| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
| Cc: | Dominique Devienne <ddevienne(at)gmail(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org> |
| Subject: | Re: DROP ROLE as SUPERUSER |
| Date: | 2025-02-20 16:05:50 |
| Message-ID: | 2705563.1740067550@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
"David G. Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> writes:
> On Thursday, February 20, 2025, Dominique Devienne <ddevienne(at)gmail(dot)com>
> wrote:
>> Hi. Today I was surprised that REVOKE ALL ON DATABASE FROM ROLE silently
>> did nothing, even with CASCADE, when I was running it as SUPERUSER,
>> preventing DROP'ing the ROLE. I had to manually SET ROLE to the GRANTOR, do
>> the REVOKE, which DID something this time, and then I could DROP the role.
> This has nothing to do with power/permissions. It is about not specifying
> “granted by” in your SQL command and thus failing to fully and correctly
> specify the single permission you want to revoke.
It used to be that if a superuser issued GRANT/REVOKE, the operation
was silently done as the owner of the affected object. That was
always a bit of a wart, since among other things it meant that the
object owner could undo it. Now you have to say "GRANTED BY <owner>"
to get that effect. I'm not entirely sure, but I think this is closer
to what the SQL standard says.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Greg Sabino Mullane | 2025-02-20 16:07:02 | Re: #XX000: ERROR: tuple concurrently updated |
| Previous Message | David G. Johnston | 2025-02-20 15:56:47 | Re: DROP ROLE as SUPERUSER |