Re: CREATEROLE Inheritance

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: shen(at)oneshen(dot)com
Cc: pgsql-docs(at)lists(dot)postgresql(dot)org
Subject: Re: CREATEROLE Inheritance
Date: 2023-07-18 18:27:06
Message-ID: 74948.1689704826@sss.pgh.pa.us
Lists: pgsql-docs

PG Doc comments form <noreply(at)postgresql(dot)org> writes:
> I have checked this for CREATEROLE and this role attribute is definitely
> inheritable.

Does not look like that to me:

regression=# create user alice createrole;
CREATE ROLE
regression=# create user bob;
CREATE ROLE
regression=# \c - alice
You are now connected to database "regression" as user "alice".
regression=> create user charlie; -- should succeed
CREATE ROLE
regression=> \c - bob
You are now connected to database "regression" as user "bob".
regression=> create user delta; -- should fail
ERROR: permission denied to create role
DETAIL: Only roles with the CREATEROLE attribute may create roles.
regression=> \c - postgres
You are now connected to database "regression" as user "postgres".
regression=# grant alice to bob;
GRANT ROLE
regression=# \c - bob
You are now connected to database "regression" as user "bob".
regression=> create user delta; -- still fails
ERROR: permission denied to create role
DETAIL: Only roles with the CREATEROLE attribute may create roles.
regression=> set role alice;
SET
regression=> create user delta; -- now it works
CREATE ROLE

(Those DETAIL messages are fairly new, but the behavior is the same
in older branches.) The point is precisely that bob can't make
use of alice's CREATEROLE bit without having done SET ROLE.

It's not too clear to me what you did that led you to conclude
otherwise, but going through additional layers like an IDE could
well be confusing matters.

regards, tom lane
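
An audit query for the behavior shown in the session above, as an added example that is not part of the original message or of the PostgreSQL documentation: it lists roles that lack CREATEROLE themselves but could acquire it with SET ROLE through direct or indirect membership. It assumes only the standard catalogs pg_auth_members and pg_roles; the CTE name and output column aliases are chosen here.

```sql
-- Added example: which roles can reach a CREATEROLE role via SET ROLE?
WITH RECURSIVE reach AS (
    -- Direct grants: "member" has been granted membership in "roleid".
    SELECT m.member,
           m.roleid,
           1 AS depth,
           ARRAY[m.member, m.roleid] AS path
    FROM pg_auth_members m
  UNION ALL
    -- Indirect grants: follow member -> roleid -> roles granted to roleid.
    SELECT r.member,
           m.roleid,
           r.depth + 1,
           r.path || m.roleid
    FROM reach r
    JOIN pg_auth_members m ON m.member = r.roleid
    WHERE m.roleid <> ALL (r.path)   -- defensive guard against cycles
)
SELECT mem.rolname      AS member,
       tgt.rolname      AS createrole_via,
       min(reach.depth) AS hops
FROM reach
JOIN pg_roles mem ON mem.oid = reach.member
JOIN pg_roles tgt ON tgt.oid = reach.roleid
WHERE tgt.rolcreaterole          -- target role carries the attribute
  AND NOT mem.rolcreaterole      -- member does not have it directly
  AND NOT mem.rolsuper           -- superusers bypass the check anyway
GROUP BY mem.rolname, tgt.rolname
ORDER BY mem.rolname, hops;
```

Run against the state at the end of the session above, this returns one row: bob, alice, 1. On PostgreSQL 16 and later a membership granted WITH SET FALSE does not permit SET ROLE, so the query over-reports there unless it is also filtered on pg_auth_members.set_option.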
