2=A0 Only roles with the ADMIN option on role "dd_admin"= may grant

See comment above.
=C2= =A0
this role.
ddevienne=3D>


David J.
=C2=A0
--000000000000096fcd0621d956de--