Re: CREATEROLE does not permit commenting on newly-created roles

Alvaro Herrera <alvherre(at)commandprompt(dot)com> writes:
> Excerpts from Euler Taveira de Oliveira's message of mar mar 08 02:06:13 -0300 2011:
>> Em 07-03-2011 16:53, Owen Jacobson escreveu:
>>> psql:repro.sql:2: ERROR: must be member of role "commented_role" to
>>> comment upon it

>> This isn't a bug; let say it is a limitation (and a documented one [1]).
>> Unfortunately only the role, superuser or its members can add/drop comments.

> Maybe it would be good to have a COMMENT clause on the CREATE ROLE
> command. It would be inconsistent with the rest of the comment system,
> but this privilege problem is inconsistent too.

I thought there was nothing particularly unreasonable about Owen's
suggestion: let users with the CREATEROLE attribute comment on any role.
I don't think COMMENT added to CREATE ROLE would be a very nice fix
(aside from being ugly, what if you want to change the comment later?).

It strikes me actually that letting members of the role comment on it
is not an amazingly good idea. They are not owners of the role in any
meaningful sense --- for instance, they can't drop it. It'd be more
reasonable and consistent to say that only superusers and holders of
CREATEROLE can do COMMENT ON ROLE.

regards, tom lane