Re: Orphaned users in PG16 and above can only be managed by Superusers

Robert Haas <robertmhaas@gmail.com>

From: Robert Haas <robertmhaas@gmail.com>
To: Ashutosh Sharma <ashu.coek88@gmail.com>
Cc: pgsql-hackers <pgsql-hackers@postgresql.org>
Date: 2025-01-23T21:02:24Z
Lists: pgsql-hackers
On Wed, Jan 22, 2025 at 6:08 AM Ashutosh Sharma <ashu.coek88@gmail.com> wrote:
> Thanks for sharing your thoughts and inputs. I'm also not quite clear
> about the fix. Some of the solutions/changes you've mentioned above
> seem quite complex and may not be reasonable, as you pointed out. How
> about introducing a new predefined role, perhaps something like
> pg_admin_all, which, when granted to an admin user in the system,
> would allow them to manage all non-superusers on the server?

IMHO, this is a hack. Let's suppose the superuser creates roles A and
X with CREATEROLE. A creates B, who creates C. X creates Y, who
creates Z. Now A drops B. We want A to retain the ability to
administer C, but we do not want X to suddenly acquire the ability to
administer C. If A and C both had pg_admin_all, that's what would
happen.

-- 
Robert Haas
EDB: http://www.enterprisedb.com