Re: DROP ROLE as SUPERUSER

On Thu, Feb 20, 2025 at 9:05 AM Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
> "David G. Johnston" <david.g.johnston@xxxxxxxxx> writes:
>> On Thursday, February 20, 2025, Dominique Devienne <ddevienne@xxxxxxxxx>
>> wrote:
>>> Hi. Today I was surprised that REVOKE ALL ON DATABASE FROM ROLE silently
>>> did nothing, even with CASCADE, when I was running it as SUPERUSER,
>>> preventing DROP'ing the ROLE. I had to manually SET ROLE to the GRANTOR, do
>>> the REVOKE, which DID something this time, and then I could DROP the role.
>
>> This has nothing to do with power/permissions.  It is about not specifying
>> “granted by” in your SQL command and thus failing to fully and correctly
>> specify the single permission you want to revoke.
>
> It used to be that if a superuser issued GRANT/REVOKE, the operation
> was silently done as the owner of the affected object.

That is still the case according to the docs (REVOKE):

"If a superuser chooses to issue a GRANT or REVOKE command, the command is performed as though it were issued by the owner of the affected object."

The docs seem to be missing reasonable exposition regarding "granted by".  The clause isn't even formally mentioned on the page; though I suppose it is because it is delegated to the GRANT page specification.  Though the description there says it is basically an ignored compatibility clause - not something that a superuser can use to make things more explicit than using SET ROLE (not sure if it can ATM...).

David J.
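
The workaround reported at the top of this thread (SET ROLE to the grantor, REVOKE, then DROP ROLE), written out as an added example that is not part of any message in the thread. The names `appdb`, `old_app` and `dba_alice` are hypothetical; the script assumes `old_app` has no dependencies other than database-level privileges.

```sql
-- Added example; appdb, old_app and dba_alice are hypothetical names.

-- 1. List every database-level privilege held by the role to be dropped,
--    together with the role recorded as grantor in the ACL entry.
--    aclexplode() expands pg_database.datacl into one row per privilege.
SELECT d.datname,
       a.grantor::regrole AS grantor,
       a.grantee::regrole AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_database AS d
CROSS JOIN LATERAL aclexplode(d.datacl) AS a
WHERE a.grantee = 'old_app'::regrole
ORDER BY d.datname, grantor, a.privilege_type;

-- 2. For each distinct grantor returned above, issue the REVOKE as that
--    role. SET LOCAL limits the role switch to this transaction, so the
--    session returns to the superuser identity at COMMIT.
BEGIN;
SET LOCAL ROLE dba_alice;
REVOKE ALL PRIVILEGES ON DATABASE appdb FROM old_app;
COMMIT;

-- 3. Re-run the query from step 1. Only when it returns zero rows are the
--    database-level ACL entries gone; a REVOKE that matched nothing does
--    not raise an error, so check the catalog rather than the command tag.

-- 4. Drop the role (assumes nothing else depends on it).
DROP ROLE old_app;
```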

