From: Stephen Frost <sfrost(at)snowman(dot)net>
To: pgsql-patches(at)postgresql(dot)org
Subject: Change Ownership Permission Checks
Date: 2005-06-29 16:31:03
Message-ID: 20050629163103.GX24207@ns.snowman.net
Lists: pgsql-hackers pgsql-patches

Greetings,

Attached please find a patch to change how the permissions checking
for alter-owner is done. With roles there can be more than one
'owner' of an object and therefore it becomes sensible to allow
specific cases of ownership change for non-superusers.

The permission checks for change-owner follow the alter-rename
precedent that the new owner must have permission to create the object
in the schema.

The roles patch previously applied did not require the role for
which a database is being created to have createdb privileges, or for
the role for which a schema is being created to have create
privileges on the database (the role doing the creation did have to
have those privileges though, of course).

For 'container' type objects this seems reasonable. 'Container' type
objects are unlike others in a few ways, but one of the more notable
differences for this case is that an owner may be specified as part of
the create command.

To support cleaning up the various checks, I also went ahead and
modified is_member_of_role() to always return true when asked if a
superuser is in a given role. This seems reasonable, won't affect
what's actually seen in the various tables, and allows us to eliminate
explicit superuser() checks in a number of places.

I have also reviewed the other superuser() calls in
src/backend/commands/ and feel pretty comfortable that they're all
necessary, reasonable, and don't need to be replaced with
*_ownercheck or other calls.

The specific changes made, by file:

aggregatecmds.c, alter-owner:
  alter-owner checks:
    User is owner of the to-be-changed object
    User is a member of the new owner's role
    New owner is permitted to create objects in the schema
    Superuser() requirement removed

conversioncmds.c, rename:
  rename checks:
    Changed from superuser() or same-roleId to pg_conversion_ownercheck
  alter-owner checks:
    User is owner of the to-be-changed object
    User is a member of the new owner's role
    New owner is permitted to create objects in the schema
    Superuser() requirement removed

dbcommands.c:
  Moved superuser() check to have_createdb_privilege
  Cleaned up permissions checking in createdb and rename
  alter-owner checks:
    User is owner of the database
    User is a member of the new owner's role
    User has createdb privilege

functioncmds.c:
  alter-owner checks:
    User is owner of the function
    User is a member of the new owner's role
    New owner is permitted to create objects in the schema

opclasscmds.c:
  alter-owner checks:
    User is owner of the object
    User is a member of the new owner's role
    New owner has permission to create objects in the schema

operatorcmds.c:
  alter-owner checks:
    User is owner of the object
    User is a member of the new owner's role
    New owner has permission to create objects in the schema

schemacmds.c:
  Cleaned up create schema identity changing/setting/checking
  (This code was quite different from all the other create functions;
  these changes make it much more closely match createdb.)
  alter-owner checks:
    User is owner of the schema
    User is a member of the new owner's role
    User has create privilege on database

tablecmds.c:
  alter-owner checks:
    User is owner of the object
    User is a member of the new owner's role
    New owner has permission to create objects in the schema

tablespace.c:
  alter-owner checks:
    User is owner of the tablespace
    User is a member of the new owner's role
    (No create-tablespace permission to check; tablespaces must be
    created by superusers, and so alter-owner here really only matters
    if the superuser changed the tablespace owner to a non-superuser
    and then that non-superuser wants to change the ownership to yet
    another user. The other option would be to continue to force
    superuser-only for tablespace owner changes, but I'm not sure I
    see the point if the superuser trusts the non-superuser enough to
    give them a tablespace...)

typecmds.c:
  alter-owner checks:
    User is owner of the object
    User is a member of the new owner's role
    New owner has permission to create objects in the schema

Many thanks. As always, comments, questions, concerns, please let me
know.

Thanks again,

Stephen
Attachment: change-owner-checks.ctx.patch (text/plain, 24.9 KB)
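As an added illustration (not code from the patch or from PostgreSQL), the following Python model encodes the ALTER ... OWNER TO decision the mail lays out: the ownership and role-membership checks common to every object kind, the is_member_of_role() shortcut for superusers, and the container-object variants (createdb for databases, CREATE on the database for schemas, no create check for tablespaces). All role, schema and object names are constructed.

```python
from dataclasses import dataclass

@dataclass
class Role:
    superuser: bool = False
    createdb: bool = False
    member_of: frozenset = frozenset()   # direct memberships, by role name

# Constructed sample catalog; every name here is made up for the illustration.
ROLES = {
    "postgres":  Role(superuser=True),
    "alice":     Role(member_of=frozenset({"app_owner", "dba_team"})),
    "app_owner": Role(),
    "carol":     Role(createdb=True, member_of=frozenset({"dba_team"})),
    "dba_team":  Role(),
}
SCHEMA_CREATE = {"app": {"app_owner"}}   # roles granted CREATE on schema "app"
DB_CREATE = {"app_owner"}                # roles granted CREATE on the current database

def is_member_of_role(member, role):
    """Transitive membership; as in the patch, a superuser is a member of every role."""
    if member == role or ROLES[member].superuser:
        return True
    seen, todo = {member}, [member]
    while todo:
        for m in ROLES[todo.pop()].member_of:
            if m == role:
                return True
            if m not in seen:
                seen.add(m); todo.append(m)
    return False

def holds_privilege(user, grantees):
    """A privilege granted to any role the user belongs to counts for the user."""
    return ROLES[user].superuser or any(is_member_of_role(user, g) for g in grantees)

def may_alter_owner(user, kind, owner, new_owner, schema=""):
    """ALTER ... OWNER TO as the mail lays it out; kind is e.g. 'table' or a container kind."""
    # All kinds: own the object (directly or through a role) and be in the new owner's role.
    if not (is_member_of_role(user, owner) and is_member_of_role(user, new_owner)):
        return False
    # Containers: the acting user needs what CREATE DATABASE / CREATE SCHEMA would need.
    if kind == "database":
        return ROLES[user].superuser or ROLES[user].createdb
    if kind == "schema":
        return holds_privilege(user, DB_CREATE)
    if kind == "tablespace":   # no create-tablespace privilege exists to check
        return True
    # Everything else: the new owner must be allowed to create objects in the schema.
    return holds_privilege(new_owner, SCHEMA_CREATE.get(schema, set()))
```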