Hello Everyone,
I recently noticed the difference between PG15 and PG16 regarding CREATEROLE and ADMIN OPTION.
Granting the Admin Option to another role is not allowed in PG16, whereas it was permitted in PG15. Please help me with how we can allow them without superuser intervention.
PostgreSQL 15:
psql (15.10 (Homebrew), server 15.10 (Homebrew))
Type "help" for help.
postgres=# create role pgtest login createdb createrole;
CREATE ROLE
postgres=# \c postgres pgtest
psql (16.6 (Homebrew), server 15.10 (Homebrew))
You are now connected to database "postgres" as user "pgtest".
postgres=>
postgres=> create role test login;
CREATE ROLE
postgres=>
postgres=> grant pgtest to test with ADMIN OPTION;
GRANT ROLE
postgres=> \drg
List of role grants
Role name | Member of | Options | Grantor
-----------+-----------+---------------------+---------
test | pgtest | ADMIN, INHERIT, SET | pgtest
(1 row)
Type "help" for help.
postgres=# create role pgtest login createdb createrole;
CREATE ROLE
postgres=# \c postgres pgtest
psql (16.6 (Homebrew), server 15.10 (Homebrew))
You are now connected to database "postgres" as user "pgtest".
postgres=>
postgres=> create role test login;
CREATE ROLE
postgres=>
postgres=> grant pgtest to test with ADMIN OPTION;
GRANT ROLE
postgres=> \drg
List of role grants
Role name | Member of | Options | Grantor
-----------+-----------+---------------------+---------
test | pgtest | ADMIN, INHERIT, SET | pgtest
(1 row)
PostgreSQL 16
psql (16.6 (Homebrew))
Type "help" for help.
postgres=# create role pgtest login createdb createrole;
CREATE ROLE
postgres=# \c postgres pgtest
You are now connected to database "postgres" as user "pgtest".
postgres=> create role test login;
CREATE ROLE
postgres=>
postgres=> grant pgtest to test with ADMIN OPTION;
ERROR: permission denied to grant role "admin"
DETAIL: Only roles with the ADMIN option on role "pgtest" may grant this role.
postgres=>
postgres=> \drg
List of role grants
Role name | Member of | Options | Grantor
-----------+-----------+---------+-------------
pgtest | test | ADMIN | pawansharma
(1 row)
postgres=>
Type "help" for help.
postgres=# create role pgtest login createdb createrole;
CREATE ROLE
postgres=# \c postgres pgtest
You are now connected to database "postgres" as user "pgtest".
postgres=> create role test login;
CREATE ROLE
postgres=>
postgres=> grant pgtest to test with ADMIN OPTION;
ERROR: permission denied to grant role "admin"
DETAIL: Only roles with the ADMIN option on role "pgtest" may grant this role.
postgres=>
postgres=> \drg
List of role grants
Role name | Member of | Options | Grantor
-----------+-----------+---------+-------------
pgtest | test | ADMIN | pawansharma
(1 row)
postgres=>
Thank you so much.
Regards,
Pawan