Re: Orphaned users in PG16 and above can only be managed by Superusers

Robert Haas <robertmhaas@gmail.com>

From: Robert Haas <robertmhaas@gmail.com>
To: Andres Freund <andres@anarazel.de>
Cc: Tomas Vondra <tomas@vondra.me>, Ashutosh Sharma <ashu.coek88@gmail.com>, pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2025-01-23T21:06:15Z
Lists: pgsql-hackers
On Thu, Jan 23, 2025 at 3:51 PM Andres Freund <andres@anarazel.de> wrote:
> I wonder if it's a mistake that a role membership that has WITH ADMIN on
> another role is silently removed if the member role is removed. We e.g. do
> *not* do that for pg_auth_members.grantor:
>
> ERROR:  2BP01: role "r1" cannot be dropped because some objects depend on it
> DETAIL:  privileges for membership of role r2 in role r3

Yeah, I'm not sure about this either, but this is the kind of thing I
was thinking about when I replied before, saying that maybe dropping
role B shouldn't just succeed. Maybe dropping a role that doesn't have
privileges to administer any other role should be different than
dropping one that does.

-- 
Robert Haas
EDB: http://www.enterprisedb.com