Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nS3SP-00055j-PT for pgsql-hackers@arkaria.postgresql.org; Wed, 09 Mar 2022 21:02:53 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.92) (envelope-from ) id 1nS3RQ-00015M-8i for pgsql-hackers@arkaria.postgresql.org; Wed, 09 Mar 2022 21:01:52 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nS3RP-000158-Vt for pgsql-hackers@lists.postgresql.org; Wed, 09 Mar 2022 21:01:51 +0000 Received: from sss.pgh.pa.us ([66.207.139.130]) by makus.postgresql.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nS3RL-0001FU-M7 for pgsql-hackers@postgresql.org; Wed, 09 Mar 2022 21:01:50 +0000 Received: from sss1.sss.pgh.pa.us (localhost [127.0.0.1]) by sss.pgh.pa.us (8.15.2/8.15.2) with ESMTP id 229L1eba546159; Wed, 9 Mar 2022 16:01:41 -0500 From: Tom Lane To: Robert Haas cc: Mark Dilger , "David G. Johnston" , Stephen Frost , Joshua Brindle , Andrew Dunstan , PostgreSQL-development Subject: Re: role self-revocation In-reply-to: References: <20220228190923.GJ10577@tamriel.snowman.net> <5984.1646585629@sss.pgh.pa.us> <195958.1646669050@sss.pgh.pa.us> <208419.1646677694@sss.pgh.pa.us> <260619.1646684169@sss.pgh.pa.us> <72EF0179-D0DD-490C-812B-D64BEC5C72D1@enterprisedb.com> Comments: In-reply-to Robert Haas message dated "Wed, 09 Mar 2022 15:51:10 -0500" MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <546157.1646859700.1@sss.pgh.pa.us> Date: Wed, 09 Mar 2022 16:01:40 -0500 Message-ID: <546158.1646859700@sss.pgh.pa.us> List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Robert Haas writes: > On Mar 7, 2022, at 12:16 PM, Tom Lane wrote: > tgl> Having said that, one thing that I find fishy is that it's not clear > tgl> where the admin privilege for a role originates. After "CREATE ROLE > tgl> alice", alice has no members, therefore none that have admin privilege, > tgl> therefore the only way that the first member could be added is via > tgl> superuser deus ex machina. This does not seem clean. > I agree with that, but I don't think it's a sufficient reason for > keeping the self-admin exception, because the same problem exists for > non-login roles. I don't even think it's the right idea conceptually > to suppose that the power to administer a role originates from the > role itself. Actually, that's the same thing I was trying to say. But if it doesn't originate from the role itself, where does it originate from? > In my opinion, the right to > administer a role - regardless of whether or not it is a login role - > most naturally vests in the role that created it, or something in that > direction at least, if not that exact thing. This seems like a reasonable answer to me too: the creating role has admin option implicitly, and can then choose to grant that to other roles. Obviously some work needs to be done to make that happen (and we should see whether the SQL spec has some different idea). regards, tom lane