Re: Superuser can't revoke role granted by non-superuser
Alexander Kukushkin <cyberdemn@gmail.com>
From: Alexander Kukushkin <cyberdemn@gmail.com>
To: Kirill Reshke <reshkekirill@gmail.com>
Cc: pgsql-bugs@postgresql.org
Date: 2025-01-27T10:13:47Z
Lists: pgsql-bugs
On Mon, 27 Jan 2025 at 10:37, Kirill Reshke <reshkekirill@gmail.com> wrote: > I doubt this is a correct fix. The difference between cf5eb37 & > f026c16 behaviour is in who granted membership in role 'bb' to role > 'aa'. In the case of f026c16 the role is 'b', while after it is > bootstrap superuser. Is this correct? If yes, why should we consider > BOOTSTRAP_SUPERUSERID in this if statement? Maybe there are some other > cases from which this will not guard? > Or... Maybe it is actually working like this by design. There are UNIQUE constraints on pg_auth_members (member, roleid, grantor) columns. Therefore function explicitly searching for a tuple with exact match of member and grantor. Also, REVOKE syntax was extended to support GRANTED BY. E.g. superuser is supposed to use "revoke bb from aa granted by b" Regards, -- Alexander Kukushkin