Participants
Ben Hancock
Ben Hancock
David G. Johnston
David G. Johnston
Attachments
Show all attachments
Thread Outline
#1Ben HancockBen Hancock
Jul 27, 2023
#2David G. JohnstonDavid G. Johnstonto Ben Hancock (#1)
Jul 27, 2023
#3Ben HancockBen Hancockto David G. Johnston (#2)
Jul 27, 2023

Create DB privilege is not inherited

Started by Ben Hancockover 2 years ago3 messagesgeneral
Jump to latest
#1Ben Hancock
Ben Hancock
lists@benghancock.com

Hi folks,

I've created a role 'admins' and conferred the CREATEDB and CREATE ROLE
privileges to this role. I'd like to be able to add users to this role
in order to easily manage group permissions. This doesn't seem to be
working the way I understand it should, though:

postgres=# CREATE ROLE admins WITH CREATEROLE CREATEDB;
CREATE ROLE
postgres=# CREATE USER joe;
CREATE ROLE
postgres=# GRANT admins TO joe;
GRANT ROLE
postgres=# SET ROLE joe;
SET
postgres=> CREATE DATABASE joes_db;
ERROR: permission denied to create database
postgres=> \dg
List of roles
Role name | Attributes | Member of
------------------+------------------------------------------------------------+-----------------
admins | Create role, Create DB, Cannot login | {}
joe | | {admins}
postgres | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

postgres=>

Should the CREATEDB privilege be inherited when granting the 'admins'
role to a user, or is another step required?

Or (quite possibly) have I misunderstood something else?

Many thanks,

Ben Hancock
PostgreSQL 14.3

#2David G. Johnston
David G. Johnston
david.g.johnston@gmail.com
In reply to: Ben Hancock (#1)
Re: Create DB privilege is not inherited

On Thursday, July 27, 2023, Ben Hancock <lists@benghancock.com> wrote:

Should the CREATEDB privilege be inherited when granting the 'admins'
role to a user, or is another step required?

Or (quite possibly) have I misunderstood something else?

Docs say:

https://www.postgresql.org/docs/current/sql-createrole.html#:~:text=based%20authentication%20method.-,The%20INHERIT%20attribute%20governs,before%20creating%20a%20database.,-The%20INHERIT%20attribute
"

The INHERIT attribute governs inheritance of grantable privileges (that is,
access privileges for database objects and role memberships). It does not
apply to the special role attributes set by CREATE ROLE and ALTER ROLE. For
example, being a member of a role with CREATEDB privilege does not
immediately grant the ability to create databases, even if INHERIT is set;
it would be necessary to become that role via SET ROLE before creating a
database."

David J.

#3Ben Hancock
Ben Hancock
lists@benghancock.com
In reply to: David G. Johnston (#2)
Re: Create DB privilege is not inherited

On Thu, 27 Jul 2023 06:09:28 -0700
"David G. Johnston" <david.g.johnston@gmail.com> wrote:

On Thursday, July 27, 2023, Ben Hancock <lists@benghancock.com> wrote:

Should the CREATEDB privilege be inherited when granting the 'admins'
role to a user, or is another step required?

Or (quite possibly) have I misunderstood something else?

Docs say:

https://www.postgresql.org/docs/current/sql-createrole.html#:~:text=based%20authentication%20method.-,The%20INHERIT%20attribute%20governs,before%20creating%20a%20database.,-The%20INHERIT%20attribute
"

The INHERIT attribute governs inheritance of grantable privileges (that is,
access privileges for database objects and role memberships). It does not
apply to the special role attributes set by CREATE ROLE and ALTER ROLE. For
example, being a member of a role with CREATEDB privilege does not
immediately grant the ability to create databases, even if INHERIT is set;
it would be necessary to become that role via SET ROLE before creating a
database."

Thank you David - I had managed to skim past that. So following this, it
looks like when I am "joe", I can set my role to "admins", and then
create the database I need:

postgres=> SET ROLE admins;
SET
postgres=> CREATE DATABASE joes_db;
CREATE DATABASE

Cheers!

Ben Hancock

← Back to Topics