Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1vO1rd-006fAy-0A
	for pgsql-general@arkaria.postgresql.org;
	Tue, 25 Nov 2025 22:50:25 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.96)
	(envelope-from <pgsql-general-owner+archive@lists.postgresql.org>)
	id 1vO1qc-00CMNH-0o
	for pgsql-general@arkaria.postgresql.org;
	Tue, 25 Nov 2025 22:49:22 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <p.luzanov@postgrespro.ru>)
	id 1vO1qb-00CMN9-2T
	for pgsql-general@lists.postgresql.org;
	Tue, 25 Nov 2025 22:49:22 +0000
Received: from mail.postgrespro.ru ([93.174.132.70])
	by magus.postgresql.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.96)
	(envelope-from <p.luzanov@postgrespro.ru>)
	id 1vO1qZ-001VAJ-1q
	for pgsql-general@lists.postgresql.org;
	Tue, 25 Nov 2025 22:49:21 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=postgrespro.ru;
	s=mx2023; t=1764110957;
	bh=rXNZRmc2cOexFozU/mVrW1m6fIh9zp83E0nD3MRCB5w=;
	h=Message-ID:Date:User-Agent:Subject:To:References:From:In-Reply-To:
	 From;
	b=s1YmiP6jboMi8+Dc6C70Dqw5qn0W3NN9sL8wGl7AQIsDUBnJKskIeuAbuUXX1tLQl
	 9W3XjFvk2wCRfwg4vYuMq0a1M5usXZsJcgsgDBdEXgnsEnHOoWsYeVkrL75S9Lu2k8
	 X8dFGmekRp5g1SqKwI89vOl1N0QvJ0cjubq3EqoyrKrtvvfdF9JOdiq3UTdYJI8nzD
	 GBYNVOQe5grYQoUQ+vmliN504Mkh3qUOAm8Zm/1XuYx+Uh+zGISDN0PueK03b7nCdy
	 fNZmHp3/Q7rHcfcaKRrbqdqhx3Ps0jRqGR9uFkAcy5AFzSddIm0PMDY3CiJaS0Yq36
	 TqUqFsxFc/nGw==
Received: from [192.168.0.104] (unknown [62.217.186.239])
	(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(Client did not present a certificate)
	(Authenticated sender: p.luzanov@postgrespro.ru)
	by mail.postgrespro.ru (Postfix/587) with ESMTPSA id 93CD3606DB;
	Wed, 26 Nov 2025 01:49:17 +0300 (MSK)
Content-Type: multipart/alternative;
 boundary="------------CREnfVuxnBrIRJLFeylf9fwo"
Message-ID: <ca3fe7b5-2399-4537-bba4-cd000907bda7@postgrespro.ru>
Date: Wed, 26 Nov 2025 01:49:15 +0300
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: DROP ROLE blocked by pg_init_privs
To: immerrr again <immerrr@gmail.com>, pgsql-general@lists.postgresql.org
References: <CAERznn-QWVpAvqnyF=rZfiuxkeDG0tym_rY+RuEkSPWvzgi67Q@mail.gmail.com>
Content-Language: en-US
From: Pavel Luzanov <p.luzanov@postgrespro.ru>
In-Reply-To: <CAERznn-QWVpAvqnyF=rZfiuxkeDG0tym_rY+RuEkSPWvzgi67Q@mail.gmail.com>
X-KSMG-AntiPhishing: NotDetected, bases: 2025/11/25 21:57:00
X-KSMG-AntiSpam-Interceptor-Info: not scanned
X-KSMG-AntiSpam-Status: not scanned, disabled by settings
X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 2.1.0.7854, bases: 2025/11/25 20:07:00 #27973857
X-KSMG-AntiVirus-Status: NotDetected, skipped
X-KSMG-LinksScanning: not scanned, disabled by settings
X-KSMG-Message-Action: skipped
X-KSMG-Rule-ID: 1
List-Id: <pgsql-general.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:pgsql-general@lists.postgresql.org>
List-Owner: <mailto:pgsql-general-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/pgsql-general>
Archived-At: <https://www.postgresql.org/message-id/ca3fe7b5-2399-4537-bba4-cd000907bda7%40postgrespro.ru>
Precedence: bulk

This is a multi-part message in MIME format.
--------------CREnfVuxnBrIRJLFeylf9fwo
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi

On 24.11.2025 18:59, immerrr again wrote:
> First time trying to configure a PG cluster by the book, I want to create a
> role with read permissions on all current and future tables in the current
> db. It looks smth like this
>
> CREATE ROLE test_role;
> GRANT SELECT ON ALL TABLES IN SCHEMA public TO test_role;
> ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO test_role;
>
> I've been trying out different scenarios for the future, and currently having
> a problem when trying to remove "test_role" after adding an extension.

Hm, I have checked your example, it works as expected:

postgres@postgres(16.9)=# CREATE ROLE test_role;
CREATE ROLE
postgres@postgres(16.9)=# GRANT SELECT ON ALL TABLES IN SCHEMA public TO 
test_role;
GRANT
postgres@postgres(16.9)=# ALTER DEFAULT PRIVILEGES IN SCHEMA public 
GRANT SELECT ON TABLES TO test_role;
ALTER DEFAULT PRIVILEGES
postgres@postgres(16.9)=# CREATE EXTENSION pg_stat_statements;
CREATE EXTENSION

postgres@postgres(16.9)=# REVOKE SELECT ON ALL TABLES IN SCHEMA public 
FROM test_role;
REVOKE
postgres@postgres(16.9)=# ALTER DEFAULT PRIVILEGES IN SCHEMA public 
REVOKE SELECT ON TABLES FROM test_role;
ALTER DEFAULT PRIVILEGES
postgres@postgres(16.9)=# DROP ROLE test_role;
DROP ROLE
postgres@postgres(16.9)=# DROP EXTENSION pg_stat_statements;
DROP EXTENSION

In any case, since v14 you can use the predefined role pg_read_all_data.

-- 
Pavel Luzanov
Postgres Professional:https://postgrespro.com


--------------CREnfVuxnBrIRJLFeylf9fwo
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <font size="2">Hi</font><br>
    <br>
    <div class="moz-cite-prefix">On 24.11.2025 18:59, immerrr again
      wrote:<span style="white-space: pre-wrap">
</span></div>
    <blockquote type="cite"
cite="mid:CAERznn-QWVpAvqnyF=rZfiuxkeDG0tym_rY+RuEkSPWvzgi67Q@mail.gmail.com">
      <pre wrap="" class="moz-quote-pre">First time trying to configure a PG cluster by the book, I want to create a
role with read permissions on all current and future tables in the current
db. It looks smth like this

CREATE ROLE test_role;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO test_role;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO test_role;

I've been trying out different scenarios for the future, and currently having
a problem when trying to remove "test_role" after adding an extension.</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72"></pre>
    Hm, I have checked your example, it works as expected:<br>
    <br>
    <font face="monospace">postgres@postgres(16.9)=# CREATE ROLE
      test_role;<br>
      CREATE ROLE<br>
      postgres@postgres(16.9)=# GRANT SELECT ON ALL TABLES IN SCHEMA
      public TO test_role;<br>
      GRANT<br>
      postgres@postgres(16.9)=# ALTER DEFAULT PRIVILEGES IN SCHEMA
      public GRANT SELECT ON TABLES TO test_role;<br>
      ALTER DEFAULT PRIVILEGES<br>
      postgres@postgres(16.9)=# CREATE EXTENSION pg_stat_statements;<br>
      CREATE EXTENSION<br>
      <br>
      postgres@postgres(16.9)=# REVOKE SELECT ON ALL TABLES IN SCHEMA
      public FROM test_role;<br>
      REVOKE<br>
      postgres@postgres(16.9)=# ALTER DEFAULT PRIVILEGES IN SCHEMA
      public REVOKE SELECT ON TABLES FROM test_role;<br>
      ALTER DEFAULT PRIVILEGES<br>
      postgres@postgres(16.9)=# DROP ROLE test_role;<br>
      DROP ROLE<br>
      postgres@postgres(16.9)=# DROP EXTENSION pg_stat_statements;<br>
      DROP EXTENSION<br>
    </font><br>
    In any case, since v14 you can use the predefined role
    pg_read_all_data.<br>
    <pre class="moz-signature" cols="72">-- 
Pavel Luzanov
Postgres Professional: <a class="moz-txt-link-freetext" href="https://postgrespro.com">https://postgrespro.com</a></pre>
    <br>
  </body>
</html>

--------------CREnfVuxnBrIRJLFeylf9fwo--