Re: CREATEROLE users vs. role properties

From: tushar <tushar(dot)ahuja(at)enterprisedb(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Nathan Bossart <nathandbossart(at)gmail(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: CREATEROLE users vs. role properties
Date: 2023-01-23 15:25:01
Message-ID: CAC6VRob4ZLga-JJUsNimh-mxs6YeiSFGv2H7B660_Zz7TGRv6w@mail.gmail.com
Lists: pgsql-hackers

On Thu, Jan 19, 2023 at 8:34 PM Robert Haas <robertmhaas(at)gmail(dot)com> wrote:

> On Thu, Jan 19, 2023 at 6:15 AM tushar <tushar(dot)ahuja(at)enterprisedb(dot)com>
> wrote:
> > postgres=# create role fff with createrole;
> > CREATE ROLE
> > postgres=# create role xxx;
> > CREATE ROLE
> > postgres=# set role fff;
> > SET
> > postgres=> alter role xxx with createrole;
> > ERROR: permission denied
> > postgres=>
>
> Here fff would need ADMIN OPTION on xxx to be able to make modifications
> to it.
>
> See
> https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=cf5eb37c5ee0cc54c80d95c1695d7fca1f7c68cb

Thanks, Robert, that was helpful.

Please refer to this scenario, where I am able to give createrole privileges
but not replication privilege to a role:

postgres=# create role t1 createrole;
CREATE ROLE
postgres=# create role t2 replication;
CREATE ROLE
postgres=# create role t3;
CREATE ROLE
postgres=# grant t3 to t1,t2 with admin option;
GRANT ROLE
postgres=# set session authorization t1;
SET

postgres=> alter role t3 createrole ;
ALTER ROLE
postgres=> set session authorization t2;
SET
postgres=> alter role t3 replication;
ERROR: permission denied

This same behavior was observed in v14 as well, but why am I able to give
createrole grant but not replication?

regards,
