From: David G. Johnston <[email protected]>
To: Tom Lane <[email protected]>
Cc: Dominique Devienne <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: DROP ROLE as SUPERUSER
Date: Thu, 20 Feb 2025 09:20:54 -0700
Message-ID: <CAKFQuwa4iiw9zei549ROy1VaWTWT5dM1Ubw9aH7TdmbQS2iiGw@mail.gmail.com>
In-Reply-To: <[email protected]>
References: <CAFCRh-_3+E3-pmdH+i5jUE-8Z1jJWxxdP3EcFjTbHVWM+oEweg@mail.gmail.com>
<CAKFQuwb-pHsxJF22fAp2Vb1jwbQxTVxXhuLzjaocsB5LEUEb5w@mail.gmail.com>
<[email protected]>
On Thu, Feb 20, 2025 at 9:05 AM Tom Lane <[email protected]> wrote:
> "David G. Johnston" <[email protected]> writes:
> > On Thursday, February 20, 2025, Dominique Devienne <[email protected]>
> > wrote:
> >> Hi. Today I was surprised that REVOKE ALL ON DATABASE FROM ROLE silently
> >> did nothing, even with CASCADE, when I was running it as SUPERUSER,
> >> preventing DROP'ing the ROLE. I had to manually SET ROLE to the GRANTOR,
> >> do the REVOKE, which DID something this time, and then I could DROP the
> >> role.
>
> > This has nothing to do with power/permissions. It is about not specifying
> > “granted by” in your SQL command and thus failing to fully and correctly
> > specify the single permission you want to revoke.
>
> It used to be that if a superuser issued GRANT/REVOKE, the operation
> was silently done as the owner of the affected object.
>
That is still the case according to the docs (REVOKE):
"If a superuser chooses to issue a GRANT or REVOKE command, the command is
performed as though it were issued by the owner of the affected object."
The docs seem to be missing reasonable exposition regarding "granted by".
The clause isn't even formally mentioned on the page; though I suppose it
is because it is delegated to the GRANT page specification. Though the
description there says it is basically an ignored compatibility clause -
not something that a superuser can use to make things more explicit than
using SET ROLE (not sure if it can ATM...).
David J.
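
The situation discussed in this thread, as an added example that is not part of the original message: a database privilege granted by a non-owner role, a lookup of the recorded grantor with aclexplode(), and the SET ROLE workaround the original poster described. The role names app_owner, delegator and doomed and the database appdb are hypothetical, and the commented outcomes follow what the thread reports.

```sql
-- Constructed scenario; all role and database names are hypothetical.
-- Run as a superuser, outside a transaction block (CREATE DATABASE requires it).
CREATE ROLE app_owner;
CREATE ROLE delegator;
CREATE ROLE doomed;
CREATE DATABASE appdb OWNER app_owner;

-- The owner delegates CONNECT with grant option; the delegate re-grants it.
SET ROLE app_owner;
GRANT CONNECT ON DATABASE appdb TO delegator WITH GRANT OPTION;
SET ROLE delegator;
GRANT CONNECT ON DATABASE appdb TO doomed;   -- recorded grantor: delegator
RESET ROLE;

-- As superuser the command is performed as the object owner (app_owner).
-- app_owner never granted anything to doomed, so nothing is removed.
REVOKE ALL ON DATABASE appdb FROM doomed;

-- Audit step: list every database ACL entry held by the role, with its grantor.
-- aclexplode() returns (grantor, grantee, privilege_type, is_grantable).
SELECT d.datname,
       a.grantor::regrole AS grantor,
       a.grantee::regrole AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_database AS d
CROSS JOIN LATERAL aclexplode(d.datacl) AS a
WHERE a.grantee = 'doomed'::regrole::oid;

-- Workaround from the thread: become the recorded grantor, then revoke.
SET ROLE delegator;
REVOKE ALL ON DATABASE appdb FROM doomed;
RESET ROLE;

-- With the ACL entry gone, the role no longer has a dependency on appdb.
DROP ROLE doomed;
```

The same aclexplode() lookup can be pointed at other ACL columns (for example pg_class.relacl or pg_namespace.nspacl) when the lingering grant is not on a database.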