CREATEROLE and role ownership hierarchies

From e235625bf79dbe78c5450b2cf552a38b4f2a0c7e Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Mon, 25 Oct 2021 17:11:45 -0700
Subject: [PATCH v2 1/4] Add tests of the CREATEROLE attribute.

While developing alternate rules for what privileges CREATEROLE has,
I noticed that none of the changes to how CREATEROLE works triggered
any regression test failures.  This is problematic for two reasons.
It means the existing code has insufficient test coverage, and it
means that unintended changes introduced by subsequent patches may
go unnoticed.  Fix that.
---
 src/test/regress/expected/create_role.out | 145 ++++++++++++++++++++++
 src/test/regress/parallel_schedule        |   2 +-
 src/test/regress/sql/create_role.sql      | 138 ++++++++++++++++++++
 3 files changed, 284 insertions(+), 1 deletion(-)
 create mode 100644 src/test/regress/expected/create_role.out
 create mode 100644 src/test/regress/sql/create_role.sql

diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
new file mode 100644
index 0000000000..57010bbb58
--- /dev/null
+++ b/src/test/regress/expected/create_role.out
@@ -0,0 +1,145 @@
+-- ok, superuser can create users with any set of privileges
+CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+-- fail, only superusers can create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
+CREATE ROLE regress_role_2 SUPERUSER;
+ERROR:  must be superuser to create superusers
+CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
+ERROR:  must be superuser to create replication users
+CREATE ROLE regress_role_4 REPLICATION;
+ERROR:  must be superuser to create replication users
+CREATE ROLE regress_role_5 BYPASSRLS;
+ERROR:  must be superuser to create bypassrls users
+-- ok, having CREATEROLE is enough to create users with these privileges
+CREATE ROLE regress_role_6 CREATEDB;
+CREATE ROLE regress_role_7 CREATEROLE;
+CREATE ROLE regress_role_8 LOGIN;
+CREATE ROLE regress_role_9 INHERIT;
+CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
+CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
+CREATE ROLE regress_role_12 PASSWORD NULL;
+-- ok, backwards compatible noise words should be ignored
+CREATE ROLE regress_role_13 SYSID 12345;
+NOTICE:  SYSID can no longer be specified
+-- fail, cannot grant membership in superuser role
+CREATE ROLE regress_role_14 IN ROLE regress_role_super;
+ERROR:  must be superuser to alter superusers
+-- fail, database owner cannot have members
+CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
+ERROR:  role "pg_database_owner" cannot have explicit members
+-- ok, can grant other users into a role
+CREATE ROLE regress_role_16 ROLE
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+-- fail, cannot grant a role into itself
+CREATE ROLE regress_role_17 ROLE regress_role_17;
+ERROR:  role "regress_role_17" is a member of role "regress_role_17"
+-- ok, can grant other users into a role with admin option
+CREATE ROLE regress_role_18 ADMIN
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+-- fail, cannot grant a role into itself with admin option
+CREATE ROLE regress_role_19 ADMIN regress_role_19;
+ERROR:  role "regress_role_19" is a member of role "regress_role_19"
+-- fail, regress_role_7 does not have CREATEDB privilege
+SET SESSION AUTHORIZATION regress_role_7;
+CREATE DATABASE regress_db_7;
+ERROR:  permission denied to create database
+-- ok, regress_role_7 can create new roles
+CREATE ROLE regress_role_20;
+-- ok, roles with CREATEROLE can create new roles with it
+CREATE ROLE regress_role_21 CREATEROLE;
+-- ok, roles with CREATEROLE can create new roles with privilege they lack
+CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+-- ok, regress_role_22 can create objects within the database
+SET SESSION AUTHORIZATION regress_role_22;
+CREATE TABLE regress_tbl_22 (i integer);
+CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
+CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
+REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
+-- fail, these objects belonging to regress_role_22
+SET SESSION AUTHORIZATION regress_role_7;
+DROP INDEX regress_idx_22;
+ERROR:  must be owner of index regress_idx_22
+ALTER TABLE regress_tbl_22 ADD COLUMN t text;
+ERROR:  must be owner of table regress_tbl_22
+DROP TABLE regress_tbl_22;
+ERROR:  must be owner of table regress_tbl_22
+ALTER VIEW regress_view_22 OWNER TO regress_role_1;
+ERROR:  must be owner of view regress_view_22
+DROP VIEW regress_view_22;
+ERROR:  must be owner of view regress_view_22
+-- fail, cannot take ownership of these objects from regress_role_22
+REASSIGN OWNED BY regress_role_22 TO regress_role_7;
+ERROR:  permission denied to reassign objects
+-- ok, having CREATEROLE is enough to create roles in privileged roles
+CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
+CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
+CREATE ROLE regress_role_25 IN ROLE pg_monitor;
+CREATE ROLE regress_role_26 IN ROLE pg_read_all_settings;
+CREATE ROLE regress_role_27 IN ROLE pg_read_all_stats;
+CREATE ROLE regress_role_28 IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
+CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
+CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
+CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
+-- fail, creation of these roles failed above so they do not now exist
+SET SESSION AUTHORIZATION regress_role_1;
+DROP ROLE regress_role_2;
+ERROR:  role "regress_role_2" does not exist
+DROP ROLE regress_role_3;
+ERROR:  role "regress_role_3" does not exist
+DROP ROLE regress_role_4;
+ERROR:  role "regress_role_4" does not exist
+DROP ROLE regress_role_5;
+ERROR:  role "regress_role_5" does not exist
+DROP ROLE regress_role_14;
+ERROR:  role "regress_role_14" does not exist
+DROP ROLE regress_role_15;
+ERROR:  role "regress_role_15" does not exist
+DROP ROLE regress_role_17;
+ERROR:  role "regress_role_17" does not exist
+DROP ROLE regress_role_19;
+ERROR:  role "regress_role_19" does not exist
+DROP ROLE regress_role_20;
+-- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_role_6;
+DROP ROLE regress_role_7;
+DROP ROLE regress_role_8;
+DROP ROLE regress_role_9;
+DROP ROLE regress_role_10;
+DROP ROLE regress_role_11;
+DROP ROLE regress_role_12;
+DROP ROLE regress_role_13;
+DROP ROLE regress_role_16;
+DROP ROLE regress_role_18;
+DROP ROLE regress_role_21;
+DROP ROLE regress_role_23;
+DROP ROLE regress_role_24;
+DROP ROLE regress_role_25;
+DROP ROLE regress_role_26;
+DROP ROLE regress_role_27;
+DROP ROLE regress_role_28;
+DROP ROLE regress_role_29;
+DROP ROLE regress_role_30;
+DROP ROLE regress_role_31;
+DROP ROLE regress_role_32;
+-- fail, role still owns database objects
+DROP ROLE regress_role_22;
+ERROR:  role "regress_role_22" cannot be dropped because some objects depend on it
+DETAIL:  owner of table regress_tbl_22
+owner of view regress_view_22
+-- fail, cannot drop ourself nor superusers
+DROP ROLE regress_role_super;
+ERROR:  must be superuser to drop superusers
+DROP ROLE regress_role_1;
+ERROR:  current user cannot be dropped
+-- ok
+RESET SESSION AUTHORIZATION;
+DROP INDEX regress_idx_22;
+DROP TABLE regress_tbl_22;
+DROP VIEW regress_view_22;
+DROP ROLE regress_role_22;
+DROP ROLE regress_role_1;
+DROP ROLE regress_role_super;
diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule
index 7be89178f0..2c8580ecde 100644
--- a/src/test/regress/parallel_schedule
+++ b/src/test/regress/parallel_schedule
@@ -86,7 +86,7 @@ test: brin_bloom brin_multi
 # ----------
 # Another group of parallel tests
 # ----------
-test: create_table_like alter_generic alter_operator misc async dbsize misc_functions sysviews tsrf tid tidscan tidrangescan collate.icu.utf8 incremental_sort
+test: create_table_like alter_generic alter_operator misc async dbsize misc_functions sysviews tsrf tid tidscan tidrangescan collate.icu.utf8 incremental_sort create_role
 
 # rules cannot run concurrently with any test that creates
 # a view or rule in the public schema
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
new file mode 100644
index 0000000000..e00893de4e
--- /dev/null
+++ b/src/test/regress/sql/create_role.sql
@@ -0,0 +1,138 @@
+-- ok, superuser can create users with any set of privileges
+CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+
+-- fail, only superusers can create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
+CREATE ROLE regress_role_2 SUPERUSER;
+CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
+CREATE ROLE regress_role_4 REPLICATION;
+CREATE ROLE regress_role_5 BYPASSRLS;
+
+-- ok, having CREATEROLE is enough to create users with these privileges
+CREATE ROLE regress_role_6 CREATEDB;
+CREATE ROLE regress_role_7 CREATEROLE;
+CREATE ROLE regress_role_8 LOGIN;
+CREATE ROLE regress_role_9 INHERIT;
+CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
+CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
+CREATE ROLE regress_role_12 PASSWORD NULL;
+
+-- ok, backwards compatible noise words should be ignored
+CREATE ROLE regress_role_13 SYSID 12345;
+
+-- fail, cannot grant membership in superuser role
+CREATE ROLE regress_role_14 IN ROLE regress_role_super;
+
+-- fail, database owner cannot have members
+CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
+
+-- ok, can grant other users into a role
+CREATE ROLE regress_role_16 ROLE
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+
+-- fail, cannot grant a role into itself
+CREATE ROLE regress_role_17 ROLE regress_role_17;
+
+-- ok, can grant other users into a role with admin option
+CREATE ROLE regress_role_18 ADMIN
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+
+-- fail, cannot grant a role into itself with admin option
+CREATE ROLE regress_role_19 ADMIN regress_role_19;
+
+-- fail, regress_role_7 does not have CREATEDB privilege
+SET SESSION AUTHORIZATION regress_role_7;
+CREATE DATABASE regress_db_7;
+
+-- ok, regress_role_7 can create new roles
+CREATE ROLE regress_role_20;
+
+-- ok, roles with CREATEROLE can create new roles with it
+CREATE ROLE regress_role_21 CREATEROLE;
+
+-- ok, roles with CREATEROLE can create new roles with privilege they lack
+CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+
+-- ok, regress_role_22 can create objects within the database
+SET SESSION AUTHORIZATION regress_role_22;
+CREATE TABLE regress_tbl_22 (i integer);
+CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
+CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
+REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
+
+-- fail, these objects belonging to regress_role_22
+SET SESSION AUTHORIZATION regress_role_7;
+DROP INDEX regress_idx_22;
+ALTER TABLE regress_tbl_22 ADD COLUMN t text;
+DROP TABLE regress_tbl_22;
+ALTER VIEW regress_view_22 OWNER TO regress_role_1;
+DROP VIEW regress_view_22;
+
+-- fail, cannot take ownership of these objects from regress_role_22
+REASSIGN OWNED BY regress_role_22 TO regress_role_7;
+
+-- ok, having CREATEROLE is enough to create roles in privileged roles
+CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
+CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
+CREATE ROLE regress_role_25 IN ROLE pg_monitor;
+CREATE ROLE regress_role_26 IN ROLE pg_read_all_settings;
+CREATE ROLE regress_role_27 IN ROLE pg_read_all_stats;
+CREATE ROLE regress_role_28 IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
+CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
+CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
+CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
+
+-- fail, creation of these roles failed above so they do not now exist
+SET SESSION AUTHORIZATION regress_role_1;
+DROP ROLE regress_role_2;
+DROP ROLE regress_role_3;
+DROP ROLE regress_role_4;
+DROP ROLE regress_role_5;
+DROP ROLE regress_role_14;
+DROP ROLE regress_role_15;
+DROP ROLE regress_role_17;
+DROP ROLE regress_role_19;
+DROP ROLE regress_role_20;
+
+-- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_role_6;
+DROP ROLE regress_role_7;
+DROP ROLE regress_role_8;
+DROP ROLE regress_role_9;
+DROP ROLE regress_role_10;
+DROP ROLE regress_role_11;
+DROP ROLE regress_role_12;
+DROP ROLE regress_role_13;
+DROP ROLE regress_role_16;
+DROP ROLE regress_role_18;
+DROP ROLE regress_role_21;
+DROP ROLE regress_role_23;
+DROP ROLE regress_role_24;
+DROP ROLE regress_role_25;
+DROP ROLE regress_role_26;
+DROP ROLE regress_role_27;
+DROP ROLE regress_role_28;
+DROP ROLE regress_role_29;
+DROP ROLE regress_role_30;
+DROP ROLE regress_role_31;
+DROP ROLE regress_role_32;
+
+-- fail, role still owns database objects
+DROP ROLE regress_role_22;
+
+-- fail, cannot drop ourself nor superusers
+DROP ROLE regress_role_super;
+DROP ROLE regress_role_1;
+
+-- ok
+RESET SESSION AUTHORIZATION;
+DROP INDEX regress_idx_22;
+DROP TABLE regress_tbl_22;
+DROP VIEW regress_view_22;
+DROP ROLE regress_role_22;
+DROP ROLE regress_role_1;
+DROP ROLE regress_role_super;
-- 
2.21.1 (Apple Git-122.3)

From 0a27010622339b7f80e7d622add73137c69a97c0 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Wed, 27 Oct 2021 07:34:18 -0700
Subject: [PATCH v2 2/4] Add owners to roles

All roles now have owners.  By default, roles belong to the role
that created them, and initdb-time roles are owned by POSTGRES.

This is a preparatory patch for changing how CREATEROLE works.
---
 src/backend/catalog/aclchk.c                  |  59 +++++++-
 src/backend/catalog/pg_shdepend.c             |   5 +
 src/backend/catalog/system_views.sql          |   1 +
 src/backend/commands/alter.c                  |   3 +
 src/backend/commands/user.c                   | 142 +++++++++++++++++-
 src/backend/nodes/copyfuncs.c                 |   1 +
 src/backend/nodes/equalfuncs.c                |   1 +
 src/backend/parser/gram.y                     |  23 +++
 src/bin/psql/describe.c                       |  12 ++
 src/include/catalog/pg_authid.h               |   1 +
 src/include/commands/user.h                   |   2 +
 src/include/nodes/parsenodes.h                |   1 +
 src/include/utils/acl.h                       |   1 +
 .../unsafe_tests/expected/rolenames.out       |   6 +-
 .../modules/unsafe_tests/sql/rolenames.sql    |   3 +-
 src/test/regress/expected/create_role.out     | 133 ++++++++++++++--
 src/test/regress/expected/oidjoins.out        |   1 +
 src/test/regress/expected/privileges.out      |   9 +-
 src/test/regress/expected/rules.out           |   1 +
 src/test/regress/sql/create_role.sql          |  64 +++++++-
 src/test/regress/sql/privileges.sql           |  13 +-
 21 files changed, 461 insertions(+), 21 deletions(-)

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index ce0a4ff14e..ddd205d656 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -3385,6 +3385,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("permission denied for publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("permission denied for role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("permission denied for routine %s");
 						break;
@@ -3429,7 +3432,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_RULE:
 					case OBJECT_TABCONSTRAINT:
 					case OBJECT_TRANSFORM:
@@ -3511,6 +3513,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("must be owner of publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("must be owner of role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("must be owner of routine %s");
 						break;
@@ -3569,7 +3574,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_TRANSFORM:
 					case OBJECT_TSPARSER:
 					case OBJECT_TSTEMPLATE:
@@ -5430,6 +5434,57 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 	return has_privs_of_role(roleid, ownerId);
 }
 
+/*
+ * Ownership check for a role (specified by OID)
+ */
+bool
+pg_role_ownercheck(Oid role_oid, Oid roleid)
+{
+	HeapTuple		tuple;
+	Form_pg_authid	authform;
+	Oid				owner_oid;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	/* Otherwise, look up the owner of the role */
+	tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
+	if (!HeapTupleIsValid(tuple))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role with OID %u does not exist",
+						role_oid)));
+	authform = (Form_pg_authid) GETSTRUCT(tuple);
+	owner_oid = authform->rolowner;
+
+	/*
+	 * Roles must necessarily have owners.  Even the bootstrap user has an
+	 * owner.  (It owns itself).  Other roles must form a proper tree.
+	 */
+	if (!OidIsValid(owner_oid))
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u has invalid owner",
+						authform->rolname.data, authform->oid)));
+	if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+		authform->rolowner == authform->oid)
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u owns itself",
+						authform->rolname.data, authform->oid)));
+	if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+		authform->rolowner != BOOTSTRAP_SUPERUSERID)
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+						authform->rolname.data, authform->oid,
+						authform->rolowner)));
+	ReleaseSysCache(tuple);
+
+	return (owner_oid == roleid);
+}
+
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
  *
diff --git a/src/backend/catalog/pg_shdepend.c b/src/backend/catalog/pg_shdepend.c
index 8453d8fefd..88e479ca21 100644
--- a/src/backend/catalog/pg_shdepend.c
+++ b/src/backend/catalog/pg_shdepend.c
@@ -61,6 +61,7 @@
 #include "commands/tablecmds.h"
 #include "commands/tablespace.h"
 #include "commands/typecmds.h"
+#include "commands/user.h"
 #include "miscadmin.h"
 #include "storage/lmgr.h"
 #include "utils/acl.h"
@@ -1557,6 +1558,10 @@ shdepReassignOwned(List *roleids, Oid newrole)
 					AlterSubscriptionOwner_oid(sdepForm->objid, newrole);
 					break;
 
+				case AuthIdRelationId:
+					AlterRoleOwner_oid(sdepForm->objid, newrole);
+					break;
+
 					/* Generic alter owner cases */
 				case CollationRelationId:
 				case ConversionRelationId:
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index 55f6e3711d..b03763695c 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -17,6 +17,7 @@
 CREATE VIEW pg_roles AS
     SELECT
         rolname,
+        pg_get_userbyid(rolowner) AS rolowner,
         rolsuper,
         rolinherit,
         rolcreaterole,
diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
index 40044070cf..eb407cfc4c 100644
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@@ -840,6 +840,9 @@ ExecAlterOwnerStmt(AlterOwnerStmt *stmt)
 		case OBJECT_DATABASE:
 			return AlterDatabaseOwner(strVal(stmt->object), newowner);
 
+		case OBJECT_ROLE:
+			return AlterRoleOwner(strVal(stmt->object), newowner);
+
 		case OBJECT_SCHEMA:
 			return AlterSchemaOwner(strVal(stmt->object), newowner);
 
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index aa69821be4..259968f1d4 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -55,6 +55,8 @@ static void AddRoleMems(const char *rolename, Oid roleid,
 static void DelRoleMems(const char *rolename, Oid roleid,
 						List *memberSpecs, List *memberIds,
 						bool admin_opt);
+static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
+									Oid newOwnerId);
 
 
 /* Check if current user has createrole privileges */
@@ -77,6 +79,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	Datum		new_record[Natts_pg_authid];
 	bool		new_record_nulls[Natts_pg_authid];
 	Oid			roleid;
+	Oid			owner_uid;
+	Oid			saved_uid;
+	int			save_sec_context;
 	ListCell   *item;
 	ListCell   *option;
 	char	   *password = NULL;	/* user password */
@@ -108,6 +113,16 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	DefElem    *dvalidUntil = NULL;
 	DefElem    *dbypassRLS = NULL;
 
+	GetUserIdAndSecContext(&saved_uid, &save_sec_context);
+
+	/*
+	 * Who is supposed to own the new role?
+	 */
+	if (stmt->authrole)
+		owner_uid = get_rolespec_oid(stmt->authrole, false);
+	else
+		owner_uid = saved_uid;
+
 	/* The defaults can vary depending on the original statement type */
 	switch (stmt->stmt_type)
 	{
@@ -254,6 +269,10 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to create superusers")));
+		if (!superuser_arg(owner_uid))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must be superuser to own superusers")));
 	}
 	else if (isreplication)
 	{
@@ -310,6 +329,19 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 				 errmsg("role \"%s\" already exists",
 						stmt->role)));
 
+	/*
+	 * If the requested authorization is different from the current user,
+	 * temporarily set the current user so that the object(s) will be created
+	 * with the correct ownership.
+	 *
+	 * (The setting will be restored at the end of this routine, or in case of
+	 * error, transaction abort will clean things up.)
+	 */
+	if (saved_uid != owner_uid)
+		SetUserIdAndSecContext(owner_uid,
+							   save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+
+
 	/* Convert validuntil to internal form */
 	if (validUntil)
 	{
@@ -345,6 +377,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 		DirectFunctionCall1(namein, CStringGetDatum(stmt->role));
 
 	new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper);
+	new_record[Anum_pg_authid_rolowner - 1] = ObjectIdGetDatum(owner_uid);
 	new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
 	new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
 	new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
@@ -422,6 +455,8 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	CatalogTupleInsert(pg_authid_rel, tuple);
 
+	recordDependencyOnOwner(AuthIdRelationId, roleid, owner_uid);
+
 	/*
 	 * Advance command counter so we can see new record; else tests in
 	 * AddRoleMems may fail.
@@ -478,6 +513,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	table_close(pg_authid_rel, NoLock);
 
+	/* Reset current user and security context */
+	SetUserIdAndSecContext(saved_uid, save_sec_context);
+
 	return roleid;
 }
 
@@ -1078,8 +1116,9 @@ DropRole(DropRoleStmt *stmt)
 		systable_endscan(sscan);
 
 		/*
-		 * Remove any comments or security labels on this role.
+		 * Remove any dependencies, comments or security labels on this role.
 		 */
+		deleteSharedDependencyRecordsFor(AuthIdRelationId, roleid, 0);
 		DeleteSharedComments(roleid, AuthIdRelationId);
 		DeleteSharedSecurityLabel(roleid, AuthIdRelationId);
 
@@ -1675,3 +1714,104 @@ DelRoleMems(const char *rolename, Oid roleid,
 	 */
 	table_close(pg_authmem_rel, NoLock);
 }
+
+/*
+ * Change role owner
+ */
+ObjectAddress
+AlterRoleOwner(const char *name, Oid newOwnerId)
+{
+	Oid                     roleid;
+	HeapTuple       tup;
+	Relation        rel;
+	ObjectAddress address;
+	Form_pg_authid authform;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHNAME, CStringGetDatum(name));
+	if (!HeapTupleIsValid(tup))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role \"%s\" does not exist", name)));
+
+	authform = (Form_pg_authid) GETSTRUCT(tup);
+	roleid = authform->oid;
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ObjectAddressSet(address, AuthIdRelationId, roleid);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+
+	return address;
+}
+
+void
+AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId)
+{
+	HeapTuple	tup;
+	Relation	rel;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleOid));
+	if (!HeapTupleIsValid(tup))
+		elog(ERROR, "cache lookup failed for role %u", roleOid);
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+}
+
+static void
+AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
+{
+	Form_pg_authid authForm;
+
+	Assert(tup->t_tableOid == AuthIdRelationId);
+	Assert(RelationGetRelid(rel) == AuthIdRelationId);
+
+	authForm = (Form_pg_authid) GETSTRUCT(tup);
+
+	/*
+	 * If the new owner is the same as the existing owner, consider the
+	 * command to have succeeded.  This is for dump restoration purposes.
+	 */
+	if (authForm->rolowner != newOwnerId)
+	{
+		/* Otherwise, must be owner of the existing object */
+		if (!pg_role_ownercheck(authForm->oid, GetUserId()))
+			aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		/* Must be able to become new owner */
+		check_is_member_of_role(GetUserId(), newOwnerId);
+
+		/*
+		 * must have CREATEROLE rights
+		 *
+		 * NOTE: This is different from most other alter-owner checks in that
+		 * the current user is checked for create privileges instead of the
+		 * destination owner.  This is consistent with the CREATE case for
+		 * roles.  Because superusers will always have this right, we need no
+		 * special case for them.
+		 */
+		if (!have_createrole_privilege())
+			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		authForm->rolowner = newOwnerId;
+		CatalogTupleUpdate(rel, &tup->t_self, tup);
+
+		/* Update owner dependency reference */
+		changeDependencyOnOwner(AuthIdRelationId, authForm->oid, newOwnerId);
+	}
+
+	InvokeObjectPostAlterHook(AuthIdRelationId,
+							  authForm->oid, 0);
+}
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
index 82464c9889..f406763d71 100644
--- a/src/backend/nodes/copyfuncs.c
+++ b/src/backend/nodes/copyfuncs.c
@@ -4514,6 +4514,7 @@ _copyCreateRoleStmt(const CreateRoleStmt *from)
 
 	COPY_SCALAR_FIELD(stmt_type);
 	COPY_STRING_FIELD(role);
+	COPY_NODE_FIELD(authrole);
 	COPY_NODE_FIELD(options);
 
 	return newnode;
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
index f537d3eb96..0d2c32121b 100644
--- a/src/backend/nodes/equalfuncs.c
+++ b/src/backend/nodes/equalfuncs.c
@@ -2128,6 +2128,7 @@ _equalCreateRoleStmt(const CreateRoleStmt *a, const CreateRoleStmt *b)
 {
 	COMPARE_SCALAR_FIELD(stmt_type);
 	COMPARE_STRING_FIELD(role);
+	COMPARE_NODE_FIELD(authrole);
 	COMPARE_NODE_FIELD(options);
 
 	return true;
diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
index d0eb80e69c..08fd20e239 100644
--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -1060,9 +1060,20 @@ CreateRoleStmt:
 					CreateRoleStmt *n = makeNode(CreateRoleStmt);
 					n->stmt_type = ROLESTMT_ROLE;
 					n->role = $3;
+					n->authrole = NULL;
 					n->options = $5;
 					$$ = (Node *)n;
 				}
+			|
+			CREATE ROLE RoleId AUTHORIZATION RoleSpec opt_with OptRoleList
+				{
+					CreateRoleStmt *n = makeNode(CreateRoleStmt);
+					n->stmt_type = ROLESTMT_ROLE;
+					n->role = $3;
+					n->authrole = $5;
+					n->options = $7;
+					$$ = (Node *)n;
+				}
 		;
 
 
@@ -1201,6 +1212,10 @@ CreateOptRoleElem:
 				{
 					$$ = makeDefElem("addroleto", (Node *)$3, @1);
 				}
+			| OWNER RoleSpec
+				{
+					$$ = makeDefElem("owner", (Node *)$2, @1);
+				}
 		;
 
 
@@ -9497,6 +9512,14 @@ AlterOwnerStmt: ALTER AGGREGATE aggregate_with_argtypes OWNER TO RoleSpec
 					n->newowner = $6;
 					$$ = (Node *)n;
 				}
+			| ALTER ROLE name OWNER TO RoleSpec
+				{
+					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
+					n->objectType = OBJECT_ROLE;
+					n->object = (Node *) makeString($3);
+					n->newowner = $6;
+					$$ = (Node *)n;
+				}
 			| ALTER ROUTINE function_with_argtypes OWNER TO RoleSpec
 				{
 					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
diff --git a/src/bin/psql/describe.c b/src/bin/psql/describe.c
index 006661412e..e051cab6f9 100644
--- a/src/bin/psql/describe.c
+++ b/src/bin/psql/describe.c
@@ -3801,6 +3801,12 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 			appendPQExpBufferStr(&buf, "\n, r.rolbypassrls");
 		}
 
+		if (pset.sversion >= 150000)
+		{
+			appendPQExpBufferStr(&buf, "\n, r.rolowner");
+			ncols++;
+		}
+
 		appendPQExpBufferStr(&buf, "\nFROM pg_catalog.pg_roles r\n");
 
 		if (!showSystem && !pattern)
@@ -3837,6 +3843,8 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	printTableInit(&cont, &myopt, _("List of roles"), ncols, nrows);
 
 	printTableAddHeader(&cont, gettext_noop("Role name"), true, align);
+	if (pset.sversion >= 150000)
+		printTableAddHeader(&cont, gettext_noop("Owner"), true, align);
 	printTableAddHeader(&cont, gettext_noop("Attributes"), true, align);
 	/* ignores implicit memberships from superuser & pg_database_owner */
 	printTableAddHeader(&cont, gettext_noop("Member of"), true, align);
@@ -3848,6 +3856,10 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	{
 		printTableAddCell(&cont, PQgetvalue(res, i, 0), false, false);
 
+		if (pset.sversion >= 150000)
+			printTableAddCell(&cont, PQgetvalue(res, i, (verbose ? 12 : 11)),
+							  false, false);
+
 		resetPQExpBuffer(&buf);
 		if (strcmp(PQgetvalue(res, i, 1), "t") == 0)
 			add_role_attribute(&buf, _("Superuser"));
diff --git a/src/include/catalog/pg_authid.h b/src/include/catalog/pg_authid.h
index 2d7115e31d..cce43388d8 100644
--- a/src/include/catalog/pg_authid.h
+++ b/src/include/catalog/pg_authid.h
@@ -32,6 +32,7 @@ CATALOG(pg_authid,1260,AuthIdRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_OID(284
 {
 	Oid			oid;			/* oid */
 	NameData	rolname;		/* name of role */
+	Oid			rolowner BKI_DEFAULT(POSTGRES) BKI_LOOKUP(pg_authid); /* owner of this role */
 	bool		rolsuper;		/* read this field via superuser() only! */
 	bool		rolinherit;		/* inherit privileges from other roles? */
 	bool		rolcreaterole;	/* allowed to create more roles? */
diff --git a/src/include/commands/user.h b/src/include/commands/user.h
index 0b7a3cd65f..c32127e41e 100644
--- a/src/include/commands/user.h
+++ b/src/include/commands/user.h
@@ -33,5 +33,7 @@ extern ObjectAddress RenameRole(const char *oldname, const char *newname);
 extern void DropOwnedObjects(DropOwnedStmt *stmt);
 extern void ReassignOwnedObjects(ReassignOwnedStmt *stmt);
 extern List *roleSpecsToIds(List *memberNames);
+extern ObjectAddress AlterRoleOwner(const char *name, Oid newOwnerId);
+extern void AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId);
 
 #endif							/* USER_H */
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 49123e28a4..0d5cfd3eb9 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -2621,6 +2621,7 @@ typedef struct CreateRoleStmt
 	NodeTag		type;
 	RoleStmtType stmt_type;		/* ROLE/USER/GROUP */
 	char	   *role;			/* role name */
+	RoleSpec   *authrole;		/* the owner of the created role */
 	List	   *options;		/* List of DefElem nodes */
 } CreateRoleStmt;
 
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index af771c901d..ec9d480d67 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -316,6 +316,7 @@ extern bool pg_extension_ownercheck(Oid ext_oid, Oid roleid);
 extern bool pg_publication_ownercheck(Oid pub_oid, Oid roleid);
 extern bool pg_subscription_ownercheck(Oid sub_oid, Oid roleid);
 extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
+extern bool pg_role_ownercheck(Oid role_oid, Oid roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
 
diff --git a/src/test/modules/unsafe_tests/expected/rolenames.out b/src/test/modules/unsafe_tests/expected/rolenames.out
index eb608fdc2e..8b79a63b80 100644
--- a/src/test/modules/unsafe_tests/expected/rolenames.out
+++ b/src/test/modules/unsafe_tests/expected/rolenames.out
@@ -1086,6 +1086,10 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 \c
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
+ERROR:  role "regress_testrol2" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_haspriv
+owner of role regress_role_nopriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/modules/unsafe_tests/sql/rolenames.sql b/src/test/modules/unsafe_tests/sql/rolenames.sql
index adac36536d..95a54ce70d 100644
--- a/src/test/modules/unsafe_tests/sql/rolenames.sql
+++ b/src/test/modules/unsafe_tests/sql/rolenames.sql
@@ -499,6 +499,7 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 57010bbb58..e1ce5f3a66 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -1,6 +1,7 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_1;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_2 SUPERUSER;
@@ -11,14 +12,95 @@ CREATE ROLE regress_role_4 REPLICATION;
 ERROR:  must be superuser to create replication users
 CREATE ROLE regress_role_5 BYPASSRLS;
 ERROR:  must be superuser to create bypassrls users
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
+ERROR:  must be superuser to own superusers
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
+-- ok, superuser can create users with these privileges for normal role
+CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
+CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
+CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
+\du+ regress_role_2
+                                      List of roles
+   Role name    |       Owner        |       Attributes        | Member of | Description 
+----------------+--------------------+-------------------------+-----------+-------------
+ regress_role_2 | regress_role_super | Superuser, Cannot login | {}        | 
+
+\du+ regress_role_3
+                                           List of roles
+   Role name    |     Owner      |              Attributes               | Member of | Description 
+----------------+----------------+---------------------------------------+-----------+-------------
+ regress_role_3 | regress_role_1 | Cannot login, Replication, Bypass RLS | {}        | 
+
+\du+ regress_role_4
+                                     List of roles
+   Role name    |     Owner      |        Attributes         | Member of | Description 
+----------------+----------------+---------------------------+-----------+-------------
+ regress_role_4 | regress_role_1 | Cannot login, Replication | {}        | 
+
+\du+ regress_role_5
+                                    List of roles
+   Role name    |     Owner      |        Attributes        | Member of | Description 
+----------------+----------------+--------------------------+-----------+-------------
+ regress_role_5 | regress_role_1 | Cannot login, Bypass RLS | {}        | 
+
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
 CREATE ROLE regress_role_8 LOGIN;
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
-CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_role_12 PASSWORD NULL;
+CREATE ROLE regress_role_11 PASSWORD NULL;
+CREATE ROLE regress_role_12
+  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+\du+ regress_role_6
+                                    List of roles
+   Role name    |     Owner      |       Attributes        | Member of | Description 
+----------------+----------------+-------------------------+-----------+-------------
+ regress_role_6 | regress_role_1 | Create DB, Cannot login | {}        | 
+
+\du+ regress_role_7
+                                     List of roles
+   Role name    |     Owner      |        Attributes         | Member of | Description 
+----------------+----------------+---------------------------+-----------+-------------
+ regress_role_7 | regress_role_1 | Create role, Cannot login | {}        | 
+
+\du+ regress_role_8
+                             List of roles
+   Role name    |     Owner      | Attributes | Member of | Description 
+----------------+----------------+------------+-----------+-------------
+ regress_role_8 | regress_role_1 |            | {}        | 
+
+\du+ regress_role_9
+                              List of roles
+   Role name    |     Owner      |  Attributes  | Member of | Description 
+----------------+----------------+--------------+-----------+-------------
+ regress_role_9 | regress_role_1 | Cannot login | {}        | 
+
+\du+ regress_role_10
+                               List of roles
+    Role name    |     Owner      |  Attributes   | Member of | Description 
+-----------------+----------------+---------------+-----------+-------------
+ regress_role_10 | regress_role_1 | Cannot login +| {}        | 
+                 |                | 5 connections |           | 
+
+\du+ regress_role_11
+                               List of roles
+    Role name    |     Owner      |  Attributes  | Member of | Description 
+-----------------+----------------+--------------+-----------+-------------
+ regress_role_11 | regress_role_1 | Cannot login | {}        | 
+
+\du+ regress_role_12
+                                                      List of roles
+    Role name    |     Owner      |       Attributes       |                   Member of                    | Description 
+-----------------+----------------+------------------------+------------------------------------------------+-------------
+ regress_role_12 | regress_role_1 | Create role, Create DB+| {regress_role_6,regress_role_7,regress_role_8} | 
+                 |                | 2 connections          |                                                | 
+
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_role_13 SYSID 12345;
 NOTICE:  SYSID can no longer be specified
@@ -84,16 +166,24 @@ CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
 CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot take ownership of these objects from regress_role_7
 SET SESSION AUTHORIZATION regress_role_1;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+ERROR:  must be owner of role regress_role_20
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+ERROR:  permission denied to reassign objects
+-- superuser can do it, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_role_2;
-ERROR:  role "regress_role_2" does not exist
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
-ERROR:  role "regress_role_3" does not exist
 DROP ROLE regress_role_4;
-ERROR:  role "regress_role_4" does not exist
 DROP ROLE regress_role_5;
-ERROR:  role "regress_role_5" does not exist
 DROP ROLE regress_role_14;
 ERROR:  role "regress_role_14" does not exist
 DROP ROLE regress_role_15;
@@ -103,9 +193,23 @@ ERROR:  role "regress_role_17" does not exist
 DROP ROLE regress_role_19;
 ERROR:  role "regress_role_19" does not exist
 DROP ROLE regress_role_20;
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_role_6;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_role_7;
+ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_21
+owner of role regress_role_22
+owner of role regress_role_23
+owner of role regress_role_24
+owner of role regress_role_25
+owner of role regress_role_26
+owner of role regress_role_27
+owner of role regress_role_28
+owner of role regress_role_29
+owner of role regress_role_30
+owner of role regress_role_31
+owner of role regress_role_32
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_role_6;
 DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
@@ -130,6 +234,10 @@ DROP ROLE regress_role_22;
 ERROR:  role "regress_role_22" cannot be dropped because some objects depend on it
 DETAIL:  owner of table regress_tbl_22
 owner of view regress_view_22
+-- fail, role still owns other roles
+DROP ROLE regress_role_7;
+ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_22
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
@@ -141,5 +249,12 @@ DROP INDEX regress_idx_22;
 DROP TABLE regress_tbl_22;
 DROP VIEW regress_view_22;
 DROP ROLE regress_role_22;
+DROP ROLE regress_role_7;
+-- fail, cannot drop role with remaining privileges
+DROP ROLE regress_role_1;
+ERROR:  role "regress_role_1" cannot be dropped because some objects depend on it
+DETAIL:  privileges for database regression
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_1;
 DROP ROLE regress_role_1;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/expected/oidjoins.out b/src/test/regress/expected/oidjoins.out
index 215eb899be..266a30a85b 100644
--- a/src/test/regress/expected/oidjoins.out
+++ b/src/test/regress/expected/oidjoins.out
@@ -194,6 +194,7 @@ NOTICE:  checking pg_database {dattablespace} => pg_tablespace {oid}
 NOTICE:  checking pg_db_role_setting {setdatabase} => pg_database {oid}
 NOTICE:  checking pg_db_role_setting {setrole} => pg_authid {oid}
 NOTICE:  checking pg_tablespace {spcowner} => pg_authid {oid}
+NOTICE:  checking pg_authid {rolowner} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {roleid} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {member} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {grantor} => pg_authid {oid}
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 83cff902f3..c4456cadce 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -27,8 +27,10 @@ CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
 CREATE USER regress_priv_user5;	-- duplicate
 ERROR:  role "regress_priv_user5" already exists
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 GRANT pg_read_all_data TO regress_priv_user6;
 GRANT pg_write_all_data TO regress_priv_user7;
 CREATE GROUP regress_priv_group1;
@@ -2327,7 +2329,12 @@ DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
 DROP USER regress_priv_user6;
+ERROR:  role "regress_priv_user6" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_priv_user7
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 ERROR:  role "regress_priv_user8" does not exist
 -- permissions with LOCK TABLE
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index 2fa00a3c29..c452cc433c 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1482,6 +1482,7 @@ pg_replication_slots| SELECT l.slot_name,
    FROM (pg_get_replication_slots() l(slot_name, plugin, slot_type, datoid, temporary, active, active_pid, xmin, catalog_xmin, restart_lsn, confirmed_flush_lsn, wal_status, safe_wal_size, two_phase)
      LEFT JOIN pg_database d ON ((l.datoid = d.oid)));
 pg_roles| SELECT pg_authid.rolname,
+    pg_get_userbyid(pg_authid.rolowner) AS rolowner,
     pg_authid.rolsuper,
     pg_authid.rolinherit,
     pg_authid.rolcreaterole,
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index e00893de4e..8a4f177574 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -1,6 +1,7 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_1;
 
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_1;
@@ -9,14 +10,42 @@ CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
 CREATE ROLE regress_role_4 REPLICATION;
 CREATE ROLE regress_role_5 BYPASSRLS;
 
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
+
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
+
+-- ok, superuser can create users with these privileges for normal role
+CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
+CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
+CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
+
+\du+ regress_role_2
+\du+ regress_role_3
+\du+ regress_role_4
+\du+ regress_role_5
+
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
 CREATE ROLE regress_role_8 LOGIN;
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
-CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_role_12 PASSWORD NULL;
+CREATE ROLE regress_role_11 PASSWORD NULL;
+CREATE ROLE regress_role_12
+  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+
+\du+ regress_role_6
+\du+ regress_role_7
+\du+ regress_role_8
+\du+ regress_role_9
+\du+ regress_role_10
+\du+ regress_role_11
+\du+ regress_role_12
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_role_13 SYSID 12345;
@@ -86,9 +115,22 @@ CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
 
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot take ownership of these objects from regress_role_7
 SET SESSION AUTHORIZATION regress_role_1;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+
+-- superuser can do it, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_role_2;
+
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
 DROP ROLE regress_role_4;
 DROP ROLE regress_role_5;
@@ -98,9 +140,11 @@ DROP ROLE regress_role_17;
 DROP ROLE regress_role_19;
 DROP ROLE regress_role_20;
 
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_role_6;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_role_7;
+
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_role_6;
 DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
@@ -124,6 +168,9 @@ DROP ROLE regress_role_32;
 -- fail, role still owns database objects
 DROP ROLE regress_role_22;
 
+-- fail, role still owns other roles
+DROP ROLE regress_role_7;
+
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_1;
@@ -134,5 +181,12 @@ DROP INDEX regress_idx_22;
 DROP TABLE regress_tbl_22;
 DROP VIEW regress_view_22;
 DROP ROLE regress_role_22;
+DROP ROLE regress_role_7;
+
+-- fail, cannot drop role with remaining privileges
+DROP ROLE regress_role_1;
+
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_1;
 DROP ROLE regress_role_1;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index 3d1a1db987..bd2d67691c 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -29,9 +29,14 @@ CREATE USER regress_priv_user2;
 CREATE USER regress_priv_user3;
 CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
+
 CREATE USER regress_priv_user5;	-- duplicate
-CREATE USER regress_priv_user6;
+
+CREATE USER regress_priv_user6 CREATEROLE;
+
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 
 GRANT pg_read_all_data TO regress_priv_user6;
 GRANT pg_write_all_data TO regress_priv_user7;
@@ -1389,8 +1394,14 @@ DROP USER regress_priv_user2;
 DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
+
 DROP USER regress_priv_user6;
+
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 
 
-- 
2.21.1 (Apple Git-122.3)

From 2528fc733031d2087a67ea9f8cb02edb2d9b1e52 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Wed, 27 Oct 2021 14:21:53 -0700
Subject: [PATCH v2 3/4] Give role owners control over owned roles

Create a role ownership hierarchy.  The previous commit added owners
to roles.  This goes further, making role ownership transitive.  If
role A owns role B, and role B owns role C, then role A can act as
the owner of role C.  Also, roles A and B can perform any action on
objects belonging to role C that role C could itself perform.

This is a preparatory patch for changing how CREATEROLE works.
---
 src/backend/catalog/aclchk.c                  | 104 ++++++++++--------
 src/backend/catalog/objectaddress.c           |  22 +---
 src/backend/commands/schemacmds.c             |   2 +-
 src/backend/commands/user.c                   |  16 +--
 src/backend/utils/adt/acl.c                   |   4 +
 .../expected/dummy_seclabel.out               |  12 +-
 .../dummy_seclabel/sql/dummy_seclabel.sql     |  12 +-
 src/test/regress/expected/create_role.out     |  62 +++--------
 src/test/regress/sql/create_role.sql          |  39 +++----
 9 files changed, 125 insertions(+), 148 deletions(-)

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index ddd205d656..4a11a0f124 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5440,61 +5440,79 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 bool
 pg_role_ownercheck(Oid role_oid, Oid roleid)
 {
-	HeapTuple		tuple;
-	Form_pg_authid	authform;
-	Oid				owner_oid;
-
 	/* Superusers bypass all permission checking. */
 	if (superuser_arg(roleid))
 		return true;
 
-	/* Otherwise, look up the owner of the role */
-	tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
-	if (!HeapTupleIsValid(tuple))
-		ereport(ERROR,
-				(errcode(ERRCODE_UNDEFINED_OBJECT),
-				 errmsg("role with OID %u does not exist",
-						role_oid)));
-	authform = (Form_pg_authid) GETSTRUCT(tuple);
-	owner_oid = authform->rolowner;
-
 	/*
-	 * Roles must necessarily have owners.  Even the bootstrap user has an
-	 * owner.  (It owns itself).  Other roles must form a proper tree.
+	 * Start with the owned role and traverse the ownership hierarchy upward.
+	 * We stop when we find the owner we are looking for or when we reach the
+	 * top.
 	 */
-	if (!OidIsValid(owner_oid))
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u has invalid owner",
-						authform->rolname.data, authform->oid)));
-	if (authform->oid != BOOTSTRAP_SUPERUSERID &&
-		authform->rolowner == authform->oid)
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u owns itself",
-						authform->rolname.data, authform->oid)));
-	if (authform->oid == BOOTSTRAP_SUPERUSERID &&
-		authform->rolowner != BOOTSTRAP_SUPERUSERID)
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u owned by role with OID %u",
-						authform->rolname.data, authform->oid,
-						authform->rolowner)));
-	ReleaseSysCache(tuple);
+	while (OidIsValid(role_oid))
+	{
+		HeapTuple		tuple;
+		Form_pg_authid	authform;
+		Oid				owner_oid;
+
+		/* Find the owner of the current iteration's role */
+		tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
+		if (!HeapTupleIsValid(tuple))
+			ereport(ERROR,
+					(errcode(ERRCODE_UNDEFINED_OBJECT),
+					 errmsg("role with OID %u does not exist",
+							role_oid)));
+		authform = (Form_pg_authid) GETSTRUCT(tuple);
+		owner_oid = authform->rolowner;
+
+		/*
+		 * Roles must necessarily have owners.  Even the bootstrap user has an
+		 * owner.  (It owns itself).  Other roles must form a proper tree.
+		 */
+		if (!OidIsValid(owner_oid))
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u has invalid owner",
+							authform->rolname.data, authform->oid)));
+		if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+			authform->rolowner == authform->oid)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owns itself",
+							authform->rolname.data, authform->oid)));
+		if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+			authform->rolowner != BOOTSTRAP_SUPERUSERID)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+							authform->rolname.data, authform->oid,
+							authform->rolowner)));
+		ReleaseSysCache(tuple);
+
+		/* Have we found the target role? */
+		if (roleid == owner_oid)
+			return true;
+
+		/*
+		 * If we have reached a role which owns itself, we must iterate no
+		 * further, else we fall into an infinite loop.
+		 */
+		if (role_oid == owner_oid)
+			return false;
+
+		/* Set up for the next iteration. */
+		role_oid = owner_oid;
+	}
 
-	return (owner_oid == roleid);
+	return false;
 }
 
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
  *
- * Note: roles do not have owners per se; instead we use this test in
- * places where an ownership-like permissions test is needed for a role.
- * Be sure to apply it to the role trying to do the operation, not the
- * role being operated on!	Also note that this generally should not be
- * considered enough privilege if the target role is a superuser.
- * (We don't handle that consideration here because we want to give a
- * separate error message for such cases, so the caller has to deal with it.)
+ * Note: In versions prior to PostgreSQL version 15, roles did not have owners
+ * per se; instead we used this test in places where an ownership-like
+ * permissions test was needed for a role.
  */
 bool
 has_createrole_privilege(Oid roleid)
diff --git a/src/backend/catalog/objectaddress.c b/src/backend/catalog/objectaddress.c
index 2bae3fbb17..cc19409ca3 100644
--- a/src/backend/catalog/objectaddress.c
+++ b/src/backend/catalog/objectaddress.c
@@ -2596,25 +2596,9 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
 							   NameListToString(castNode(List, object)));
 			break;
 		case OBJECT_ROLE:
-
-			/*
-			 * We treat roles as being "owned" by those with CREATEROLE priv,
-			 * except that superusers are only owned by superusers.
-			 */
-			if (superuser_arg(address.objectId))
-			{
-				if (!superuser_arg(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must be superuser")));
-			}
-			else
-			{
-				if (!has_createrole_privilege(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must have CREATEROLE privilege")));
-			}
+			if (!pg_role_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, objtype,
+							   strVal(object));
 			break;
 		case OBJECT_TSPARSER:
 		case OBJECT_TSTEMPLATE:
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
index 6c6ab9ee34..3447806756 100644
--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
@@ -363,7 +363,7 @@ AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		/*
 		 * must have create-schema rights
 		 *
-		 * NOTE: This is different from other alter-owner checks in that the
+		 * NOTE: This is different from most other alter-owner checks in that the
 		 * current user is checked for create privileges instead of the
 		 * destination owner.  This is consistent with the CREATE case for
 		 * schemas.  Because superusers will always have this right, we need
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 259968f1d4..57aede76f0 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -724,7 +724,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 			  !rolemembers &&
 			  !validUntil &&
 			  dpassword &&
-			  roleid == GetUserId()))
+			  !pg_role_ownercheck(roleid, GetUserId())))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied")));
@@ -925,7 +925,8 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() && roleid != GetUserId())
+			if (!have_createrole_privilege() &&
+				!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -977,11 +978,6 @@ DropRole(DropRoleStmt *stmt)
 				pg_auth_members_rel;
 	ListCell   *item;
 
-	if (!have_createrole_privilege())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied to drop role")));
-
 	/*
 	 * Scan the pg_authid relation to find the Oid of the role(s) to be
 	 * deleted.
@@ -1053,6 +1049,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
+		if (!have_createrole_privilege() &&
+			!pg_role_ownercheck(roleid, GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("permission denied to drop role")));
+
 		/* DROP hook for the role being removed */
 		InvokeObjectDropHook(AuthIdRelationId, roleid, 0);
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 67f8b29434..04eae9d4e5 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4850,6 +4850,10 @@ has_privs_of_role(Oid member, Oid role)
 	if (superuser_arg(member))
 		return true;
 
+	/* Owners of roles have every privilge the owned role has */
+	if (pg_role_ownercheck(role, member))
+		return true;
+
 	/*
 	 * Find all the roles that member has the privileges of, including
 	 * multi-level recursion, then see if target role is any one of them.
diff --git a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
index b2d898a7d1..93cf82b750 100644
--- a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
+++ b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
@@ -7,8 +7,11 @@ SET client_min_messages TO 'warning';
 DROP ROLE IF EXISTS regress_dummy_seclabel_user1;
 DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 RESET client_min_messages;
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
 CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
@@ -19,7 +22,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
@@ -29,6 +32,7 @@ ERROR:  '...invalid label...' is not a valid security label
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
 ERROR:  security label provider "unknown_seclabel" is not loaded
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 ERROR:  must be owner of table dummy_seclabel_tbl2
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
@@ -42,7 +46,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
 ERROR:  '...invalid label...' is not a valid security label
@@ -55,7 +59,7 @@ SECURITY LABEL ON ROLE regress_dummy_seclabel_user3 IS 'unclassified';	-- fail (
 ERROR:  role "regress_dummy_seclabel_user3" does not exist
 SET SESSION AUTHORIZATION regress_dummy_seclabel_user2;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user2 IS 'unclassified';	-- fail (not privileged)
-ERROR:  must have CREATEROLE privilege
+ERROR:  must be owner of role regress_dummy_seclabel_user2
 RESET SESSION AUTHORIZATION;
 --
 -- Test for various types of object
diff --git a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
index 8c347b6a68..bf575343cf 100644
--- a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
+++ b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
@@ -11,8 +11,12 @@ DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 
 RESET client_min_messages;
 
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
@@ -26,7 +30,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
@@ -34,6 +38,8 @@ SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...';	-- fail
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified';	-- fail (not found)
@@ -45,7 +51,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index e1ce5f3a66..492162e5a1 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -55,8 +55,9 @@ CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
 CREATE ROLE regress_role_12
-  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
-  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7;
+COMMENT ON ROLE regress_role_12 IS 'no login test role';
 \du+ regress_role_6
                                     List of roles
    Role name    |     Owner      |       Attributes        | Member of | Description 
@@ -95,11 +96,11 @@ CREATE ROLE regress_role_12
  regress_role_11 | regress_role_1 | Cannot login | {}        | 
 
 \du+ regress_role_12
-                                                      List of roles
-    Role name    |     Owner      |       Attributes       |                   Member of                    | Description 
------------------+----------------+------------------------+------------------------------------------------+-------------
- regress_role_12 | regress_role_1 | Create role, Create DB+| {regress_role_6,regress_role_7,regress_role_8} | 
-                 |                | 2 connections          |                                                | 
+                                                         List of roles
+    Role name    |     Owner      |              Attributes              |            Member of            |    Description     
+-----------------+----------------+--------------------------------------+---------------------------------+--------------------
+ regress_role_12 | regress_role_1 | Create role, Create DB, Cannot login+| {regress_role_6,regress_role_7} | no login test role
+                 |                | 2 connections                        |                                 | 
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_role_13 SYSID 12345;
@@ -140,21 +141,18 @@ CREATE TABLE regress_tbl_22 (i integer);
 CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
 CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
--- fail, these objects belonging to regress_role_22
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_role_7;
 DROP INDEX regress_idx_22;
-ERROR:  must be owner of index regress_idx_22
 ALTER TABLE regress_tbl_22 ADD COLUMN t text;
-ERROR:  must be owner of table regress_tbl_22
 DROP TABLE regress_tbl_22;
-ERROR:  must be owner of table regress_tbl_22
+-- fail, not a member of target role
 ALTER VIEW regress_view_22 OWNER TO regress_role_1;
-ERROR:  must be owner of view regress_view_22
+ERROR:  must be member of role "regress_role_1"
+-- ok
 DROP VIEW regress_view_22;
-ERROR:  must be owner of view regress_view_22
--- fail, cannot take ownership of these objects from regress_role_22
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
-ERROR:  permission denied to reassign objects
 -- ok, having CREATEROLE is enough to create roles in privileged roles
 CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
 CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
@@ -166,15 +164,9 @@ CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
 CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
--- fail, cannot take ownership of these objects from regress_role_7
+-- ok, can take ownership from owned roles
 SET SESSION AUTHORIZATION regress_role_1;
 ALTER ROLE regress_role_20 OWNER TO regress_role_1;
-ERROR:  must be owner of role regress_role_20
-REASSIGN OWNED BY regress_role_20 TO regress_role_1;
-ERROR:  permission denied to reassign objects
--- superuser can do it, though
-RESET SESSION AUTHORIZATION;
-ALTER ROLE regress_role_20 OWNER TO regress_role_1;
 REASSIGN OWNED BY regress_role_20 TO regress_role_1;
 -- ok, superuser roles can drop superuser roles they own
 SET SESSION AUTHORIZATION regress_role_super;
@@ -184,14 +176,6 @@ SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
 DROP ROLE regress_role_4;
 DROP ROLE regress_role_5;
-DROP ROLE regress_role_14;
-ERROR:  role "regress_role_14" does not exist
-DROP ROLE regress_role_15;
-ERROR:  role "regress_role_15" does not exist
-DROP ROLE regress_role_17;
-ERROR:  role "regress_role_17" does not exist
-DROP ROLE regress_role_19;
-ERROR:  role "regress_role_19" does not exist
 DROP ROLE regress_role_20;
 -- fail, cannot drop roles that own other roles
 DROP ROLE regress_role_7;
@@ -219,6 +203,7 @@ DROP ROLE regress_role_13;
 DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
+DROP ROLE regress_role_22;
 DROP ROLE regress_role_23;
 DROP ROLE regress_role_24;
 DROP ROLE regress_role_25;
@@ -229,28 +214,15 @@ DROP ROLE regress_role_29;
 DROP ROLE regress_role_30;
 DROP ROLE regress_role_31;
 DROP ROLE regress_role_32;
--- fail, role still owns database objects
-DROP ROLE regress_role_22;
-ERROR:  role "regress_role_22" cannot be dropped because some objects depend on it
-DETAIL:  owner of table regress_tbl_22
-owner of view regress_view_22
--- fail, role still owns other roles
-DROP ROLE regress_role_7;
-ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
-DETAIL:  owner of role regress_role_22
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
 DROP ROLE regress_role_1;
 ERROR:  current user cannot be dropped
--- ok
-RESET SESSION AUTHORIZATION;
-DROP INDEX regress_idx_22;
-DROP TABLE regress_tbl_22;
-DROP VIEW regress_view_22;
-DROP ROLE regress_role_22;
+-- ok, no more owned roles remain
 DROP ROLE regress_role_7;
 -- fail, cannot drop role with remaining privileges
+RESET SESSION AUTHORIZATION;
 DROP ROLE regress_role_1;
 ERROR:  role "regress_role_1" cannot be dropped because some objects depend on it
 DETAIL:  privileges for database regression
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 8a4f177574..678f728f52 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -36,8 +36,9 @@ CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
 CREATE ROLE regress_role_12
-  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
-  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7;
+COMMENT ON ROLE regress_role_12 IS 'no login test role';
 
 \du+ regress_role_6
 \du+ regress_role_7
@@ -92,15 +93,19 @@ CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
 CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
 
--- fail, these objects belonging to regress_role_22
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_role_7;
 DROP INDEX regress_idx_22;
 ALTER TABLE regress_tbl_22 ADD COLUMN t text;
 DROP TABLE regress_tbl_22;
+
+-- fail, not a member of target role
 ALTER VIEW regress_view_22 OWNER TO regress_role_1;
+
+-- ok
 DROP VIEW regress_view_22;
 
--- fail, cannot take ownership of these objects from regress_role_22
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
 
 -- ok, having CREATEROLE is enough to create roles in privileged roles
@@ -115,16 +120,11 @@ CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
 
--- fail, cannot take ownership of these objects from regress_role_7
+-- ok, can take ownership from owned roles
 SET SESSION AUTHORIZATION regress_role_1;
 ALTER ROLE regress_role_20 OWNER TO regress_role_1;
 REASSIGN OWNED BY regress_role_20 TO regress_role_1;
 
--- superuser can do it, though
-RESET SESSION AUTHORIZATION;
-ALTER ROLE regress_role_20 OWNER TO regress_role_1;
-REASSIGN OWNED BY regress_role_20 TO regress_role_1;
-
 -- ok, superuser roles can drop superuser roles they own
 SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_role_2;
@@ -134,10 +134,6 @@ SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
 DROP ROLE regress_role_4;
 DROP ROLE regress_role_5;
-DROP ROLE regress_role_14;
-DROP ROLE regress_role_15;
-DROP ROLE regress_role_17;
-DROP ROLE regress_role_19;
 DROP ROLE regress_role_20;
 
 -- fail, cannot drop roles that own other roles
@@ -154,6 +150,7 @@ DROP ROLE regress_role_13;
 DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
+DROP ROLE regress_role_22;
 DROP ROLE regress_role_23;
 DROP ROLE regress_role_24;
 DROP ROLE regress_role_25;
@@ -165,25 +162,15 @@ DROP ROLE regress_role_30;
 DROP ROLE regress_role_31;
 DROP ROLE regress_role_32;
 
--- fail, role still owns database objects
-DROP ROLE regress_role_22;
-
--- fail, role still owns other roles
-DROP ROLE regress_role_7;
-
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_1;
 
--- ok
-RESET SESSION AUTHORIZATION;
-DROP INDEX regress_idx_22;
-DROP TABLE regress_tbl_22;
-DROP VIEW regress_view_22;
-DROP ROLE regress_role_22;
+-- ok, no more owned roles remain
 DROP ROLE regress_role_7;
 
 -- fail, cannot drop role with remaining privileges
+RESET SESSION AUTHORIZATION;
 DROP ROLE regress_role_1;
 
 -- ok, can drop role if we revoke privileges first
-- 
2.21.1 (Apple Git-122.3)

From 4ea93b80464b5a977a0267cf8f0e7aa215485ebf Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Wed, 27 Oct 2021 15:10:19 -0700
Subject: [PATCH v2 4/4] Restrict power granted via CREATEROLE.

The CREATEROLE attribute no longer has anything to do with the power
to alter roles or to grant or revoke role membership, but merely the
ability to create new roles, as its name suggests.  The ability to
alter a role is based on role ownership; the ability to grant and
revoke role membership is based on having admin privilege on the
relevant role or alternatively on role ownership, as owners now
implicitly have admin privileges on roles they own.

A role must either be superuser or have the CREATEROLE attribute to
create roles.  This is unchanged from the prior behavior.  A new
principle is adopted, though, to make CREATEROLE less dangerous:  a
role may not create new roles with privileges that the creating role
lacks.  This new principle is intended to prevent privilege
escalation attacks stemming from giving CREATEROLE to a user.  This
is not backwards compatible.  The idea is to fix the CREATEROLE
privilege to not be pathway to gaining superuser, and no
non-breaking change to accomplish that is apparent.

SUPERUSER, REPLICATION, BYPASSRLS, CREATEDB, CREATEROLE and LOGIN
privilege can only be given to new roles by creators who have the
same privilege.  In the case of the CREATEROLE privilege, this is
trivially true, as the creator must necessarily have it or they
couldn't be creating the role to begin with.

The INHERIT attribute is not considered a privilege, and since a
user who belongs to a role may SET ROLE to that role and do anything
that role can do, it isn't clear that treating it as a privilege
would stop any privilege escalation attacks.

The CONNECTION LIMIT and VALID UNTIL attributes are also not
considered privileges, but this design choice is debatable.  One
could think of the ability to log in during a given window of time,
or up to a certain number of connections as a privilege, and
allowing such a restricted role to create a new role with unlimited
connections or no expiration as a privilege escalation which escapes
the intended restrictions.  However, it is just as easy to think of
these limitations as being used to guard against badly written
client programs connecting too many times, or connecting at a time
of day that is not intended.  Since it is unclear which design is
better, this commit is conservative and the handling of these
attributes is unchanged relative to prior behavior.

Since the grammar of the CREATE ROLE command allows specifying roles
into which the new role should be enrolled, and also lists of roles
which become members of the newly created role (as admin or not),
the CREATE ROLE command may now fail if the creating role has
insufficient privilege on the roles so listed.  Such failures were
not possible before, since the CREATEROLE privilege was always
sufficient.
---
 doc/src/sgml/ddl.sgml                     | 12 +--
 doc/src/sgml/ref/alter_role.sgml          | 20 ++---
 doc/src/sgml/ref/comment.sgml             |  8 +-
 doc/src/sgml/ref/create_role.sgml         | 26 +++++--
 doc/src/sgml/ref/drop_role.sgml           |  3 +-
 doc/src/sgml/ref/dropuser.sgml            |  6 +-
 doc/src/sgml/ref/grant.sgml               |  4 +-
 doc/src/sgml/user-manag.sgml              | 44 ++++++-----
 src/backend/catalog/aclchk.c              | 91 +++++++++++++++++++++++
 src/backend/commands/user.c               | 60 +++++++--------
 src/backend/utils/adt/acl.c               | 21 +-----
 src/include/utils/acl.h                   |  5 ++
 src/test/regress/expected/create_role.out | 63 ++++++----------
 src/test/regress/sql/create_role.sql      | 36 ++++-----
 14 files changed, 230 insertions(+), 169 deletions(-)

diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 94f745aed0..53fb0ec1c2 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -3080,9 +3080,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
            doesn't preserve that DROP.
 
            A database owner can attack the database's users via "CREATE SCHEMA
-           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;".  A
-           CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the
-           database owner attack. -->
+           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". -->
       <para>
        Constrain ordinary users to user-private schemas.  To implement this,
        first issue <literal>REVOKE CREATE ON SCHEMA public FROM
@@ -3094,9 +3092,8 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        pattern in a database where untrusted users had already logged in,
        consider auditing the public schema for objects named like objects in
        schema <literal>pg_catalog</literal>.  This pattern is a secure schema
-       usage pattern unless an untrusted user is the database owner or holds
-       the <literal>CREATEROLE</literal> privilege, in which case no secure
-       schema usage pattern exists.
+       usage pattern unless an untrusted user is the database owner, in which
+       case no secure schema usage pattern exists.
       </para>
       <para>
        If the database originated in an upgrade
@@ -3118,8 +3115,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        schema <link linkend="typeconv-func">will be unsafe or
        unreliable</link>.  If you create functions or extensions in the public
        schema, use the first pattern instead.  Otherwise, like the first
-       pattern, this is secure unless an untrusted user is the database owner
-       or holds the <literal>CREATEROLE</literal> privilege.
+       pattern, this is secure unless an untrusted user is the database owner.
       </para>
      </listitem>
 
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
index 5aa5648ae7..96e60d5a09 100644
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -70,18 +70,18 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
    <link linkend="sql-revoke"><command>REVOKE</command></link> for that.)
    Attributes not mentioned in the command retain their previous settings.
    Database superusers can change any of these settings for any role.
-   Roles having <literal>CREATEROLE</literal> privilege can change any of these
-   settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
-   and <literal>BYPASSRLS</literal>; but only for non-superuser and
-   non-replication roles.
-   Ordinary roles can only change their own password.
+   Role owners can change any of these settings on roles they own except
+   <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>, and
+   <literal>BYPASSRLS</literal>; but only for non-superuser and non-replication
+   roles, and only if the role owner does not alter the target role to have a
+   privilege which the role owner itself lacks.  Ordinary roles can only change
+   their own password.
   </para>
 
   <para>
    The second variant changes the name of the role.
    Database superusers can rename any role.
-   Roles having <literal>CREATEROLE</literal> privilege can rename non-superuser
-   roles.
+   Role owners can rename non-superuser roles they own.
    The current session user cannot be renamed.
    (Connect as a different user if you need to do that.)
    Because <literal>MD5</literal>-encrypted passwords use the role name as
@@ -114,9 +114,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
   </para>
 
   <para>
-   Superusers can change anyone's session defaults. Roles having
-   <literal>CREATEROLE</literal> privilege can change defaults for non-superuser
-   roles. Ordinary roles can only set defaults for themselves.
+   Superusers can change anyone's session defaults. Owning roles may change
+   privilege for non-superuser roles they own. Ordinary roles can only set
+   defaults for themselves.
    Certain configuration variables cannot be set this way, or can only be
    set if a superuser issues the command.  Only superusers can change a setting
    for all roles in all databases.
diff --git a/doc/src/sgml/ref/comment.sgml b/doc/src/sgml/ref/comment.sgml
index e07fc47fd3..1ba374f3a1 100644
--- a/doc/src/sgml/ref/comment.sgml
+++ b/doc/src/sgml/ref/comment.sgml
@@ -92,12 +92,8 @@ COMMENT ON
 
   <para>
    For most kinds of object, only the object's owner can set the comment.
-   Roles don't have owners, so the rule for <literal>COMMENT ON ROLE</literal> is
-   that you must be superuser to comment on a superuser role, or have the
-   <literal>CREATEROLE</literal> privilege to comment on non-superuser roles.
-   Likewise, access methods don't have owners either; you must be superuser
-   to comment on an access method.
-   Of course, a superuser can comment on anything.
+   Access methods don't have owners; you must be superuser to comment on an
+   access method.  Of course, a superuser can comment on anything.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index b6a4ea1f72..2e73102562 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -107,8 +107,10 @@ in sync when changing the above synopsis!
         <literal>CREATEDB</literal> is specified, the role being
         defined will be allowed to create new databases. Specifying
         <literal>NOCREATEDB</literal> will deny a role the ability to
-        create databases. If not specified,
-        <literal>NOCREATEDB</literal> is the default.
+        create databases. Only roles with the <literal>CREATEDB</literal>
+        attribute may create roles with the <literal>CREATEDB</literal>
+        attribute. If not specified, <literal>NOCREATEDB</literal> is the
+        default.
        </para>
       </listitem>
      </varlistentry>
@@ -120,8 +122,6 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role will be permitted to
         create new roles (that is, execute <command>CREATE ROLE</command>).
-        A role with <literal>CREATEROLE</literal> privilege can also alter
-        and drop other roles.
         If not specified,
         <literal>NOCREATEROLE</literal> is the default.
        </para>
@@ -163,6 +163,8 @@ in sync when changing the above synopsis!
         <literal>NOLOGIN</literal> is the default, except when
         <command>CREATE ROLE</command> is invoked through its alternative spelling
         <link linkend="sql-createuser"><command>CREATE USER</command></link>.
+        You must have the <literal>LOGIN</literal> attribute to create a new role
+        with the <literal>LOGIN</literal> attribute.
        </para>
       </listitem>
      </varlistentry>
@@ -194,8 +196,8 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role bypasses every row-level
         security (RLS) policy.  <literal>NOBYPASSRLS</literal> is the default.
-        You must be a superuser to create a new role having
-        the <literal>BYPASSRLS</literal> attribute.
+        You must have the <literal>BYPASSRLS</literal> attribute to create a
+        new role having the <literal>BYPASSRLS</literal> attribute.
        </para>
 
        <para>
@@ -281,6 +283,10 @@ in sync when changing the above synopsis!
         member.  (Note that there is no option to add the new role as an
         administrator; use a separate <command>GRANT</command> command to do that.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -301,6 +307,10 @@ in sync when changing the above synopsis!
         roles which are automatically added as members of the new role.
         (This in effect makes the new role a <quote>group</quote>.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -313,6 +323,10 @@ in sync when changing the above synopsis!
         OPTION</literal>, giving them the right to grant membership in this role
         to others.
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/drop_role.sgml b/doc/src/sgml/ref/drop_role.sgml
index 13dc1cc649..c3d57ee8db 100644
--- a/doc/src/sgml/ref/drop_role.sgml
+++ b/doc/src/sgml/ref/drop_role.sgml
@@ -31,8 +31,7 @@ DROP ROLE [ IF EXISTS ] <replaceable class="parameter">name</replaceable> [, ...
   <para>
    <command>DROP ROLE</command> removes the specified role(s).
    To drop a superuser role, you must be a superuser yourself;
-   to drop non-superuser roles, you must have <literal>CREATEROLE</literal>
-   privilege.
+   to drop non-superuser roles, you must own the target role.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/dropuser.sgml b/doc/src/sgml/ref/dropuser.sgml
index 81580507e8..30a99eaf68 100644
--- a/doc/src/sgml/ref/dropuser.sgml
+++ b/doc/src/sgml/ref/dropuser.sgml
@@ -35,9 +35,9 @@ PostgreSQL documentation
   <para>
    <application>dropuser</application> removes an existing
    <productname>PostgreSQL</productname> user.
-   Only superusers and users with the <literal>CREATEROLE</literal> privilege can
-   remove <productname>PostgreSQL</productname> users.  (To remove a
-   superuser, you must yourself be a superuser.)
+   A <productname>PostgreSQL</productname> user may only be removed by its
+   owner or by a superuser.  (To remove a superuser, you must yourself be a
+   superuser.)
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index a897712de2..86fc387af2 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -254,8 +254,8 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
    OPTION</literal> on itself, but it may grant or revoke membership in
    itself from a database session where the session user matches the
    role.  Database superusers can grant or revoke membership in any role
-   to anyone.  Roles having <literal>CREATEROLE</literal> privilege can grant
-   or revoke membership in any role that is not a superuser.
+   to anyone.  Roles can revoke membership in any role they own, and 
+   may grant membership in any role they own to any role they own.
   </para>
 
   <para>
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index afbf67c28c..e7434f3f86 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -198,9 +198,10 @@ CREATE USER <replaceable>name</replaceable>;
         (except for superusers, since those bypass all permission
         checks). To create such a role, use <literal>CREATE ROLE
         <replaceable>name</replaceable> CREATEROLE</literal>.
-        A role with <literal>CREATEROLE</literal> privilege can alter and drop
-        other roles, too, as well as grant or revoke membership in them.
-        However, to create, alter, drop, or change membership of a
+        A role which creates a new role becomes the new role's owner, able to
+        alter or drop that new role, and sharing ownership of any additional
+        objects (including additional roles) that new role creates.
+        To create, alter, drop, or change membership of a
         superuser role, superuser status is required;
         <literal>CREATEROLE</literal> is insufficient for that.
        </para>
@@ -246,11 +247,14 @@ CREATE USER <replaceable>name</replaceable>;
 
   <tip>
    <para>
-    It is good practice to create a role that has the <literal>CREATEDB</literal>
-    and <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
+    It is good practice to create a role that has the
+    <literal>CREATEDB</literal>, <literal>LOGIN</literal> and
+    <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
     use this role for all routine management of databases and roles.  This
-    approach avoids the dangers of operating as a superuser for tasks that
-    do not really require it.
+    approach avoids the dangers of operating as a superuser for tasks that do
+    not really require it.  This role must also have
+    <literal>REPLICATION</literal> if it will create replication users, and
+    must have <literal>BYPASSRLS</literal> if it will create bypassrls users.
    </para>
   </tip>
 
@@ -387,15 +391,22 @@ RESET ROLE;
 
   <para>
    The role attributes <literal>LOGIN</literal>, <literal>SUPERUSER</literal>,
-   <literal>CREATEDB</literal>, and <literal>CREATEROLE</literal> can be thought of as
-   special privileges, but they are never inherited as ordinary privileges
-   on database objects are.  You must actually <command>SET ROLE</command> to a
-   specific role having one of these attributes in order to make use of
-   the attribute.  Continuing the above example, we might choose to
+   <literal>CREATEDB</literal>, <literal>REPLICATION</literal>,
+   <literal>BYPASSRLS</literal>, and <literal>CREATEROLE</literal> can be
+   thought of as special privileges, but they are never inherited as ordinary
+   privileges on database objects are.  You must actually <command>SET
+   ROLE</command> to a specific role having one of these attributes in order to
+   make use of the attribute.  Continuing the above example, we might choose to
    grant <literal>CREATEDB</literal> and <literal>CREATEROLE</literal> to the
-   <literal>admin</literal> role.  Then a session connecting as role <literal>joe</literal>
-   would not have these privileges immediately, only after doing
-   <command>SET ROLE admin</command>.
+   <literal>admin</literal> role.  Then a session connecting as role
+   <literal>joe</literal> would not have these privileges immediately, only
+   after doing <command>SET ROLE admin</command>.  Roles with these attributes
+   may only be created by roles which themselves have these attributes.
+   Superusers may always do so, but non-superuser roles with
+   <literal>CREATEROLE</literal> may only create new roles with
+   <literal>LOGIN</literal>, <literal>CREATEDB</literal>,
+   <literal>REPLICATION</literal>, or <literal>BYPASSRLS</literal> if they
+   themselves have the same attribute.
   </para>
 
   <para>
@@ -493,8 +504,7 @@ DROP ROLE doomed_role;
   <para>
    <productname>PostgreSQL</productname> provides a set of predefined roles
    that provide access to certain, commonly needed, privileged capabilities
-   and information.  Administrators (including roles that have the
-   <literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
+   and information.  Administrators can <command>GRANT</command> these
    roles to users and/or other roles in their environment, providing those
    users with access to the specified capabilities and information.
   </para>
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 4a11a0f124..a72f412e90 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5552,6 +5552,97 @@ has_bypassrls_privilege(Oid roleid)
 	return result;
 }
 
+bool
+has_rolinherit_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+bool
+has_createdb_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreatedb;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+bool
+has_login_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcanlogin;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+bool
+has_replication_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+int32
+role_connection_limit(Oid roleid)
+{
+	int32		result = -1;
+	HeapTuple	utup;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolconnlimit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
 /*
  * Fetch pg_default_acl entry for given role, namespace and object type
  * (object type must be given in pg_default_acl's encoding).
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 57aede76f0..ccc0f46710 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -58,15 +58,6 @@ static void DelRoleMems(const char *rolename, Oid roleid,
 static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
 									Oid newOwnerId);
 
-
-/* Check if current user has createrole privileges */
-static bool
-have_createrole_privilege(void)
-{
-	return has_createrole_privilege(GetUserId());
-}
-
-
 /*
  * CREATE ROLE
  */
@@ -276,24 +267,32 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	}
 	else if (isreplication)
 	{
-		if (!superuser())
+		if (!has_replication_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create replication users")));
+					 errmsg("must have replication privilege to create replication users")));
 	}
 	else if (bypassrls)
 	{
-		if (!superuser())
+		if (!has_bypassrls_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create bypassrls users")));
+					 errmsg("must have bypassrls privilege to create bypassrls users")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to create role")));
+		if (createdb && !has_createdb_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have createdb privilege to create createdb users")));
+		if (canlogin && !has_login_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have login privilege to create login users")));
 	}
 
 	/*
@@ -713,7 +712,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to change bypassrls attribute")));
 	}
-	else if (!have_createrole_privilege())
+	else if (!superuser())
 	{
 		/* We already checked issuper, isreplication, and bypassrls */
 		if (!(inherit < 0 &&
@@ -914,7 +913,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 
 		/*
 		 * To mess with a superuser you gotta be superuser; else you need
-		 * createrole, or just want to change your own settings
+		 * to own the role, or just want to change your own settings
 		 */
 		if (roleform->rolsuper)
 		{
@@ -925,8 +924,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() &&
-				!pg_role_ownercheck(roleid, GetUserId()))
+			if (!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -1039,18 +1037,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_OBJECT_IN_USE),
 					 errmsg("session user cannot be dropped")));
 
-		/*
-		 * For safety's sake, we allow createrole holders to drop ordinary
-		 * roles but not superuser roles.  This is mainly to avoid the
-		 * scenario where you accidentally drop the last superuser.
-		 */
 		if (roleform->rolsuper && !superuser())
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
-		if (!have_createrole_privilege() &&
-			!pg_role_ownercheck(roleid, GetUserId()))
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to drop role")));
@@ -1231,7 +1223,7 @@ RenameRole(const char *oldname, const char *newname)
 				 errmsg("role \"%s\" already exists", newname)));
 
 	/*
-	 * createrole is enough privilege unless you want to mess with a superuser
+	 * role ownership is enough privilege unless you want to mess with a superuser
 	 */
 	if (((Form_pg_authid) GETSTRUCT(oldtuple))->rolsuper)
 	{
@@ -1242,7 +1234,7 @@ RenameRole(const char *oldname, const char *newname)
 	}
 	else
 	{
-		if (!have_createrole_privilege())
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to rename role")));
@@ -1457,7 +1449,7 @@ AddRoleMems(const char *rolename, Oid roleid,
 		return;
 
 	/*
-	 * Check permissions: must have createrole or admin option on the role to
+	 * Check permissions: must be owner or have admin option on the role to
 	 * be changed.  To mess with a superuser role, you gotta be superuser.
 	 */
 	if (superuser_arg(roleid))
@@ -1467,9 +1459,9 @@ AddRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, grantorId) &&
 			!is_admin_of_role(grantorId, roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1645,9 +1637,9 @@ DelRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, GetUserId()) &&
 			!is_admin_of_role(GetUserId(), roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1803,7 +1795,7 @@ AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		 * roles.  Because superusers will always have this right, we need no
 		 * special case for them.
 		 */
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
 						   NameStr(authForm->rolname));
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 04eae9d4e5..3438abbcee 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4656,7 +4656,7 @@ initialize_acl(void)
 		/*
 		 * In normal mode, set a callback on any syscache invalidation of rows
 		 * of pg_auth_members (for roles_is_member_of()), pg_authid (for
-		 * has_rolinherit()), or pg_database (for roles_is_member_of())
+		 * has_rolinherit_privilege()), or pg_database (for roles_is_member_of())
 		 */
 		CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
 									  RoleMembershipCacheCallback,
@@ -4690,23 +4690,6 @@ RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue)
 }
 
 
-/* Check if specified role has rolinherit set */
-static bool
-has_rolinherit(Oid roleid)
-{
-	bool		result = false;
-	HeapTuple	utup;
-
-	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
-	if (HeapTupleIsValid(utup))
-	{
-		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
-		ReleaseSysCache(utup);
-	}
-	return result;
-}
-
-
 /*
  * Get a list of roles that the specified roleid is a member of
  *
@@ -4776,7 +4759,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 		CatCList   *memlist;
 		int			i;
 
-		if (type == ROLERECURSE_PRIVS && !has_rolinherit(memberid))
+		if (type == ROLERECURSE_PRIVS && !has_rolinherit_privilege(memberid))
 			continue;			/* ignore non-inheriting roles */
 
 		/* Find roles that memberid is directly a member of */
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index ec9d480d67..63cde442a8 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -319,5 +319,10 @@ extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
 extern bool pg_role_ownercheck(Oid role_oid, Oid roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
+extern bool has_rolinherit_privilege(Oid roleid);
+extern bool has_createdb_privilege(Oid roleid);
+extern bool has_login_privilege(Oid roleid);
+extern bool has_replication_privilege(Oid roleid);
+extern int32 role_connection_limit(Oid roleid);
 
 #endif							/* ACL_H */
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 492162e5a1..7df3683f2b 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -6,22 +6,16 @@ GRANT CREATE ON DATABASE regression TO regress_role_1;
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_2 SUPERUSER;
 ERROR:  must be superuser to create superusers
+-- ok, can assign privileges the creator has
 CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
-ERROR:  must be superuser to create replication users
 CREATE ROLE regress_role_4 REPLICATION;
-ERROR:  must be superuser to create replication users
 CREATE ROLE regress_role_5 BYPASSRLS;
-ERROR:  must be superuser to create bypassrls users
 -- fail, only superusers can own superusers
 RESET SESSION AUTHORIZATION;
 CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
 ERROR:  must be superuser to own superusers
 -- ok, superuser can create superusers belonging to other superusers
 CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
--- ok, superuser can create users with these privileges for normal role
-CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
-CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
-CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
 \du+ regress_role_2
                                       List of roles
    Role name    |       Owner        |       Attributes        | Member of | Description 
@@ -50,7 +44,10 @@ CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_role_8 LOGIN;
+ERROR:  must have login privilege to create login users
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
@@ -70,12 +67,6 @@ COMMENT ON ROLE regress_role_12 IS 'no login test role';
 ----------------+----------------+---------------------------+-----------+-------------
  regress_role_7 | regress_role_1 | Create role, Cannot login | {}        | 
 
-\du+ regress_role_8
-                             List of roles
-   Role name    |     Owner      | Attributes | Member of | Description 
-----------------+----------------+------------+-----------+-------------
- regress_role_8 | regress_role_1 |            | {}        | 
-
 \du+ regress_role_9
                               List of roles
    Role name    |     Owner      |  Attributes  | Member of | Description 
@@ -108,19 +99,19 @@ NOTICE:  SYSID can no longer be specified
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_role_14 IN ROLE regress_role_super;
 ERROR:  must be superuser to alter superusers
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
-ERROR:  role "pg_database_owner" cannot have explicit members
+ERROR:  must have admin option on role "pg_database_owner"
 -- ok, can grant other users into a role
 CREATE ROLE regress_role_16 ROLE
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 -- fail, cannot grant a role into itself
 CREATE ROLE regress_role_17 ROLE regress_role_17;
 ERROR:  role "regress_role_17" is a member of role "regress_role_17"
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_role_18 ADMIN
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 -- fail, cannot grant a role into itself with admin option
 CREATE ROLE regress_role_19 ADMIN regress_role_19;
@@ -133,8 +124,11 @@ ERROR:  permission denied to create database
 CREATE ROLE regress_role_20;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_role_21 CREATEROLE;
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+ERROR:  must have createdb privilege to create createdb users
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_role_22 CREATEROLE INHERIT CONNECTION LIMIT 5;
 -- ok, regress_role_22 can create objects within the database
 SET SESSION AUTHORIZATION regress_role_22;
 CREATE TABLE regress_tbl_22 (i integer);
@@ -153,17 +147,27 @@ ERROR:  must be member of role "regress_role_1"
 DROP VIEW regress_view_22;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
+ERROR:  must have admin option on role "pg_read_all_data"
 CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
+ERROR:  must have admin option on role "pg_write_all_data"
 CREATE ROLE regress_role_25 IN ROLE pg_monitor;
+ERROR:  must have admin option on role "pg_monitor"
 CREATE ROLE regress_role_26 IN ROLE pg_read_all_settings;
+ERROR:  must have admin option on role "pg_read_all_settings"
 CREATE ROLE regress_role_27 IN ROLE pg_read_all_stats;
+ERROR:  must have admin option on role "pg_read_all_stats"
 CREATE ROLE regress_role_28 IN ROLE pg_stat_scan_tables;
+ERROR:  must have admin option on role "pg_stat_scan_tables"
 CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
+ERROR:  must have admin option on role "pg_read_server_files"
 CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
+ERROR:  must have admin option on role "pg_write_server_files"
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
+ERROR:  must have admin option on role "pg_execute_server_program"
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
+ERROR:  must have admin option on role "pg_signal_backend"
 -- ok, can take ownership from owned roles
 SET SESSION AUTHORIZATION regress_role_1;
 ALTER ROLE regress_role_20 OWNER TO regress_role_1;
@@ -182,19 +186,8 @@ DROP ROLE regress_role_7;
 ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
 DETAIL:  owner of role regress_role_21
 owner of role regress_role_22
-owner of role regress_role_23
-owner of role regress_role_24
-owner of role regress_role_25
-owner of role regress_role_26
-owner of role regress_role_27
-owner of role regress_role_28
-owner of role regress_role_29
-owner of role regress_role_30
-owner of role regress_role_31
-owner of role regress_role_32
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_role_6;
-DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
 DROP ROLE regress_role_11;
@@ -204,16 +197,6 @@ DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
 DROP ROLE regress_role_22;
-DROP ROLE regress_role_23;
-DROP ROLE regress_role_24;
-DROP ROLE regress_role_25;
-DROP ROLE regress_role_26;
-DROP ROLE regress_role_27;
-DROP ROLE regress_role_28;
-DROP ROLE regress_role_29;
-DROP ROLE regress_role_30;
-DROP ROLE regress_role_31;
-DROP ROLE regress_role_32;
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 678f728f52..b1c764cb82 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -6,6 +6,8 @@ GRANT CREATE ON DATABASE regression TO regress_role_1;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_2 SUPERUSER;
+
+-- ok, can assign privileges the creator has
 CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
 CREATE ROLE regress_role_4 REPLICATION;
 CREATE ROLE regress_role_5 BYPASSRLS;
@@ -17,11 +19,6 @@ CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
 -- ok, superuser can create superusers belonging to other superusers
 CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
 
--- ok, superuser can create users with these privileges for normal role
-CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
-CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
-CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
-
 \du+ regress_role_2
 \du+ regress_role_3
 \du+ regress_role_4
@@ -31,7 +28,11 @@ CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
+
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_role_8 LOGIN;
+
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
@@ -42,7 +43,6 @@ COMMENT ON ROLE regress_role_12 IS 'no login test role';
 
 \du+ regress_role_6
 \du+ regress_role_7
-\du+ regress_role_8
 \du+ regress_role_9
 \du+ regress_role_10
 \du+ regress_role_11
@@ -54,12 +54,12 @@ CREATE ROLE regress_role_13 SYSID 12345;
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_role_14 IN ROLE regress_role_super;
 
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
 
 -- ok, can grant other users into a role
 CREATE ROLE regress_role_16 ROLE
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 
 -- fail, cannot grant a role into itself
@@ -67,7 +67,7 @@ CREATE ROLE regress_role_17 ROLE regress_role_17;
 
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_role_18 ADMIN
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 
 -- fail, cannot grant a role into itself with admin option
@@ -83,9 +83,12 @@ CREATE ROLE regress_role_20;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_role_21 CREATEROLE;
 
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
 
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_role_22 CREATEROLE INHERIT CONNECTION LIMIT 5;
+
 -- ok, regress_role_22 can create objects within the database
 SET SESSION AUTHORIZATION regress_role_22;
 CREATE TABLE regress_tbl_22 (i integer);
@@ -108,7 +111,7 @@ DROP VIEW regress_view_22;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
 
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
 CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
 CREATE ROLE regress_role_25 IN ROLE pg_monitor;
@@ -141,7 +144,6 @@ DROP ROLE regress_role_7;
 
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_role_6;
-DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
 DROP ROLE regress_role_11;
@@ -151,16 +153,6 @@ DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
 DROP ROLE regress_role_22;
-DROP ROLE regress_role_23;
-DROP ROLE regress_role_24;
-DROP ROLE regress_role_25;
-DROP ROLE regress_role_26;
-DROP ROLE regress_role_27;
-DROP ROLE regress_role_28;
-DROP ROLE regress_role_29;
-DROP ROLE regress_role_30;
-DROP ROLE regress_role_31;
-DROP ROLE regress_role_32;
 
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
-- 
2.21.1 (Apple Git-122.3)

diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
new file mode 100644
index 0000000000..57010bbb58
--- /dev/null
+++ b/src/test/regress/expected/create_role.out
@@ -0,0 +1,145 @@
+-- ok, superuser can create users with any set of privileges
+CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+-- fail, only superusers can create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
+CREATE ROLE regress_role_2 SUPERUSER;
+ERROR:  must be superuser to create superusers
+CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
+ERROR:  must be superuser to create replication users
+CREATE ROLE regress_role_4 REPLICATION;
+ERROR:  must be superuser to create replication users
+CREATE ROLE regress_role_5 BYPASSRLS;
+ERROR:  must be superuser to create bypassrls users
+-- ok, having CREATEROLE is enough to create users with these privileges
+CREATE ROLE regress_role_6 CREATEDB;
+CREATE ROLE regress_role_7 CREATEROLE;
+CREATE ROLE regress_role_8 LOGIN;
+CREATE ROLE regress_role_9 INHERIT;
+CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
+CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
+CREATE ROLE regress_role_12 PASSWORD NULL;
+-- ok, backwards compatible noise words should be ignored
+CREATE ROLE regress_role_13 SYSID 12345;
+NOTICE:  SYSID can no longer be specified
+-- fail, cannot grant membership in superuser role
+CREATE ROLE regress_role_14 IN ROLE regress_role_super;
+ERROR:  must be superuser to alter superusers
+-- fail, database owner cannot have members
+CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
+ERROR:  role "pg_database_owner" cannot have explicit members
+-- ok, can grant other users into a role
+CREATE ROLE regress_role_16 ROLE
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+-- fail, cannot grant a role into itself
+CREATE ROLE regress_role_17 ROLE regress_role_17;
+ERROR:  role "regress_role_17" is a member of role "regress_role_17"
+-- ok, can grant other users into a role with admin option
+CREATE ROLE regress_role_18 ADMIN
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+-- fail, cannot grant a role into itself with admin option
+CREATE ROLE regress_role_19 ADMIN regress_role_19;
+ERROR:  role "regress_role_19" is a member of role "regress_role_19"
+-- fail, regress_role_7 does not have CREATEDB privilege
+SET SESSION AUTHORIZATION regress_role_7;
+CREATE DATABASE regress_db_7;
+ERROR:  permission denied to create database
+-- ok, regress_role_7 can create new roles
+CREATE ROLE regress_role_20;
+-- ok, roles with CREATEROLE can create new roles with it
+CREATE ROLE regress_role_21 CREATEROLE;
+-- ok, roles with CREATEROLE can create new roles with privilege they lack
+CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+-- ok, regress_role_22 can create objects within the database
+SET SESSION AUTHORIZATION regress_role_22;
+CREATE TABLE regress_tbl_22 (i integer);
+CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
+CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
+REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
+-- fail, these objects belonging to regress_role_22
+SET SESSION AUTHORIZATION regress_role_7;
+DROP INDEX regress_idx_22;
+ERROR:  must be owner of index regress_idx_22
+ALTER TABLE regress_tbl_22 ADD COLUMN t text;
+ERROR:  must be owner of table regress_tbl_22
+DROP TABLE regress_tbl_22;
+ERROR:  must be owner of table regress_tbl_22
+ALTER VIEW regress_view_22 OWNER TO regress_role_1;
+ERROR:  must be owner of view regress_view_22
+DROP VIEW regress_view_22;
+ERROR:  must be owner of view regress_view_22
+-- fail, cannot take ownership of these objects from regress_role_22
+REASSIGN OWNED BY regress_role_22 TO regress_role_7;
+ERROR:  permission denied to reassign objects
+-- ok, having CREATEROLE is enough to create roles in privileged roles
+CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
+CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
+CREATE ROLE regress_role_25 IN ROLE pg_monitor;
+CREATE ROLE regress_role_26 IN ROLE pg_read_all_settings;
+CREATE ROLE regress_role_27 IN ROLE pg_read_all_stats;
+CREATE ROLE regress_role_28 IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
+CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
+CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
+CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
+-- fail, creation of these roles failed above so they do not now exist
+SET SESSION AUTHORIZATION regress_role_1;
+DROP ROLE regress_role_2;
+ERROR:  role "regress_role_2" does not exist
+DROP ROLE regress_role_3;
+ERROR:  role "regress_role_3" does not exist
+DROP ROLE regress_role_4;
+ERROR:  role "regress_role_4" does not exist
+DROP ROLE regress_role_5;
+ERROR:  role "regress_role_5" does not exist
+DROP ROLE regress_role_14;
+ERROR:  role "regress_role_14" does not exist
+DROP ROLE regress_role_15;
+ERROR:  role "regress_role_15" does not exist
+DROP ROLE regress_role_17;
+ERROR:  role "regress_role_17" does not exist
+DROP ROLE regress_role_19;
+ERROR:  role "regress_role_19" does not exist
+DROP ROLE regress_role_20;
+-- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_role_6;
+DROP ROLE regress_role_7;
+DROP ROLE regress_role_8;
+DROP ROLE regress_role_9;
+DROP ROLE regress_role_10;
+DROP ROLE regress_role_11;
+DROP ROLE regress_role_12;
+DROP ROLE regress_role_13;
+DROP ROLE regress_role_16;
+DROP ROLE regress_role_18;
+DROP ROLE regress_role_21;
+DROP ROLE regress_role_23;
+DROP ROLE regress_role_24;
+DROP ROLE regress_role_25;
+DROP ROLE regress_role_26;
+DROP ROLE regress_role_27;
+DROP ROLE regress_role_28;
+DROP ROLE regress_role_29;
+DROP ROLE regress_role_30;
+DROP ROLE regress_role_31;
+DROP ROLE regress_role_32;
+-- fail, role still owns database objects
+DROP ROLE regress_role_22;
+ERROR:  role "regress_role_22" cannot be dropped because some objects depend on it
+DETAIL:  owner of table regress_tbl_22
+owner of view regress_view_22
+-- fail, cannot drop ourself nor superusers
+DROP ROLE regress_role_super;
+ERROR:  must be superuser to drop superusers
+DROP ROLE regress_role_1;
+ERROR:  current user cannot be dropped
+-- ok
+RESET SESSION AUTHORIZATION;
+DROP INDEX regress_idx_22;
+DROP TABLE regress_tbl_22;
+DROP VIEW regress_view_22;
+DROP ROLE regress_role_22;
+DROP ROLE regress_role_1;
+DROP ROLE regress_role_super;
diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule
index 017e962fed..18dfdf5be8 100644
--- a/src/test/regress/parallel_schedule
+++ b/src/test/regress/parallel_schedule
@@ -86,7 +86,7 @@ test: brin_bloom brin_multi
 # ----------
 # Another group of parallel tests
 # ----------
-test: create_table_like alter_generic alter_operator misc async dbsize misc_functions sysviews tsrf tid tidscan tidrangescan collate.icu.utf8 incremental_sort
+test: create_table_like alter_generic alter_operator misc async dbsize misc_functions sysviews tsrf tid tidscan tidrangescan collate.icu.utf8 incremental_sort create_role
 
 # rules cannot run concurrently with any test that creates
 # a view or rule in the public schema
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
new file mode 100644
index 0000000000..e00893de4e
--- /dev/null
+++ b/src/test/regress/sql/create_role.sql
@@ -0,0 +1,138 @@
+-- ok, superuser can create users with any set of privileges
+CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+
+-- fail, only superusers can create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
+CREATE ROLE regress_role_2 SUPERUSER;
+CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
+CREATE ROLE regress_role_4 REPLICATION;
+CREATE ROLE regress_role_5 BYPASSRLS;
+
+-- ok, having CREATEROLE is enough to create users with these privileges
+CREATE ROLE regress_role_6 CREATEDB;
+CREATE ROLE regress_role_7 CREATEROLE;
+CREATE ROLE regress_role_8 LOGIN;
+CREATE ROLE regress_role_9 INHERIT;
+CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
+CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
+CREATE ROLE regress_role_12 PASSWORD NULL;
+
+-- ok, backwards compatible noise words should be ignored
+CREATE ROLE regress_role_13 SYSID 12345;
+
+-- fail, cannot grant membership in superuser role
+CREATE ROLE regress_role_14 IN ROLE regress_role_super;
+
+-- fail, database owner cannot have members
+CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
+
+-- ok, can grant other users into a role
+CREATE ROLE regress_role_16 ROLE
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+
+-- fail, cannot grant a role into itself
+CREATE ROLE regress_role_17 ROLE regress_role_17;
+
+-- ok, can grant other users into a role with admin option
+CREATE ROLE regress_role_18 ADMIN
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+
+-- fail, cannot grant a role into itself with admin option
+CREATE ROLE regress_role_19 ADMIN regress_role_19;
+
+-- fail, regress_role_7 does not have CREATEDB privilege
+SET SESSION AUTHORIZATION regress_role_7;
+CREATE DATABASE regress_db_7;
+
+-- ok, regress_role_7 can create new roles
+CREATE ROLE regress_role_20;
+
+-- ok, roles with CREATEROLE can create new roles with it
+CREATE ROLE regress_role_21 CREATEROLE;
+
+-- ok, roles with CREATEROLE can create new roles with privilege they lack
+CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+
+-- ok, regress_role_22 can create objects within the database
+SET SESSION AUTHORIZATION regress_role_22;
+CREATE TABLE regress_tbl_22 (i integer);
+CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
+CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
+REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
+
+-- fail, these objects belonging to regress_role_22
+SET SESSION AUTHORIZATION regress_role_7;
+DROP INDEX regress_idx_22;
+ALTER TABLE regress_tbl_22 ADD COLUMN t text;
+DROP TABLE regress_tbl_22;
+ALTER VIEW regress_view_22 OWNER TO regress_role_1;
+DROP VIEW regress_view_22;
+
+-- fail, cannot take ownership of these objects from regress_role_22
+REASSIGN OWNED BY regress_role_22 TO regress_role_7;
+
+-- ok, having CREATEROLE is enough to create roles in privileged roles
+CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
+CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
+CREATE ROLE regress_role_25 IN ROLE pg_monitor;
+CREATE ROLE regress_role_26 IN ROLE pg_read_all_settings;
+CREATE ROLE regress_role_27 IN ROLE pg_read_all_stats;
+CREATE ROLE regress_role_28 IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
+CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
+CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
+CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
+
+-- fail, creation of these roles failed above so they do not now exist
+SET SESSION AUTHORIZATION regress_role_1;
+DROP ROLE regress_role_2;
+DROP ROLE regress_role_3;
+DROP ROLE regress_role_4;
+DROP ROLE regress_role_5;
+DROP ROLE regress_role_14;
+DROP ROLE regress_role_15;
+DROP ROLE regress_role_17;
+DROP ROLE regress_role_19;
+DROP ROLE regress_role_20;
+
+-- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_role_6;
+DROP ROLE regress_role_7;
+DROP ROLE regress_role_8;
+DROP ROLE regress_role_9;
+DROP ROLE regress_role_10;
+DROP ROLE regress_role_11;
+DROP ROLE regress_role_12;
+DROP ROLE regress_role_13;
+DROP ROLE regress_role_16;
+DROP ROLE regress_role_18;
+DROP ROLE regress_role_21;
+DROP ROLE regress_role_23;
+DROP ROLE regress_role_24;
+DROP ROLE regress_role_25;
+DROP ROLE regress_role_26;
+DROP ROLE regress_role_27;
+DROP ROLE regress_role_28;
+DROP ROLE regress_role_29;
+DROP ROLE regress_role_30;
+DROP ROLE regress_role_31;
+DROP ROLE regress_role_32;
+
+-- fail, role still owns database objects
+DROP ROLE regress_role_22;
+
+-- fail, cannot drop ourself nor superusers
+DROP ROLE regress_role_super;
+DROP ROLE regress_role_1;
+
+-- ok
+RESET SESSION AUTHORIZATION;
+DROP INDEX regress_idx_22;
+DROP TABLE regress_tbl_22;
+DROP VIEW regress_view_22;
+DROP ROLE regress_role_22;
+DROP ROLE regress_role_1;
+DROP ROLE regress_role_super;

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index ce0a4ff14e..ddd205d656 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -3385,6 +3385,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("permission denied for publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("permission denied for role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("permission denied for routine %s");
 						break;
@@ -3429,7 +3432,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_RULE:
 					case OBJECT_TABCONSTRAINT:
 					case OBJECT_TRANSFORM:
@@ -3511,6 +3513,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("must be owner of publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("must be owner of role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("must be owner of routine %s");
 						break;
@@ -3569,7 +3574,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_TRANSFORM:
 					case OBJECT_TSPARSER:
 					case OBJECT_TSTEMPLATE:
@@ -5430,6 +5434,57 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 	return has_privs_of_role(roleid, ownerId);
 }
 
+/*
+ * Ownership check for a role (specified by OID)
+ */
+bool
+pg_role_ownercheck(Oid role_oid, Oid roleid)
+{
+	HeapTuple		tuple;
+	Form_pg_authid	authform;
+	Oid				owner_oid;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	/* Otherwise, look up the owner of the role */
+	tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
+	if (!HeapTupleIsValid(tuple))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role with OID %u does not exist",
+						role_oid)));
+	authform = (Form_pg_authid) GETSTRUCT(tuple);
+	owner_oid = authform->rolowner;
+
+	/*
+	 * Roles must necessarily have owners.  Even the bootstrap user has an
+	 * owner.  (It owns itself).  Other roles must form a proper tree.
+	 */
+	if (!OidIsValid(owner_oid))
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u has invalid owner",
+						authform->rolname.data, authform->oid)));
+	if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+		authform->rolowner == authform->oid)
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u owns itself",
+						authform->rolname.data, authform->oid)));
+	if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+		authform->rolowner != BOOTSTRAP_SUPERUSERID)
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+						authform->rolname.data, authform->oid,
+						authform->rolowner)));
+	ReleaseSysCache(tuple);
+
+	return (owner_oid == roleid);
+}
+
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
  *
diff --git a/src/backend/catalog/pg_shdepend.c b/src/backend/catalog/pg_shdepend.c
index c20b1fbb96..9842a35a41 100644
--- a/src/backend/catalog/pg_shdepend.c
+++ b/src/backend/catalog/pg_shdepend.c
@@ -61,6 +61,7 @@
 #include "commands/tablecmds.h"
 #include "commands/tablespace.h"
 #include "commands/typecmds.h"
+#include "commands/user.h"
 #include "miscadmin.h"
 #include "storage/lmgr.h"
 #include "utils/acl.h"
@@ -1578,6 +1579,10 @@ shdepReassignOwned(List *roleids, Oid newrole)
 					AlterSubscriptionOwner_oid(sdepForm->objid, newrole);
 					break;
 
+				case AuthIdRelationId:
+					AlterRoleOwner_oid(sdepForm->objid, newrole);
+					break;
+
 					/* Generic alter owner cases */
 				case CollationRelationId:
 				case ConversionRelationId:
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index 61b515cdb8..85f8fc7d4c 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -17,6 +17,7 @@
 CREATE VIEW pg_roles AS
     SELECT
         rolname,
+        pg_get_userbyid(rolowner) AS rolowner,
         rolsuper,
         rolinherit,
         rolcreaterole,
diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
index 40044070cf..eb407cfc4c 100644
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@@ -840,6 +840,9 @@ ExecAlterOwnerStmt(AlterOwnerStmt *stmt)
 		case OBJECT_DATABASE:
 			return AlterDatabaseOwner(strVal(stmt->object), newowner);
 
+		case OBJECT_ROLE:
+			return AlterRoleOwner(strVal(stmt->object), newowner);
+
 		case OBJECT_SCHEMA:
 			return AlterSchemaOwner(strVal(stmt->object), newowner);
 
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index c8c0dd0dd5..e1296020b3 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -55,6 +55,8 @@ static void AddRoleMems(const char *rolename, Oid roleid,
 static void DelRoleMems(const char *rolename, Oid roleid,
 						List *memberSpecs, List *memberIds,
 						bool admin_opt);
+static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
+									Oid newOwnerId);
 
 
 /* Check if current user has createrole privileges */
@@ -77,6 +79,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	Datum		new_record[Natts_pg_authid];
 	bool		new_record_nulls[Natts_pg_authid];
 	Oid			roleid;
+	Oid			owner_uid;
+	Oid			saved_uid;
+	int			save_sec_context;
 	ListCell   *item;
 	ListCell   *option;
 	char	   *password = NULL;	/* user password */
@@ -108,6 +113,16 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	DefElem    *dvalidUntil = NULL;
 	DefElem    *dbypassRLS = NULL;
 
+	GetUserIdAndSecContext(&saved_uid, &save_sec_context);
+
+	/*
+	 * Who is supposed to own the new role?
+	 */
+	if (stmt->authrole)
+		owner_uid = get_rolespec_oid(stmt->authrole, false);
+	else
+		owner_uid = saved_uid;
+
 	/* The defaults can vary depending on the original statement type */
 	switch (stmt->stmt_type)
 	{
@@ -254,6 +269,10 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to create superusers")));
+		if (!superuser_arg(owner_uid))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must be superuser to own superusers")));
 	}
 	else if (isreplication)
 	{
@@ -310,6 +329,19 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 				 errmsg("role \"%s\" already exists",
 						stmt->role)));
 
+	/*
+	 * If the requested authorization is different from the current user,
+	 * temporarily set the current user so that the object(s) will be created
+	 * with the correct ownership.
+	 *
+	 * (The setting will be restored at the end of this routine, or in case of
+	 * error, transaction abort will clean things up.)
+	 */
+	if (saved_uid != owner_uid)
+		SetUserIdAndSecContext(owner_uid,
+							   save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+
+
 	/* Convert validuntil to internal form */
 	if (validUntil)
 	{
@@ -345,6 +377,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 		DirectFunctionCall1(namein, CStringGetDatum(stmt->role));
 
 	new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper);
+	new_record[Anum_pg_authid_rolowner - 1] = ObjectIdGetDatum(owner_uid);
 	new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
 	new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
 	new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
@@ -422,6 +455,8 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	CatalogTupleInsert(pg_authid_rel, tuple);
 
+	recordDependencyOnOwner(AuthIdRelationId, roleid, owner_uid);
+
 	/*
 	 * Advance command counter so we can see new record; else tests in
 	 * AddRoleMems may fail.
@@ -478,6 +513,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	table_close(pg_authid_rel, NoLock);
 
+	/* Reset current user and security context */
+	SetUserIdAndSecContext(saved_uid, save_sec_context);
+
 	return roleid;
 }
 
@@ -1078,8 +1116,9 @@ DropRole(DropRoleStmt *stmt)
 		systable_endscan(sscan);
 
 		/*
-		 * Remove any comments or security labels on this role.
+		 * Remove any dependencies, comments or security labels on this role.
 		 */
+		deleteSharedDependencyRecordsFor(AuthIdRelationId, roleid, 0);
 		DeleteSharedComments(roleid, AuthIdRelationId);
 		DeleteSharedSecurityLabel(roleid, AuthIdRelationId);
 
@@ -1686,3 +1725,104 @@ DelRoleMems(const char *rolename, Oid roleid,
 	 */
 	table_close(pg_authmem_rel, NoLock);
 }
+
+/*
+ * Change role owner
+ */
+ObjectAddress
+AlterRoleOwner(const char *name, Oid newOwnerId)
+{
+	Oid                     roleid;
+	HeapTuple       tup;
+	Relation        rel;
+	ObjectAddress address;
+	Form_pg_authid authform;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHNAME, CStringGetDatum(name));
+	if (!HeapTupleIsValid(tup))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role \"%s\" does not exist", name)));
+
+	authform = (Form_pg_authid) GETSTRUCT(tup);
+	roleid = authform->oid;
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ObjectAddressSet(address, AuthIdRelationId, roleid);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+
+	return address;
+}
+
+void
+AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId)
+{
+	HeapTuple	tup;
+	Relation	rel;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleOid));
+	if (!HeapTupleIsValid(tup))
+		elog(ERROR, "cache lookup failed for role %u", roleOid);
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+}
+
+static void
+AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
+{
+	Form_pg_authid authForm;
+
+	Assert(tup->t_tableOid == AuthIdRelationId);
+	Assert(RelationGetRelid(rel) == AuthIdRelationId);
+
+	authForm = (Form_pg_authid) GETSTRUCT(tup);
+
+	/*
+	 * If the new owner is the same as the existing owner, consider the
+	 * command to have succeeded.  This is for dump restoration purposes.
+	 */
+	if (authForm->rolowner != newOwnerId)
+	{
+		/* Otherwise, must be owner of the existing object */
+		if (!pg_role_ownercheck(authForm->oid, GetUserId()))
+			aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		/* Must be able to become new owner */
+		check_is_member_of_role(GetUserId(), newOwnerId);
+
+		/*
+		 * must have CREATEROLE rights
+		 *
+		 * NOTE: This is different from most other alter-owner checks in that
+		 * the current user is checked for create privileges instead of the
+		 * destination owner.  This is consistent with the CREATE case for
+		 * roles.  Because superusers will always have this right, we need no
+		 * special case for them.
+		 */
+		if (!have_createrole_privilege())
+			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		authForm->rolowner = newOwnerId;
+		CatalogTupleUpdate(rel, &tup->t_self, tup);
+
+		/* Update owner dependency reference */
+		changeDependencyOnOwner(AuthIdRelationId, authForm->oid, newOwnerId);
+	}
+
+	InvokeObjectPostAlterHook(AuthIdRelationId,
+							  authForm->oid, 0);
+}
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
index df0b747883..939d445abb 100644
--- a/src/backend/nodes/copyfuncs.c
+++ b/src/backend/nodes/copyfuncs.c
@@ -4518,6 +4518,7 @@ _copyCreateRoleStmt(const CreateRoleStmt *from)
 
 	COPY_SCALAR_FIELD(stmt_type);
 	COPY_STRING_FIELD(role);
+	COPY_NODE_FIELD(authrole);
 	COPY_NODE_FIELD(options);
 
 	return newnode;
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
index cb7ddd463c..f717f5d1e0 100644
--- a/src/backend/nodes/equalfuncs.c
+++ b/src/backend/nodes/equalfuncs.c
@@ -2128,6 +2128,7 @@ _equalCreateRoleStmt(const CreateRoleStmt *a, const CreateRoleStmt *b)
 {
 	COMPARE_SCALAR_FIELD(stmt_type);
 	COMPARE_STRING_FIELD(role);
+	COMPARE_NODE_FIELD(authrole);
 	COMPARE_NODE_FIELD(options);
 
 	return true;
diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
index 3d4dd43e47..3512392888 100644
--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -1077,9 +1077,20 @@ CreateRoleStmt:
 					CreateRoleStmt *n = makeNode(CreateRoleStmt);
 					n->stmt_type = ROLESTMT_ROLE;
 					n->role = $3;
+					n->authrole = NULL;
 					n->options = $5;
 					$$ = (Node *)n;
 				}
+			|
+			CREATE ROLE RoleId AUTHORIZATION RoleSpec opt_with OptRoleList
+				{
+					CreateRoleStmt *n = makeNode(CreateRoleStmt);
+					n->stmt_type = ROLESTMT_ROLE;
+					n->role = $3;
+					n->authrole = $5;
+					n->options = $7;
+					$$ = (Node *)n;
+				}
 		;
 
 
@@ -1218,6 +1229,10 @@ CreateOptRoleElem:
 				{
 					$$ = makeDefElem("addroleto", (Node *)$3, @1);
 				}
+			| OWNER RoleSpec
+				{
+					$$ = makeDefElem("owner", (Node *)$2, @1);
+				}
 		;
 
 
@@ -9587,6 +9602,14 @@ AlterOwnerStmt: ALTER AGGREGATE aggregate_with_argtypes OWNER TO RoleSpec
 					n->newowner = $6;
 					$$ = (Node *)n;
 				}
+			| ALTER ROLE name OWNER TO RoleSpec
+				{
+					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
+					n->objectType = OBJECT_ROLE;
+					n->object = (Node *) makeString($3);
+					n->newowner = $6;
+					$$ = (Node *)n;
+				}
 			| ALTER ROUTINE function_with_argtypes OWNER TO RoleSpec
 				{
 					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
diff --git a/src/bin/psql/describe.c b/src/bin/psql/describe.c
index c28788e84f..3d3b30f289 100644
--- a/src/bin/psql/describe.c
+++ b/src/bin/psql/describe.c
@@ -3488,6 +3488,12 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 		appendPQExpBufferStr(&buf, "\n, r.rolbypassrls");
 	}
 
+	if (pset.sversion >= 150000)
+	{
+		appendPQExpBufferStr(&buf, "\n, r.rolowner");
+		ncols++;
+	}
+
 	appendPQExpBufferStr(&buf, "\nFROM pg_catalog.pg_roles r\n");
 
 	if (!showSystem && !pattern)
@@ -3508,6 +3514,8 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	printTableInit(&cont, &myopt, _("List of roles"), ncols, nrows);
 
 	printTableAddHeader(&cont, gettext_noop("Role name"), true, align);
+	if (pset.sversion >= 150000)
+		printTableAddHeader(&cont, gettext_noop("Owner"), true, align);
 	printTableAddHeader(&cont, gettext_noop("Attributes"), true, align);
 	/* ignores implicit memberships from superuser & pg_database_owner */
 	printTableAddHeader(&cont, gettext_noop("Member of"), true, align);
@@ -3519,6 +3527,10 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	{
 		printTableAddCell(&cont, PQgetvalue(res, i, 0), false, false);
 
+		if (pset.sversion >= 150000)
+			printTableAddCell(&cont, PQgetvalue(res, i, (verbose ? 12 : 11)),
+							  false, false);
+
 		resetPQExpBuffer(&buf);
 		if (strcmp(PQgetvalue(res, i, 1), "t") == 0)
 			add_role_attribute(&buf, _("Superuser"));
diff --git a/src/include/catalog/pg_authid.h b/src/include/catalog/pg_authid.h
index 2d7115e31d..cce43388d8 100644
--- a/src/include/catalog/pg_authid.h
+++ b/src/include/catalog/pg_authid.h
@@ -32,6 +32,7 @@ CATALOG(pg_authid,1260,AuthIdRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_OID(284
 {
 	Oid			oid;			/* oid */
 	NameData	rolname;		/* name of role */
+	Oid			rolowner BKI_DEFAULT(POSTGRES) BKI_LOOKUP(pg_authid); /* owner of this role */
 	bool		rolsuper;		/* read this field via superuser() only! */
 	bool		rolinherit;		/* inherit privileges from other roles? */
 	bool		rolcreaterole;	/* allowed to create more roles? */
diff --git a/src/include/commands/user.h b/src/include/commands/user.h
index 0b7a3cd65f..c32127e41e 100644
--- a/src/include/commands/user.h
+++ b/src/include/commands/user.h
@@ -33,5 +33,7 @@ extern ObjectAddress RenameRole(const char *oldname, const char *newname);
 extern void DropOwnedObjects(DropOwnedStmt *stmt);
 extern void ReassignOwnedObjects(ReassignOwnedStmt *stmt);
 extern List *roleSpecsToIds(List *memberNames);
+extern ObjectAddress AlterRoleOwner(const char *name, Oid newOwnerId);
+extern void AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId);
 
 #endif							/* USER_H */
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 4c5a8a39bf..59409edb56 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -2622,6 +2622,7 @@ typedef struct CreateRoleStmt
 	NodeTag		type;
 	RoleStmtType stmt_type;		/* ROLE/USER/GROUP */
 	char	   *role;			/* role name */
+	RoleSpec   *authrole;		/* the owner of the created role */
 	List	   *options;		/* List of DefElem nodes */
 } CreateRoleStmt;
 
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index af771c901d..ec9d480d67 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -316,6 +316,7 @@ extern bool pg_extension_ownercheck(Oid ext_oid, Oid roleid);
 extern bool pg_publication_ownercheck(Oid pub_oid, Oid roleid);
 extern bool pg_subscription_ownercheck(Oid sub_oid, Oid roleid);
 extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
+extern bool pg_role_ownercheck(Oid role_oid, Oid roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
 
diff --git a/src/test/modules/unsafe_tests/expected/rolenames.out b/src/test/modules/unsafe_tests/expected/rolenames.out
index eb608fdc2e..8b79a63b80 100644
--- a/src/test/modules/unsafe_tests/expected/rolenames.out
+++ b/src/test/modules/unsafe_tests/expected/rolenames.out
@@ -1086,6 +1086,10 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 \c
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
+ERROR:  role "regress_testrol2" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_haspriv
+owner of role regress_role_nopriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/modules/unsafe_tests/sql/rolenames.sql b/src/test/modules/unsafe_tests/sql/rolenames.sql
index adac36536d..95a54ce70d 100644
--- a/src/test/modules/unsafe_tests/sql/rolenames.sql
+++ b/src/test/modules/unsafe_tests/sql/rolenames.sql
@@ -499,6 +499,7 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 57010bbb58..e1ce5f3a66 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -1,6 +1,7 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_1;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_2 SUPERUSER;
@@ -11,14 +12,95 @@ CREATE ROLE regress_role_4 REPLICATION;
 ERROR:  must be superuser to create replication users
 CREATE ROLE regress_role_5 BYPASSRLS;
 ERROR:  must be superuser to create bypassrls users
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
+ERROR:  must be superuser to own superusers
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
+-- ok, superuser can create users with these privileges for normal role
+CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
+CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
+CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
+\du+ regress_role_2
+                                      List of roles
+   Role name    |       Owner        |       Attributes        | Member of | Description 
+----------------+--------------------+-------------------------+-----------+-------------
+ regress_role_2 | regress_role_super | Superuser, Cannot login | {}        | 
+
+\du+ regress_role_3
+                                           List of roles
+   Role name    |     Owner      |              Attributes               | Member of | Description 
+----------------+----------------+---------------------------------------+-----------+-------------
+ regress_role_3 | regress_role_1 | Cannot login, Replication, Bypass RLS | {}        | 
+
+\du+ regress_role_4
+                                     List of roles
+   Role name    |     Owner      |        Attributes         | Member of | Description 
+----------------+----------------+---------------------------+-----------+-------------
+ regress_role_4 | regress_role_1 | Cannot login, Replication | {}        | 
+
+\du+ regress_role_5
+                                    List of roles
+   Role name    |     Owner      |        Attributes        | Member of | Description 
+----------------+----------------+--------------------------+-----------+-------------
+ regress_role_5 | regress_role_1 | Cannot login, Bypass RLS | {}        | 
+
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
 CREATE ROLE regress_role_8 LOGIN;
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
-CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_role_12 PASSWORD NULL;
+CREATE ROLE regress_role_11 PASSWORD NULL;
+CREATE ROLE regress_role_12
+  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+\du+ regress_role_6
+                                    List of roles
+   Role name    |     Owner      |       Attributes        | Member of | Description 
+----------------+----------------+-------------------------+-----------+-------------
+ regress_role_6 | regress_role_1 | Create DB, Cannot login | {}        | 
+
+\du+ regress_role_7
+                                     List of roles
+   Role name    |     Owner      |        Attributes         | Member of | Description 
+----------------+----------------+---------------------------+-----------+-------------
+ regress_role_7 | regress_role_1 | Create role, Cannot login | {}        | 
+
+\du+ regress_role_8
+                             List of roles
+   Role name    |     Owner      | Attributes | Member of | Description 
+----------------+----------------+------------+-----------+-------------
+ regress_role_8 | regress_role_1 |            | {}        | 
+
+\du+ regress_role_9
+                              List of roles
+   Role name    |     Owner      |  Attributes  | Member of | Description 
+----------------+----------------+--------------+-----------+-------------
+ regress_role_9 | regress_role_1 | Cannot login | {}        | 
+
+\du+ regress_role_10
+                               List of roles
+    Role name    |     Owner      |  Attributes   | Member of | Description 
+-----------------+----------------+---------------+-----------+-------------
+ regress_role_10 | regress_role_1 | Cannot login +| {}        | 
+                 |                | 5 connections |           | 
+
+\du+ regress_role_11
+                               List of roles
+    Role name    |     Owner      |  Attributes  | Member of | Description 
+-----------------+----------------+--------------+-----------+-------------
+ regress_role_11 | regress_role_1 | Cannot login | {}        | 
+
+\du+ regress_role_12
+                                                      List of roles
+    Role name    |     Owner      |       Attributes       |                   Member of                    | Description 
+-----------------+----------------+------------------------+------------------------------------------------+-------------
+ regress_role_12 | regress_role_1 | Create role, Create DB+| {regress_role_6,regress_role_7,regress_role_8} | 
+                 |                | 2 connections          |                                                | 
+
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_role_13 SYSID 12345;
 NOTICE:  SYSID can no longer be specified
@@ -84,16 +166,24 @@ CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
 CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot take ownership of these objects from regress_role_7
 SET SESSION AUTHORIZATION regress_role_1;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+ERROR:  must be owner of role regress_role_20
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+ERROR:  permission denied to reassign objects
+-- superuser can do it, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_role_2;
-ERROR:  role "regress_role_2" does not exist
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
-ERROR:  role "regress_role_3" does not exist
 DROP ROLE regress_role_4;
-ERROR:  role "regress_role_4" does not exist
 DROP ROLE regress_role_5;
-ERROR:  role "regress_role_5" does not exist
 DROP ROLE regress_role_14;
 ERROR:  role "regress_role_14" does not exist
 DROP ROLE regress_role_15;
@@ -103,9 +193,23 @@ ERROR:  role "regress_role_17" does not exist
 DROP ROLE regress_role_19;
 ERROR:  role "regress_role_19" does not exist
 DROP ROLE regress_role_20;
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_role_6;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_role_7;
+ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_21
+owner of role regress_role_22
+owner of role regress_role_23
+owner of role regress_role_24
+owner of role regress_role_25
+owner of role regress_role_26
+owner of role regress_role_27
+owner of role regress_role_28
+owner of role regress_role_29
+owner of role regress_role_30
+owner of role regress_role_31
+owner of role regress_role_32
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_role_6;
 DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
@@ -130,6 +234,10 @@ DROP ROLE regress_role_22;
 ERROR:  role "regress_role_22" cannot be dropped because some objects depend on it
 DETAIL:  owner of table regress_tbl_22
 owner of view regress_view_22
+-- fail, role still owns other roles
+DROP ROLE regress_role_7;
+ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_22
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
@@ -141,5 +249,12 @@ DROP INDEX regress_idx_22;
 DROP TABLE regress_tbl_22;
 DROP VIEW regress_view_22;
 DROP ROLE regress_role_22;
+DROP ROLE regress_role_7;
+-- fail, cannot drop role with remaining privileges
+DROP ROLE regress_role_1;
+ERROR:  role "regress_role_1" cannot be dropped because some objects depend on it
+DETAIL:  privileges for database regression
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_1;
 DROP ROLE regress_role_1;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/expected/oidjoins.out b/src/test/regress/expected/oidjoins.out
index 215eb899be..266a30a85b 100644
--- a/src/test/regress/expected/oidjoins.out
+++ b/src/test/regress/expected/oidjoins.out
@@ -194,6 +194,7 @@ NOTICE:  checking pg_database {dattablespace} => pg_tablespace {oid}
 NOTICE:  checking pg_db_role_setting {setdatabase} => pg_database {oid}
 NOTICE:  checking pg_db_role_setting {setrole} => pg_authid {oid}
 NOTICE:  checking pg_tablespace {spcowner} => pg_authid {oid}
+NOTICE:  checking pg_authid {rolowner} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {roleid} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {member} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {grantor} => pg_authid {oid}
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 0bc79be03d..7ed1ee84a5 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -27,8 +27,10 @@ CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
 CREATE USER regress_priv_user5;	-- duplicate
 ERROR:  role "regress_priv_user5" already exists
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 CREATE USER regress_priv_user8;
 CREATE USER regress_priv_user9;
 CREATE USER regress_priv_user10;
@@ -2358,7 +2360,12 @@ DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
 DROP USER regress_priv_user6;
+ERROR:  role "regress_priv_user6" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_priv_user7
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 ERROR:  role "regress_priv_user8" does not exist
 -- permissions with LOCK TABLE
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index b58b062b10..6bce5a005d 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1482,6 +1482,7 @@ pg_replication_slots| SELECT l.slot_name,
    FROM (pg_get_replication_slots() l(slot_name, plugin, slot_type, datoid, temporary, active, active_pid, xmin, catalog_xmin, restart_lsn, confirmed_flush_lsn, wal_status, safe_wal_size, two_phase)
      LEFT JOIN pg_database d ON ((l.datoid = d.oid)));
 pg_roles| SELECT pg_authid.rolname,
+    pg_get_userbyid(pg_authid.rolowner) AS rolowner,
     pg_authid.rolsuper,
     pg_authid.rolinherit,
     pg_authid.rolcreaterole,
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index e00893de4e..8a4f177574 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -1,6 +1,7 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_1;
 
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_1;
@@ -9,14 +10,42 @@ CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
 CREATE ROLE regress_role_4 REPLICATION;
 CREATE ROLE regress_role_5 BYPASSRLS;
 
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
+
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
+
+-- ok, superuser can create users with these privileges for normal role
+CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
+CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
+CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
+
+\du+ regress_role_2
+\du+ regress_role_3
+\du+ regress_role_4
+\du+ regress_role_5
+
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
 CREATE ROLE regress_role_8 LOGIN;
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
-CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_role_12 PASSWORD NULL;
+CREATE ROLE regress_role_11 PASSWORD NULL;
+CREATE ROLE regress_role_12
+  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+
+\du+ regress_role_6
+\du+ regress_role_7
+\du+ regress_role_8
+\du+ regress_role_9
+\du+ regress_role_10
+\du+ regress_role_11
+\du+ regress_role_12
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_role_13 SYSID 12345;
@@ -86,9 +115,22 @@ CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
 
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot take ownership of these objects from regress_role_7
 SET SESSION AUTHORIZATION regress_role_1;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+
+-- superuser can do it, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_role_2;
+
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
 DROP ROLE regress_role_4;
 DROP ROLE regress_role_5;
@@ -98,9 +140,11 @@ DROP ROLE regress_role_17;
 DROP ROLE regress_role_19;
 DROP ROLE regress_role_20;
 
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_role_6;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_role_7;
+
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_role_6;
 DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
@@ -124,6 +168,9 @@ DROP ROLE regress_role_32;
 -- fail, role still owns database objects
 DROP ROLE regress_role_22;
 
+-- fail, role still owns other roles
+DROP ROLE regress_role_7;
+
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_1;
@@ -134,5 +181,12 @@ DROP INDEX regress_idx_22;
 DROP TABLE regress_tbl_22;
 DROP VIEW regress_view_22;
 DROP ROLE regress_role_22;
+DROP ROLE regress_role_7;
+
+-- fail, cannot drop role with remaining privileges
+DROP ROLE regress_role_1;
+
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_1;
 DROP ROLE regress_role_1;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index c8c545b64c..48de54a930 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -29,9 +29,13 @@ CREATE USER regress_priv_user2;
 CREATE USER regress_priv_user3;
 CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
+
 CREATE USER regress_priv_user5;	-- duplicate
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 CREATE USER regress_priv_user8;
 CREATE USER regress_priv_user9;
 CREATE USER regress_priv_user10;
@@ -1426,8 +1430,14 @@ DROP USER regress_priv_user2;
 DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
+
 DROP USER regress_priv_user6;
+
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 
 

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index ddd205d656..4a11a0f124 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5440,61 +5440,79 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 bool
 pg_role_ownercheck(Oid role_oid, Oid roleid)
 {
-	HeapTuple		tuple;
-	Form_pg_authid	authform;
-	Oid				owner_oid;
-
 	/* Superusers bypass all permission checking. */
 	if (superuser_arg(roleid))
 		return true;
 
-	/* Otherwise, look up the owner of the role */
-	tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
-	if (!HeapTupleIsValid(tuple))
-		ereport(ERROR,
-				(errcode(ERRCODE_UNDEFINED_OBJECT),
-				 errmsg("role with OID %u does not exist",
-						role_oid)));
-	authform = (Form_pg_authid) GETSTRUCT(tuple);
-	owner_oid = authform->rolowner;
-
 	/*
-	 * Roles must necessarily have owners.  Even the bootstrap user has an
-	 * owner.  (It owns itself).  Other roles must form a proper tree.
+	 * Start with the owned role and traverse the ownership hierarchy upward.
+	 * We stop when we find the owner we are looking for or when we reach the
+	 * top.
 	 */
-	if (!OidIsValid(owner_oid))
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u has invalid owner",
-						authform->rolname.data, authform->oid)));
-	if (authform->oid != BOOTSTRAP_SUPERUSERID &&
-		authform->rolowner == authform->oid)
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u owns itself",
-						authform->rolname.data, authform->oid)));
-	if (authform->oid == BOOTSTRAP_SUPERUSERID &&
-		authform->rolowner != BOOTSTRAP_SUPERUSERID)
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u owned by role with OID %u",
-						authform->rolname.data, authform->oid,
-						authform->rolowner)));
-	ReleaseSysCache(tuple);
+	while (OidIsValid(role_oid))
+	{
+		HeapTuple		tuple;
+		Form_pg_authid	authform;
+		Oid				owner_oid;
+
+		/* Find the owner of the current iteration's role */
+		tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
+		if (!HeapTupleIsValid(tuple))
+			ereport(ERROR,
+					(errcode(ERRCODE_UNDEFINED_OBJECT),
+					 errmsg("role with OID %u does not exist",
+							role_oid)));
+		authform = (Form_pg_authid) GETSTRUCT(tuple);
+		owner_oid = authform->rolowner;
+
+		/*
+		 * Roles must necessarily have owners.  Even the bootstrap user has an
+		 * owner.  (It owns itself).  Other roles must form a proper tree.
+		 */
+		if (!OidIsValid(owner_oid))
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u has invalid owner",
+							authform->rolname.data, authform->oid)));
+		if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+			authform->rolowner == authform->oid)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owns itself",
+							authform->rolname.data, authform->oid)));
+		if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+			authform->rolowner != BOOTSTRAP_SUPERUSERID)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+							authform->rolname.data, authform->oid,
+							authform->rolowner)));
+		ReleaseSysCache(tuple);
+
+		/* Have we found the target role? */
+		if (roleid == owner_oid)
+			return true;
+
+		/*
+		 * If we have reached a role which owns itself, we must iterate no
+		 * further, else we fall into an infinite loop.
+		 */
+		if (role_oid == owner_oid)
+			return false;
+
+		/* Set up for the next iteration. */
+		role_oid = owner_oid;
+	}
 
-	return (owner_oid == roleid);
+	return false;
 }
 
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
  *
- * Note: roles do not have owners per se; instead we use this test in
- * places where an ownership-like permissions test is needed for a role.
- * Be sure to apply it to the role trying to do the operation, not the
- * role being operated on!	Also note that this generally should not be
- * considered enough privilege if the target role is a superuser.
- * (We don't handle that consideration here because we want to give a
- * separate error message for such cases, so the caller has to deal with it.)
+ * Note: In versions prior to PostgreSQL version 15, roles did not have owners
+ * per se; instead we used this test in places where an ownership-like
+ * permissions test was needed for a role.
  */
 bool
 has_createrole_privilege(Oid roleid)
diff --git a/src/backend/catalog/objectaddress.c b/src/backend/catalog/objectaddress.c
index 2bae3fbb17..cc19409ca3 100644
--- a/src/backend/catalog/objectaddress.c
+++ b/src/backend/catalog/objectaddress.c
@@ -2596,25 +2596,9 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
 							   NameListToString(castNode(List, object)));
 			break;
 		case OBJECT_ROLE:
-
-			/*
-			 * We treat roles as being "owned" by those with CREATEROLE priv,
-			 * except that superusers are only owned by superusers.
-			 */
-			if (superuser_arg(address.objectId))
-			{
-				if (!superuser_arg(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must be superuser")));
-			}
-			else
-			{
-				if (!has_createrole_privilege(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must have CREATEROLE privilege")));
-			}
+			if (!pg_role_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, objtype,
+							   strVal(object));
 			break;
 		case OBJECT_TSPARSER:
 		case OBJECT_TSTEMPLATE:
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
index 6c6ab9ee34..3447806756 100644
--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
@@ -363,7 +363,7 @@ AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		/*
 		 * must have create-schema rights
 		 *
-		 * NOTE: This is different from other alter-owner checks in that the
+		 * NOTE: This is different from most other alter-owner checks in that the
 		 * current user is checked for create privileges instead of the
 		 * destination owner.  This is consistent with the CREATE case for
 		 * schemas.  Because superusers will always have this right, we need
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index e1296020b3..9c40766d83 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -724,7 +724,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 			  !rolemembers &&
 			  !validUntil &&
 			  dpassword &&
-			  roleid == GetUserId()))
+			  !pg_role_ownercheck(roleid, GetUserId())))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied")));
@@ -925,7 +925,8 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() && roleid != GetUserId())
+			if (!have_createrole_privilege() &&
+				!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -977,11 +978,6 @@ DropRole(DropRoleStmt *stmt)
 				pg_auth_members_rel;
 	ListCell   *item;
 
-	if (!have_createrole_privilege())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied to drop role")));
-
 	/*
 	 * Scan the pg_authid relation to find the Oid of the role(s) to be
 	 * deleted.
@@ -1053,6 +1049,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
+		if (!have_createrole_privilege() &&
+			!pg_role_ownercheck(roleid, GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("permission denied to drop role")));
+
 		/* DROP hook for the role being removed */
 		InvokeObjectDropHook(AuthIdRelationId, roleid, 0);
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 67f8b29434..04eae9d4e5 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4850,6 +4850,10 @@ has_privs_of_role(Oid member, Oid role)
 	if (superuser_arg(member))
 		return true;
 
+	/* Owners of roles have every privilge the owned role has */
+	if (pg_role_ownercheck(role, member))
+		return true;
+
 	/*
 	 * Find all the roles that member has the privileges of, including
 	 * multi-level recursion, then see if target role is any one of them.
diff --git a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
index b2d898a7d1..93cf82b750 100644
--- a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
+++ b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
@@ -7,8 +7,11 @@ SET client_min_messages TO 'warning';
 DROP ROLE IF EXISTS regress_dummy_seclabel_user1;
 DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 RESET client_min_messages;
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
 CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
@@ -19,7 +22,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
@@ -29,6 +32,7 @@ ERROR:  '...invalid label...' is not a valid security label
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
 ERROR:  security label provider "unknown_seclabel" is not loaded
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 ERROR:  must be owner of table dummy_seclabel_tbl2
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
@@ -42,7 +46,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
 ERROR:  '...invalid label...' is not a valid security label
@@ -55,7 +59,7 @@ SECURITY LABEL ON ROLE regress_dummy_seclabel_user3 IS 'unclassified';	-- fail (
 ERROR:  role "regress_dummy_seclabel_user3" does not exist
 SET SESSION AUTHORIZATION regress_dummy_seclabel_user2;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user2 IS 'unclassified';	-- fail (not privileged)
-ERROR:  must have CREATEROLE privilege
+ERROR:  must be owner of role regress_dummy_seclabel_user2
 RESET SESSION AUTHORIZATION;
 --
 -- Test for various types of object
diff --git a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
index 8c347b6a68..bf575343cf 100644
--- a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
+++ b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
@@ -11,8 +11,12 @@ DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 
 RESET client_min_messages;
 
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
@@ -26,7 +30,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
@@ -34,6 +38,8 @@ SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...';	-- fail
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified';	-- fail (not found)
@@ -45,7 +51,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index e1ce5f3a66..492162e5a1 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -55,8 +55,9 @@ CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
 CREATE ROLE regress_role_12
-  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
-  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7;
+COMMENT ON ROLE regress_role_12 IS 'no login test role';
 \du+ regress_role_6
                                     List of roles
    Role name    |     Owner      |       Attributes        | Member of | Description 
@@ -95,11 +96,11 @@ CREATE ROLE regress_role_12
  regress_role_11 | regress_role_1 | Cannot login | {}        | 
 
 \du+ regress_role_12
-                                                      List of roles
-    Role name    |     Owner      |       Attributes       |                   Member of                    | Description 
------------------+----------------+------------------------+------------------------------------------------+-------------
- regress_role_12 | regress_role_1 | Create role, Create DB+| {regress_role_6,regress_role_7,regress_role_8} | 
-                 |                | 2 connections          |                                                | 
+                                                         List of roles
+    Role name    |     Owner      |              Attributes              |            Member of            |    Description     
+-----------------+----------------+--------------------------------------+---------------------------------+--------------------
+ regress_role_12 | regress_role_1 | Create role, Create DB, Cannot login+| {regress_role_6,regress_role_7} | no login test role
+                 |                | 2 connections                        |                                 | 
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_role_13 SYSID 12345;
@@ -140,21 +141,18 @@ CREATE TABLE regress_tbl_22 (i integer);
 CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
 CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
--- fail, these objects belonging to regress_role_22
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_role_7;
 DROP INDEX regress_idx_22;
-ERROR:  must be owner of index regress_idx_22
 ALTER TABLE regress_tbl_22 ADD COLUMN t text;
-ERROR:  must be owner of table regress_tbl_22
 DROP TABLE regress_tbl_22;
-ERROR:  must be owner of table regress_tbl_22
+-- fail, not a member of target role
 ALTER VIEW regress_view_22 OWNER TO regress_role_1;
-ERROR:  must be owner of view regress_view_22
+ERROR:  must be member of role "regress_role_1"
+-- ok
 DROP VIEW regress_view_22;
-ERROR:  must be owner of view regress_view_22
--- fail, cannot take ownership of these objects from regress_role_22
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
-ERROR:  permission denied to reassign objects
 -- ok, having CREATEROLE is enough to create roles in privileged roles
 CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
 CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
@@ -166,15 +164,9 @@ CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
 CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
--- fail, cannot take ownership of these objects from regress_role_7
+-- ok, can take ownership from owned roles
 SET SESSION AUTHORIZATION regress_role_1;
 ALTER ROLE regress_role_20 OWNER TO regress_role_1;
-ERROR:  must be owner of role regress_role_20
-REASSIGN OWNED BY regress_role_20 TO regress_role_1;
-ERROR:  permission denied to reassign objects
--- superuser can do it, though
-RESET SESSION AUTHORIZATION;
-ALTER ROLE regress_role_20 OWNER TO regress_role_1;
 REASSIGN OWNED BY regress_role_20 TO regress_role_1;
 -- ok, superuser roles can drop superuser roles they own
 SET SESSION AUTHORIZATION regress_role_super;
@@ -184,14 +176,6 @@ SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
 DROP ROLE regress_role_4;
 DROP ROLE regress_role_5;
-DROP ROLE regress_role_14;
-ERROR:  role "regress_role_14" does not exist
-DROP ROLE regress_role_15;
-ERROR:  role "regress_role_15" does not exist
-DROP ROLE regress_role_17;
-ERROR:  role "regress_role_17" does not exist
-DROP ROLE regress_role_19;
-ERROR:  role "regress_role_19" does not exist
 DROP ROLE regress_role_20;
 -- fail, cannot drop roles that own other roles
 DROP ROLE regress_role_7;
@@ -219,6 +203,7 @@ DROP ROLE regress_role_13;
 DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
+DROP ROLE regress_role_22;
 DROP ROLE regress_role_23;
 DROP ROLE regress_role_24;
 DROP ROLE regress_role_25;
@@ -229,28 +214,15 @@ DROP ROLE regress_role_29;
 DROP ROLE regress_role_30;
 DROP ROLE regress_role_31;
 DROP ROLE regress_role_32;
--- fail, role still owns database objects
-DROP ROLE regress_role_22;
-ERROR:  role "regress_role_22" cannot be dropped because some objects depend on it
-DETAIL:  owner of table regress_tbl_22
-owner of view regress_view_22
--- fail, role still owns other roles
-DROP ROLE regress_role_7;
-ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
-DETAIL:  owner of role regress_role_22
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
 DROP ROLE regress_role_1;
 ERROR:  current user cannot be dropped
--- ok
-RESET SESSION AUTHORIZATION;
-DROP INDEX regress_idx_22;
-DROP TABLE regress_tbl_22;
-DROP VIEW regress_view_22;
-DROP ROLE regress_role_22;
+-- ok, no more owned roles remain
 DROP ROLE regress_role_7;
 -- fail, cannot drop role with remaining privileges
+RESET SESSION AUTHORIZATION;
 DROP ROLE regress_role_1;
 ERROR:  role "regress_role_1" cannot be dropped because some objects depend on it
 DETAIL:  privileges for database regression
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 8a4f177574..678f728f52 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -36,8 +36,9 @@ CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
 CREATE ROLE regress_role_12
-  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
-  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7;
+COMMENT ON ROLE regress_role_12 IS 'no login test role';
 
 \du+ regress_role_6
 \du+ regress_role_7
@@ -92,15 +93,19 @@ CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
 CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
 
--- fail, these objects belonging to regress_role_22
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_role_7;
 DROP INDEX regress_idx_22;
 ALTER TABLE regress_tbl_22 ADD COLUMN t text;
 DROP TABLE regress_tbl_22;
+
+-- fail, not a member of target role
 ALTER VIEW regress_view_22 OWNER TO regress_role_1;
+
+-- ok
 DROP VIEW regress_view_22;
 
--- fail, cannot take ownership of these objects from regress_role_22
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
 
 -- ok, having CREATEROLE is enough to create roles in privileged roles
@@ -115,16 +120,11 @@ CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
 
--- fail, cannot take ownership of these objects from regress_role_7
+-- ok, can take ownership from owned roles
 SET SESSION AUTHORIZATION regress_role_1;
 ALTER ROLE regress_role_20 OWNER TO regress_role_1;
 REASSIGN OWNED BY regress_role_20 TO regress_role_1;
 
--- superuser can do it, though
-RESET SESSION AUTHORIZATION;
-ALTER ROLE regress_role_20 OWNER TO regress_role_1;
-REASSIGN OWNED BY regress_role_20 TO regress_role_1;
-
 -- ok, superuser roles can drop superuser roles they own
 SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_role_2;
@@ -134,10 +134,6 @@ SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
 DROP ROLE regress_role_4;
 DROP ROLE regress_role_5;
-DROP ROLE regress_role_14;
-DROP ROLE regress_role_15;
-DROP ROLE regress_role_17;
-DROP ROLE regress_role_19;
 DROP ROLE regress_role_20;
 
 -- fail, cannot drop roles that own other roles
@@ -154,6 +150,7 @@ DROP ROLE regress_role_13;
 DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
+DROP ROLE regress_role_22;
 DROP ROLE regress_role_23;
 DROP ROLE regress_role_24;
 DROP ROLE regress_role_25;
@@ -165,25 +162,15 @@ DROP ROLE regress_role_30;
 DROP ROLE regress_role_31;
 DROP ROLE regress_role_32;
 
--- fail, role still owns database objects
-DROP ROLE regress_role_22;
-
--- fail, role still owns other roles
-DROP ROLE regress_role_7;
-
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_1;
 
--- ok
-RESET SESSION AUTHORIZATION;
-DROP INDEX regress_idx_22;
-DROP TABLE regress_tbl_22;
-DROP VIEW regress_view_22;
-DROP ROLE regress_role_22;
+-- ok, no more owned roles remain
 DROP ROLE regress_role_7;
 
 -- fail, cannot drop role with remaining privileges
+RESET SESSION AUTHORIZATION;
 DROP ROLE regress_role_1;
 
 -- ok, can drop role if we revoke privileges first

diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 64d9030652..bfdd6403cd 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -3132,9 +3132,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
            doesn't preserve that DROP.
 
            A database owner can attack the database's users via "CREATE SCHEMA
-           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;".  A
-           CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the
-           database owner attack. -->
+           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". -->
       <para>
        Constrain ordinary users to user-private schemas.  To implement this,
        first issue <literal>REVOKE CREATE ON SCHEMA public FROM
@@ -3146,9 +3144,8 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        pattern in a database where untrusted users had already logged in,
        consider auditing the public schema for objects named like objects in
        schema <literal>pg_catalog</literal>.  This pattern is a secure schema
-       usage pattern unless an untrusted user is the database owner or holds
-       the <literal>CREATEROLE</literal> privilege, in which case no secure
-       schema usage pattern exists.
+       usage pattern unless an untrusted user is the database owner, in which
+       case no secure schema usage pattern exists.
       </para>
       <para>
        If the database originated in an upgrade
@@ -3170,8 +3167,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        schema <link linkend="typeconv-func">will be unsafe or
        unreliable</link>.  If you create functions or extensions in the public
        schema, use the first pattern instead.  Otherwise, like the first
-       pattern, this is secure unless an untrusted user is the database owner
-       or holds the <literal>CREATEROLE</literal> privilege.
+       pattern, this is secure unless an untrusted user is the database owner.
       </para>
      </listitem>
 
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
index 5aa5648ae7..96e60d5a09 100644
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -70,18 +70,18 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
    <link linkend="sql-revoke"><command>REVOKE</command></link> for that.)
    Attributes not mentioned in the command retain their previous settings.
    Database superusers can change any of these settings for any role.
-   Roles having <literal>CREATEROLE</literal> privilege can change any of these
-   settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
-   and <literal>BYPASSRLS</literal>; but only for non-superuser and
-   non-replication roles.
-   Ordinary roles can only change their own password.
+   Role owners can change any of these settings on roles they own except
+   <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>, and
+   <literal>BYPASSRLS</literal>; but only for non-superuser and non-replication
+   roles, and only if the role owner does not alter the target role to have a
+   privilege which the role owner itself lacks.  Ordinary roles can only change
+   their own password.
   </para>
 
   <para>
    The second variant changes the name of the role.
    Database superusers can rename any role.
-   Roles having <literal>CREATEROLE</literal> privilege can rename non-superuser
-   roles.
+   Role owners can rename non-superuser roles they own.
    The current session user cannot be renamed.
    (Connect as a different user if you need to do that.)
    Because <literal>MD5</literal>-encrypted passwords use the role name as
@@ -114,9 +114,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
   </para>
 
   <para>
-   Superusers can change anyone's session defaults. Roles having
-   <literal>CREATEROLE</literal> privilege can change defaults for non-superuser
-   roles. Ordinary roles can only set defaults for themselves.
+   Superusers can change anyone's session defaults. Owning roles may change
+   privilege for non-superuser roles they own. Ordinary roles can only set
+   defaults for themselves.
    Certain configuration variables cannot be set this way, or can only be
    set if a superuser issues the command.  Only superusers can change a setting
    for all roles in all databases.
diff --git a/doc/src/sgml/ref/comment.sgml b/doc/src/sgml/ref/comment.sgml
index e07fc47fd3..1ba374f3a1 100644
--- a/doc/src/sgml/ref/comment.sgml
+++ b/doc/src/sgml/ref/comment.sgml
@@ -92,12 +92,8 @@ COMMENT ON
 
   <para>
    For most kinds of object, only the object's owner can set the comment.
-   Roles don't have owners, so the rule for <literal>COMMENT ON ROLE</literal> is
-   that you must be superuser to comment on a superuser role, or have the
-   <literal>CREATEROLE</literal> privilege to comment on non-superuser roles.
-   Likewise, access methods don't have owners either; you must be superuser
-   to comment on an access method.
-   Of course, a superuser can comment on anything.
+   Access methods don't have owners; you must be superuser to comment on an
+   access method.  Of course, a superuser can comment on anything.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index b6a4ea1f72..2e73102562 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -107,8 +107,10 @@ in sync when changing the above synopsis!
         <literal>CREATEDB</literal> is specified, the role being
         defined will be allowed to create new databases. Specifying
         <literal>NOCREATEDB</literal> will deny a role the ability to
-        create databases. If not specified,
-        <literal>NOCREATEDB</literal> is the default.
+        create databases. Only roles with the <literal>CREATEDB</literal>
+        attribute may create roles with the <literal>CREATEDB</literal>
+        attribute. If not specified, <literal>NOCREATEDB</literal> is the
+        default.
        </para>
       </listitem>
      </varlistentry>
@@ -120,8 +122,6 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role will be permitted to
         create new roles (that is, execute <command>CREATE ROLE</command>).
-        A role with <literal>CREATEROLE</literal> privilege can also alter
-        and drop other roles.
         If not specified,
         <literal>NOCREATEROLE</literal> is the default.
        </para>
@@ -163,6 +163,8 @@ in sync when changing the above synopsis!
         <literal>NOLOGIN</literal> is the default, except when
         <command>CREATE ROLE</command> is invoked through its alternative spelling
         <link linkend="sql-createuser"><command>CREATE USER</command></link>.
+        You must have the <literal>LOGIN</literal> attribute to create a new role
+        with the <literal>LOGIN</literal> attribute.
        </para>
       </listitem>
      </varlistentry>
@@ -194,8 +196,8 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role bypasses every row-level
         security (RLS) policy.  <literal>NOBYPASSRLS</literal> is the default.
-        You must be a superuser to create a new role having
-        the <literal>BYPASSRLS</literal> attribute.
+        You must have the <literal>BYPASSRLS</literal> attribute to create a
+        new role having the <literal>BYPASSRLS</literal> attribute.
        </para>
 
        <para>
@@ -281,6 +283,10 @@ in sync when changing the above synopsis!
         member.  (Note that there is no option to add the new role as an
         administrator; use a separate <command>GRANT</command> command to do that.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -301,6 +307,10 @@ in sync when changing the above synopsis!
         roles which are automatically added as members of the new role.
         (This in effect makes the new role a <quote>group</quote>.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -313,6 +323,10 @@ in sync when changing the above synopsis!
         OPTION</literal>, giving them the right to grant membership in this role
         to others.
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/drop_role.sgml b/doc/src/sgml/ref/drop_role.sgml
index 13dc1cc649..c3d57ee8db 100644
--- a/doc/src/sgml/ref/drop_role.sgml
+++ b/doc/src/sgml/ref/drop_role.sgml
@@ -31,8 +31,7 @@ DROP ROLE [ IF EXISTS ] <replaceable class="parameter">name</replaceable> [, ...
   <para>
    <command>DROP ROLE</command> removes the specified role(s).
    To drop a superuser role, you must be a superuser yourself;
-   to drop non-superuser roles, you must have <literal>CREATEROLE</literal>
-   privilege.
+   to drop non-superuser roles, you must own the target role.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/dropuser.sgml b/doc/src/sgml/ref/dropuser.sgml
index 81580507e8..30a99eaf68 100644
--- a/doc/src/sgml/ref/dropuser.sgml
+++ b/doc/src/sgml/ref/dropuser.sgml
@@ -35,9 +35,9 @@ PostgreSQL documentation
   <para>
    <application>dropuser</application> removes an existing
    <productname>PostgreSQL</productname> user.
-   Only superusers and users with the <literal>CREATEROLE</literal> privilege can
-   remove <productname>PostgreSQL</productname> users.  (To remove a
-   superuser, you must yourself be a superuser.)
+   A <productname>PostgreSQL</productname> user may only be removed by its
+   owner or by a superuser.  (To remove a superuser, you must yourself be a
+   superuser.)
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index a897712de2..86fc387af2 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -254,8 +254,8 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
    OPTION</literal> on itself, but it may grant or revoke membership in
    itself from a database session where the session user matches the
    role.  Database superusers can grant or revoke membership in any role
-   to anyone.  Roles having <literal>CREATEROLE</literal> privilege can grant
-   or revoke membership in any role that is not a superuser.
+   to anyone.  Roles can revoke membership in any role they own, and 
+   may grant membership in any role they own to any role they own.
   </para>
 
   <para>
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 9067be1d9c..e65b55a004 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -198,9 +198,10 @@ CREATE USER <replaceable>name</replaceable>;
         (except for superusers, since those bypass all permission
         checks). To create such a role, use <literal>CREATE ROLE
         <replaceable>name</replaceable> CREATEROLE</literal>.
-        A role with <literal>CREATEROLE</literal> privilege can alter and drop
-        other roles, too, as well as grant or revoke membership in them.
-        However, to create, alter, drop, or change membership of a
+        A role which creates a new role becomes the new role's owner, able to
+        alter or drop that new role, and sharing ownership of any additional
+        objects (including additional roles) that new role creates.
+        To create, alter, drop, or change membership of a
         superuser role, superuser status is required;
         <literal>CREATEROLE</literal> is insufficient for that.
        </para>
@@ -246,11 +247,14 @@ CREATE USER <replaceable>name</replaceable>;
 
   <tip>
    <para>
-    It is good practice to create a role that has the <literal>CREATEDB</literal>
-    and <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
+    It is good practice to create a role that has the
+    <literal>CREATEDB</literal>, <literal>LOGIN</literal> and
+    <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
     use this role for all routine management of databases and roles.  This
-    approach avoids the dangers of operating as a superuser for tasks that
-    do not really require it.
+    approach avoids the dangers of operating as a superuser for tasks that do
+    not really require it.  This role must also have
+    <literal>REPLICATION</literal> if it will create replication users, and
+    must have <literal>BYPASSRLS</literal> if it will create bypassrls users.
    </para>
   </tip>
 
@@ -387,15 +391,22 @@ RESET ROLE;
 
   <para>
    The role attributes <literal>LOGIN</literal>, <literal>SUPERUSER</literal>,
-   <literal>CREATEDB</literal>, and <literal>CREATEROLE</literal> can be thought of as
-   special privileges, but they are never inherited as ordinary privileges
-   on database objects are.  You must actually <command>SET ROLE</command> to a
-   specific role having one of these attributes in order to make use of
-   the attribute.  Continuing the above example, we might choose to
+   <literal>CREATEDB</literal>, <literal>REPLICATION</literal>,
+   <literal>BYPASSRLS</literal>, and <literal>CREATEROLE</literal> can be
+   thought of as special privileges, but they are never inherited as ordinary
+   privileges on database objects are.  You must actually <command>SET
+   ROLE</command> to a specific role having one of these attributes in order to
+   make use of the attribute.  Continuing the above example, we might choose to
    grant <literal>CREATEDB</literal> and <literal>CREATEROLE</literal> to the
-   <literal>admin</literal> role.  Then a session connecting as role <literal>joe</literal>
-   would not have these privileges immediately, only after doing
-   <command>SET ROLE admin</command>.
+   <literal>admin</literal> role.  Then a session connecting as role
+   <literal>joe</literal> would not have these privileges immediately, only
+   after doing <command>SET ROLE admin</command>.  Roles with these attributes
+   may only be created by roles which themselves have these attributes.
+   Superusers may always do so, but non-superuser roles with
+   <literal>CREATEROLE</literal> may only create new roles with
+   <literal>LOGIN</literal>, <literal>CREATEDB</literal>,
+   <literal>REPLICATION</literal>, or <literal>BYPASSRLS</literal> if they
+   themselves have the same attribute.
   </para>
 
   <para>
@@ -493,8 +504,7 @@ DROP ROLE doomed_role;
   <para>
    <productname>PostgreSQL</productname> provides a set of predefined roles
    that provide access to certain, commonly needed, privileged capabilities
-   and information.  Administrators (including roles that have the
-   <literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
+   and information.  Administrators can <command>GRANT</command> these
    roles to users and/or other roles in their environment, providing those
    users with access to the specified capabilities and information.
   </para>
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 4a11a0f124..a72f412e90 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5552,6 +5552,97 @@ has_bypassrls_privilege(Oid roleid)
 	return result;
 }
 
+bool
+has_rolinherit_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+bool
+has_createdb_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreatedb;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+bool
+has_login_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcanlogin;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+bool
+has_replication_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+int32
+role_connection_limit(Oid roleid)
+{
+	int32		result = -1;
+	HeapTuple	utup;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolconnlimit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
 /*
  * Fetch pg_default_acl entry for given role, namespace and object type
  * (object type must be given in pg_default_acl's encoding).
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 9c40766d83..274047c232 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -58,15 +58,6 @@ static void DelRoleMems(const char *rolename, Oid roleid,
 static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
 									Oid newOwnerId);
 
-
-/* Check if current user has createrole privileges */
-static bool
-have_createrole_privilege(void)
-{
-	return has_createrole_privilege(GetUserId());
-}
-
-
 /*
  * CREATE ROLE
  */
@@ -276,24 +267,32 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	}
 	else if (isreplication)
 	{
-		if (!superuser())
+		if (!has_replication_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create replication users")));
+					 errmsg("must have replication privilege to create replication users")));
 	}
 	else if (bypassrls)
 	{
-		if (!superuser())
+		if (!has_bypassrls_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create bypassrls users")));
+					 errmsg("must have bypassrls privilege to create bypassrls users")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to create role")));
+		if (createdb && !has_createdb_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have createdb privilege to create createdb users")));
+		if (canlogin && !has_login_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have login privilege to create login users")));
 	}
 
 	/*
@@ -713,7 +712,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to change bypassrls attribute")));
 	}
-	else if (!have_createrole_privilege())
+	else if (!superuser())
 	{
 		/* We already checked issuper, isreplication, and bypassrls */
 		if (!(inherit < 0 &&
@@ -914,7 +913,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 
 		/*
 		 * To mess with a superuser you gotta be superuser; else you need
-		 * createrole, or just want to change your own settings
+		 * to own the role, or just want to change your own settings
 		 */
 		if (roleform->rolsuper)
 		{
@@ -925,8 +924,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() &&
-				!pg_role_ownercheck(roleid, GetUserId()))
+			if (!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -1039,18 +1037,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_OBJECT_IN_USE),
 					 errmsg("session user cannot be dropped")));
 
-		/*
-		 * For safety's sake, we allow createrole holders to drop ordinary
-		 * roles but not superuser roles.  This is mainly to avoid the
-		 * scenario where you accidentally drop the last superuser.
-		 */
 		if (roleform->rolsuper && !superuser())
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
-		if (!have_createrole_privilege() &&
-			!pg_role_ownercheck(roleid, GetUserId()))
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to drop role")));
@@ -1231,7 +1223,7 @@ RenameRole(const char *oldname, const char *newname)
 				 errmsg("role \"%s\" already exists", newname)));
 
 	/*
-	 * createrole is enough privilege unless you want to mess with a superuser
+	 * role ownership is enough privilege unless you want to mess with a superuser
 	 */
 	if (((Form_pg_authid) GETSTRUCT(oldtuple))->rolsuper)
 	{
@@ -1242,7 +1234,7 @@ RenameRole(const char *oldname, const char *newname)
 	}
 	else
 	{
-		if (!have_createrole_privilege())
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to rename role")));
@@ -1468,7 +1460,7 @@ AddRoleMems(const char *rolename, Oid roleid,
 		return;
 
 	/*
-	 * Check permissions: must have createrole or admin option on the role to
+	 * Check permissions: must be owner or have admin option on the role to
 	 * be changed.  To mess with a superuser role, you gotta be superuser.
 	 */
 	if (superuser_arg(roleid))
@@ -1478,9 +1470,9 @@ AddRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, grantorId) &&
 			!is_admin_of_role(grantorId, roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1656,9 +1648,9 @@ DelRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, GetUserId()) &&
 			!is_admin_of_role(GetUserId(), roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1814,7 +1806,7 @@ AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		 * roles.  Because superusers will always have this right, we need no
 		 * special case for them.
 		 */
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
 						   NameStr(authForm->rolname));
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 04eae9d4e5..3438abbcee 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4656,7 +4656,7 @@ initialize_acl(void)
 		/*
 		 * In normal mode, set a callback on any syscache invalidation of rows
 		 * of pg_auth_members (for roles_is_member_of()), pg_authid (for
-		 * has_rolinherit()), or pg_database (for roles_is_member_of())
+		 * has_rolinherit_privilege()), or pg_database (for roles_is_member_of())
 		 */
 		CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
 									  RoleMembershipCacheCallback,
@@ -4690,23 +4690,6 @@ RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue)
 }
 
 
-/* Check if specified role has rolinherit set */
-static bool
-has_rolinherit(Oid roleid)
-{
-	bool		result = false;
-	HeapTuple	utup;
-
-	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
-	if (HeapTupleIsValid(utup))
-	{
-		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
-		ReleaseSysCache(utup);
-	}
-	return result;
-}
-
-
 /*
  * Get a list of roles that the specified roleid is a member of
  *
@@ -4776,7 +4759,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 		CatCList   *memlist;
 		int			i;
 
-		if (type == ROLERECURSE_PRIVS && !has_rolinherit(memberid))
+		if (type == ROLERECURSE_PRIVS && !has_rolinherit_privilege(memberid))
 			continue;			/* ignore non-inheriting roles */
 
 		/* Find roles that memberid is directly a member of */
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index ec9d480d67..63cde442a8 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -319,5 +319,10 @@ extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
 extern bool pg_role_ownercheck(Oid role_oid, Oid roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
+extern bool has_rolinherit_privilege(Oid roleid);
+extern bool has_createdb_privilege(Oid roleid);
+extern bool has_login_privilege(Oid roleid);
+extern bool has_replication_privilege(Oid roleid);
+extern int32 role_connection_limit(Oid roleid);
 
 #endif							/* ACL_H */
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 492162e5a1..7df3683f2b 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -6,22 +6,16 @@ GRANT CREATE ON DATABASE regression TO regress_role_1;
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_2 SUPERUSER;
 ERROR:  must be superuser to create superusers
+-- ok, can assign privileges the creator has
 CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
-ERROR:  must be superuser to create replication users
 CREATE ROLE regress_role_4 REPLICATION;
-ERROR:  must be superuser to create replication users
 CREATE ROLE regress_role_5 BYPASSRLS;
-ERROR:  must be superuser to create bypassrls users
 -- fail, only superusers can own superusers
 RESET SESSION AUTHORIZATION;
 CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
 ERROR:  must be superuser to own superusers
 -- ok, superuser can create superusers belonging to other superusers
 CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
--- ok, superuser can create users with these privileges for normal role
-CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
-CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
-CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
 \du+ regress_role_2
                                       List of roles
    Role name    |       Owner        |       Attributes        | Member of | Description 
@@ -50,7 +44,10 @@ CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_role_8 LOGIN;
+ERROR:  must have login privilege to create login users
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
@@ -70,12 +67,6 @@ COMMENT ON ROLE regress_role_12 IS 'no login test role';
 ----------------+----------------+---------------------------+-----------+-------------
  regress_role_7 | regress_role_1 | Create role, Cannot login | {}        | 
 
-\du+ regress_role_8
-                             List of roles
-   Role name    |     Owner      | Attributes | Member of | Description 
-----------------+----------------+------------+-----------+-------------
- regress_role_8 | regress_role_1 |            | {}        | 
-
 \du+ regress_role_9
                               List of roles
    Role name    |     Owner      |  Attributes  | Member of | Description 
@@ -108,19 +99,19 @@ NOTICE:  SYSID can no longer be specified
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_role_14 IN ROLE regress_role_super;
 ERROR:  must be superuser to alter superusers
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
-ERROR:  role "pg_database_owner" cannot have explicit members
+ERROR:  must have admin option on role "pg_database_owner"
 -- ok, can grant other users into a role
 CREATE ROLE regress_role_16 ROLE
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 -- fail, cannot grant a role into itself
 CREATE ROLE regress_role_17 ROLE regress_role_17;
 ERROR:  role "regress_role_17" is a member of role "regress_role_17"
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_role_18 ADMIN
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 -- fail, cannot grant a role into itself with admin option
 CREATE ROLE regress_role_19 ADMIN regress_role_19;
@@ -133,8 +124,11 @@ ERROR:  permission denied to create database
 CREATE ROLE regress_role_20;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_role_21 CREATEROLE;
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+ERROR:  must have createdb privilege to create createdb users
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_role_22 CREATEROLE INHERIT CONNECTION LIMIT 5;
 -- ok, regress_role_22 can create objects within the database
 SET SESSION AUTHORIZATION regress_role_22;
 CREATE TABLE regress_tbl_22 (i integer);
@@ -153,17 +147,27 @@ ERROR:  must be member of role "regress_role_1"
 DROP VIEW regress_view_22;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
+ERROR:  must have admin option on role "pg_read_all_data"
 CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
+ERROR:  must have admin option on role "pg_write_all_data"
 CREATE ROLE regress_role_25 IN ROLE pg_monitor;
+ERROR:  must have admin option on role "pg_monitor"
 CREATE ROLE regress_role_26 IN ROLE pg_read_all_settings;
+ERROR:  must have admin option on role "pg_read_all_settings"
 CREATE ROLE regress_role_27 IN ROLE pg_read_all_stats;
+ERROR:  must have admin option on role "pg_read_all_stats"
 CREATE ROLE regress_role_28 IN ROLE pg_stat_scan_tables;
+ERROR:  must have admin option on role "pg_stat_scan_tables"
 CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
+ERROR:  must have admin option on role "pg_read_server_files"
 CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
+ERROR:  must have admin option on role "pg_write_server_files"
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
+ERROR:  must have admin option on role "pg_execute_server_program"
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
+ERROR:  must have admin option on role "pg_signal_backend"
 -- ok, can take ownership from owned roles
 SET SESSION AUTHORIZATION regress_role_1;
 ALTER ROLE regress_role_20 OWNER TO regress_role_1;
@@ -182,19 +186,8 @@ DROP ROLE regress_role_7;
 ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
 DETAIL:  owner of role regress_role_21
 owner of role regress_role_22
-owner of role regress_role_23
-owner of role regress_role_24
-owner of role regress_role_25
-owner of role regress_role_26
-owner of role regress_role_27
-owner of role regress_role_28
-owner of role regress_role_29
-owner of role regress_role_30
-owner of role regress_role_31
-owner of role regress_role_32
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_role_6;
-DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
 DROP ROLE regress_role_11;
@@ -204,16 +197,6 @@ DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
 DROP ROLE regress_role_22;
-DROP ROLE regress_role_23;
-DROP ROLE regress_role_24;
-DROP ROLE regress_role_25;
-DROP ROLE regress_role_26;
-DROP ROLE regress_role_27;
-DROP ROLE regress_role_28;
-DROP ROLE regress_role_29;
-DROP ROLE regress_role_30;
-DROP ROLE regress_role_31;
-DROP ROLE regress_role_32;
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 678f728f52..b1c764cb82 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -6,6 +6,8 @@ GRANT CREATE ON DATABASE regression TO regress_role_1;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_2 SUPERUSER;
+
+-- ok, can assign privileges the creator has
 CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
 CREATE ROLE regress_role_4 REPLICATION;
 CREATE ROLE regress_role_5 BYPASSRLS;
@@ -17,11 +19,6 @@ CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
 -- ok, superuser can create superusers belonging to other superusers
 CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
 
--- ok, superuser can create users with these privileges for normal role
-CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
-CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
-CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
-
 \du+ regress_role_2
 \du+ regress_role_3
 \du+ regress_role_4
@@ -31,7 +28,11 @@ CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
+
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_role_8 LOGIN;
+
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
@@ -42,7 +43,6 @@ COMMENT ON ROLE regress_role_12 IS 'no login test role';
 
 \du+ regress_role_6
 \du+ regress_role_7
-\du+ regress_role_8
 \du+ regress_role_9
 \du+ regress_role_10
 \du+ regress_role_11
@@ -54,12 +54,12 @@ CREATE ROLE regress_role_13 SYSID 12345;
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_role_14 IN ROLE regress_role_super;
 
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
 
 -- ok, can grant other users into a role
 CREATE ROLE regress_role_16 ROLE
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 
 -- fail, cannot grant a role into itself
@@ -67,7 +67,7 @@ CREATE ROLE regress_role_17 ROLE regress_role_17;
 
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_role_18 ADMIN
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 
 -- fail, cannot grant a role into itself with admin option
@@ -83,9 +83,12 @@ CREATE ROLE regress_role_20;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_role_21 CREATEROLE;
 
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
 
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_role_22 CREATEROLE INHERIT CONNECTION LIMIT 5;
+
 -- ok, regress_role_22 can create objects within the database
 SET SESSION AUTHORIZATION regress_role_22;
 CREATE TABLE regress_tbl_22 (i integer);
@@ -108,7 +111,7 @@ DROP VIEW regress_view_22;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
 
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
 CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
 CREATE ROLE regress_role_25 IN ROLE pg_monitor;
@@ -141,7 +144,6 @@ DROP ROLE regress_role_7;
 
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_role_6;
-DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
 DROP ROLE regress_role_11;
@@ -151,16 +153,6 @@ DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
 DROP ROLE regress_role_22;
-DROP ROLE regress_role_23;
-DROP ROLE regress_role_24;
-DROP ROLE regress_role_25;
-DROP ROLE regress_role_26;
-DROP ROLE regress_role_27;
-DROP ROLE regress_role_28;
-DROP ROLE regress_role_29;
-DROP ROLE regress_role_30;
-DROP ROLE regress_role_31;
-DROP ROLE regress_role_32;
 
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;

From 2fd69c860c08805f9aaf25f375d952991cd45e00 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 4 Jan 2022 10:35:10 -0800
Subject: [PATCH v4 1/5] Add tests of the CREATEROLE attribute.

While developing alternate rules for what privileges CREATEROLE has,
I noticed that none of the changes to how CREATEROLE works triggered
any regression test failures.  This is problematic for two reasons.
It means the existing code has insufficient test coverage, and it
means that unintended changes introduced by subsequent patches may
go unnoticed.  Fix that.
---
 src/test/regress/expected/create_role.out | 145 ++++++++++++++++++++++
 src/test/regress/parallel_schedule        |   2 +-
 src/test/regress/sql/create_role.sql      | 138 ++++++++++++++++++++
 3 files changed, 284 insertions(+), 1 deletion(-)
 create mode 100644 src/test/regress/expected/create_role.out
 create mode 100644 src/test/regress/sql/create_role.sql

diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
new file mode 100644
index 0000000000..57010bbb58
--- /dev/null
+++ b/src/test/regress/expected/create_role.out
@@ -0,0 +1,145 @@
+-- ok, superuser can create users with any set of privileges
+CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+-- fail, only superusers can create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
+CREATE ROLE regress_role_2 SUPERUSER;
+ERROR:  must be superuser to create superusers
+CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
+ERROR:  must be superuser to create replication users
+CREATE ROLE regress_role_4 REPLICATION;
+ERROR:  must be superuser to create replication users
+CREATE ROLE regress_role_5 BYPASSRLS;
+ERROR:  must be superuser to create bypassrls users
+-- ok, having CREATEROLE is enough to create users with these privileges
+CREATE ROLE regress_role_6 CREATEDB;
+CREATE ROLE regress_role_7 CREATEROLE;
+CREATE ROLE regress_role_8 LOGIN;
+CREATE ROLE regress_role_9 INHERIT;
+CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
+CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
+CREATE ROLE regress_role_12 PASSWORD NULL;
+-- ok, backwards compatible noise words should be ignored
+CREATE ROLE regress_role_13 SYSID 12345;
+NOTICE:  SYSID can no longer be specified
+-- fail, cannot grant membership in superuser role
+CREATE ROLE regress_role_14 IN ROLE regress_role_super;
+ERROR:  must be superuser to alter superusers
+-- fail, database owner cannot have members
+CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
+ERROR:  role "pg_database_owner" cannot have explicit members
+-- ok, can grant other users into a role
+CREATE ROLE regress_role_16 ROLE
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+-- fail, cannot grant a role into itself
+CREATE ROLE regress_role_17 ROLE regress_role_17;
+ERROR:  role "regress_role_17" is a member of role "regress_role_17"
+-- ok, can grant other users into a role with admin option
+CREATE ROLE regress_role_18 ADMIN
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+-- fail, cannot grant a role into itself with admin option
+CREATE ROLE regress_role_19 ADMIN regress_role_19;
+ERROR:  role "regress_role_19" is a member of role "regress_role_19"
+-- fail, regress_role_7 does not have CREATEDB privilege
+SET SESSION AUTHORIZATION regress_role_7;
+CREATE DATABASE regress_db_7;
+ERROR:  permission denied to create database
+-- ok, regress_role_7 can create new roles
+CREATE ROLE regress_role_20;
+-- ok, roles with CREATEROLE can create new roles with it
+CREATE ROLE regress_role_21 CREATEROLE;
+-- ok, roles with CREATEROLE can create new roles with privilege they lack
+CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+-- ok, regress_role_22 can create objects within the database
+SET SESSION AUTHORIZATION regress_role_22;
+CREATE TABLE regress_tbl_22 (i integer);
+CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
+CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
+REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
+-- fail, these objects belonging to regress_role_22
+SET SESSION AUTHORIZATION regress_role_7;
+DROP INDEX regress_idx_22;
+ERROR:  must be owner of index regress_idx_22
+ALTER TABLE regress_tbl_22 ADD COLUMN t text;
+ERROR:  must be owner of table regress_tbl_22
+DROP TABLE regress_tbl_22;
+ERROR:  must be owner of table regress_tbl_22
+ALTER VIEW regress_view_22 OWNER TO regress_role_1;
+ERROR:  must be owner of view regress_view_22
+DROP VIEW regress_view_22;
+ERROR:  must be owner of view regress_view_22
+-- fail, cannot take ownership of these objects from regress_role_22
+REASSIGN OWNED BY regress_role_22 TO regress_role_7;
+ERROR:  permission denied to reassign objects
+-- ok, having CREATEROLE is enough to create roles in privileged roles
+CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
+CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
+CREATE ROLE regress_role_25 IN ROLE pg_monitor;
+CREATE ROLE regress_role_26 IN ROLE pg_read_all_settings;
+CREATE ROLE regress_role_27 IN ROLE pg_read_all_stats;
+CREATE ROLE regress_role_28 IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
+CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
+CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
+CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
+-- fail, creation of these roles failed above so they do not now exist
+SET SESSION AUTHORIZATION regress_role_1;
+DROP ROLE regress_role_2;
+ERROR:  role "regress_role_2" does not exist
+DROP ROLE regress_role_3;
+ERROR:  role "regress_role_3" does not exist
+DROP ROLE regress_role_4;
+ERROR:  role "regress_role_4" does not exist
+DROP ROLE regress_role_5;
+ERROR:  role "regress_role_5" does not exist
+DROP ROLE regress_role_14;
+ERROR:  role "regress_role_14" does not exist
+DROP ROLE regress_role_15;
+ERROR:  role "regress_role_15" does not exist
+DROP ROLE regress_role_17;
+ERROR:  role "regress_role_17" does not exist
+DROP ROLE regress_role_19;
+ERROR:  role "regress_role_19" does not exist
+DROP ROLE regress_role_20;
+-- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_role_6;
+DROP ROLE regress_role_7;
+DROP ROLE regress_role_8;
+DROP ROLE regress_role_9;
+DROP ROLE regress_role_10;
+DROP ROLE regress_role_11;
+DROP ROLE regress_role_12;
+DROP ROLE regress_role_13;
+DROP ROLE regress_role_16;
+DROP ROLE regress_role_18;
+DROP ROLE regress_role_21;
+DROP ROLE regress_role_23;
+DROP ROLE regress_role_24;
+DROP ROLE regress_role_25;
+DROP ROLE regress_role_26;
+DROP ROLE regress_role_27;
+DROP ROLE regress_role_28;
+DROP ROLE regress_role_29;
+DROP ROLE regress_role_30;
+DROP ROLE regress_role_31;
+DROP ROLE regress_role_32;
+-- fail, role still owns database objects
+DROP ROLE regress_role_22;
+ERROR:  role "regress_role_22" cannot be dropped because some objects depend on it
+DETAIL:  owner of table regress_tbl_22
+owner of view regress_view_22
+-- fail, cannot drop ourself nor superusers
+DROP ROLE regress_role_super;
+ERROR:  must be superuser to drop superusers
+DROP ROLE regress_role_1;
+ERROR:  current user cannot be dropped
+-- ok
+RESET SESSION AUTHORIZATION;
+DROP INDEX regress_idx_22;
+DROP TABLE regress_tbl_22;
+DROP VIEW regress_view_22;
+DROP ROLE regress_role_22;
+DROP ROLE regress_role_1;
+DROP ROLE regress_role_super;
diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule
index 5b0c73d7e3..861c30a73a 100644
--- a/src/test/regress/parallel_schedule
+++ b/src/test/regress/parallel_schedule
@@ -89,7 +89,7 @@ test: brin_bloom brin_multi
 # ----------
 # Another group of parallel tests
 # ----------
-test: create_table_like alter_generic alter_operator misc async dbsize misc_functions sysviews tsrf tid tidscan tidrangescan collate.icu.utf8 incremental_sort
+test: create_table_like alter_generic alter_operator misc async dbsize misc_functions sysviews tsrf tid tidscan tidrangescan collate.icu.utf8 incremental_sort create_role
 
 # rules cannot run concurrently with any test that creates
 # a view or rule in the public schema
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
new file mode 100644
index 0000000000..e00893de4e
--- /dev/null
+++ b/src/test/regress/sql/create_role.sql
@@ -0,0 +1,138 @@
+-- ok, superuser can create users with any set of privileges
+CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+
+-- fail, only superusers can create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
+CREATE ROLE regress_role_2 SUPERUSER;
+CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
+CREATE ROLE regress_role_4 REPLICATION;
+CREATE ROLE regress_role_5 BYPASSRLS;
+
+-- ok, having CREATEROLE is enough to create users with these privileges
+CREATE ROLE regress_role_6 CREATEDB;
+CREATE ROLE regress_role_7 CREATEROLE;
+CREATE ROLE regress_role_8 LOGIN;
+CREATE ROLE regress_role_9 INHERIT;
+CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
+CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
+CREATE ROLE regress_role_12 PASSWORD NULL;
+
+-- ok, backwards compatible noise words should be ignored
+CREATE ROLE regress_role_13 SYSID 12345;
+
+-- fail, cannot grant membership in superuser role
+CREATE ROLE regress_role_14 IN ROLE regress_role_super;
+
+-- fail, database owner cannot have members
+CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
+
+-- ok, can grant other users into a role
+CREATE ROLE regress_role_16 ROLE
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+
+-- fail, cannot grant a role into itself
+CREATE ROLE regress_role_17 ROLE regress_role_17;
+
+-- ok, can grant other users into a role with admin option
+CREATE ROLE regress_role_18 ADMIN
+	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
+
+-- fail, cannot grant a role into itself with admin option
+CREATE ROLE regress_role_19 ADMIN regress_role_19;
+
+-- fail, regress_role_7 does not have CREATEDB privilege
+SET SESSION AUTHORIZATION regress_role_7;
+CREATE DATABASE regress_db_7;
+
+-- ok, regress_role_7 can create new roles
+CREATE ROLE regress_role_20;
+
+-- ok, roles with CREATEROLE can create new roles with it
+CREATE ROLE regress_role_21 CREATEROLE;
+
+-- ok, roles with CREATEROLE can create new roles with privilege they lack
+CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+
+-- ok, regress_role_22 can create objects within the database
+SET SESSION AUTHORIZATION regress_role_22;
+CREATE TABLE regress_tbl_22 (i integer);
+CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
+CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
+REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
+
+-- fail, these objects belonging to regress_role_22
+SET SESSION AUTHORIZATION regress_role_7;
+DROP INDEX regress_idx_22;
+ALTER TABLE regress_tbl_22 ADD COLUMN t text;
+DROP TABLE regress_tbl_22;
+ALTER VIEW regress_view_22 OWNER TO regress_role_1;
+DROP VIEW regress_view_22;
+
+-- fail, cannot take ownership of these objects from regress_role_22
+REASSIGN OWNED BY regress_role_22 TO regress_role_7;
+
+-- ok, having CREATEROLE is enough to create roles in privileged roles
+CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
+CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
+CREATE ROLE regress_role_25 IN ROLE pg_monitor;
+CREATE ROLE regress_role_26 IN ROLE pg_read_all_settings;
+CREATE ROLE regress_role_27 IN ROLE pg_read_all_stats;
+CREATE ROLE regress_role_28 IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
+CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
+CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
+CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
+
+-- fail, creation of these roles failed above so they do not now exist
+SET SESSION AUTHORIZATION regress_role_1;
+DROP ROLE regress_role_2;
+DROP ROLE regress_role_3;
+DROP ROLE regress_role_4;
+DROP ROLE regress_role_5;
+DROP ROLE regress_role_14;
+DROP ROLE regress_role_15;
+DROP ROLE regress_role_17;
+DROP ROLE regress_role_19;
+DROP ROLE regress_role_20;
+
+-- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_role_6;
+DROP ROLE regress_role_7;
+DROP ROLE regress_role_8;
+DROP ROLE regress_role_9;
+DROP ROLE regress_role_10;
+DROP ROLE regress_role_11;
+DROP ROLE regress_role_12;
+DROP ROLE regress_role_13;
+DROP ROLE regress_role_16;
+DROP ROLE regress_role_18;
+DROP ROLE regress_role_21;
+DROP ROLE regress_role_23;
+DROP ROLE regress_role_24;
+DROP ROLE regress_role_25;
+DROP ROLE regress_role_26;
+DROP ROLE regress_role_27;
+DROP ROLE regress_role_28;
+DROP ROLE regress_role_29;
+DROP ROLE regress_role_30;
+DROP ROLE regress_role_31;
+DROP ROLE regress_role_32;
+
+-- fail, role still owns database objects
+DROP ROLE regress_role_22;
+
+-- fail, cannot drop ourself nor superusers
+DROP ROLE regress_role_super;
+DROP ROLE regress_role_1;
+
+-- ok
+RESET SESSION AUTHORIZATION;
+DROP INDEX regress_idx_22;
+DROP TABLE regress_tbl_22;
+DROP VIEW regress_view_22;
+DROP ROLE regress_role_22;
+DROP ROLE regress_role_1;
+DROP ROLE regress_role_super;
-- 
2.21.1 (Apple Git-122.3)

From 5ed5697400c26e369956c24652c689d72fbb4242 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 4 Jan 2022 11:19:32 -0800
Subject: [PATCH v4 2/5] Add owners to roles

All roles now have owners.  By default, roles belong to the role
that created them, and initdb-time roles are owned by POSTGRES.

This is a preparatory patch for changing how CREATEROLE works.
---
 src/backend/catalog/aclchk.c                  |  59 ++++++-
 src/backend/catalog/pg_shdepend.c             |   5 +
 src/backend/catalog/system_views.sql          |   1 +
 src/backend/commands/alter.c                  |   3 +
 src/backend/commands/user.c                   | 148 +++++++++++++++++-
 src/backend/nodes/copyfuncs.c                 |   1 +
 src/backend/nodes/equalfuncs.c                |   1 +
 src/backend/parser/gram.y                     |  23 +++
 src/bin/psql/describe.c                       |  12 ++
 src/include/catalog/pg_authid.h               |   1 +
 src/include/commands/user.h                   |   2 +
 src/include/nodes/parsenodes.h                |   1 +
 src/include/utils/acl.h                       |   1 +
 .../unsafe_tests/expected/rolenames.out       |   6 +-
 .../modules/unsafe_tests/sql/rolenames.sql    |   3 +-
 src/test/regress/expected/create_role.out     | 136 ++++++++++++++--
 src/test/regress/expected/oidjoins.out        |   1 +
 src/test/regress/expected/privileges.out      |   9 +-
 src/test/regress/expected/rules.out           |   1 +
 src/test/regress/sql/create_role.sql          |  67 +++++++-
 src/test/regress/sql/privileges.sql           |  10 +-
 21 files changed, 470 insertions(+), 21 deletions(-)

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index ce0a4ff14e..ddd205d656 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -3385,6 +3385,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("permission denied for publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("permission denied for role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("permission denied for routine %s");
 						break;
@@ -3429,7 +3432,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_RULE:
 					case OBJECT_TABCONSTRAINT:
 					case OBJECT_TRANSFORM:
@@ -3511,6 +3513,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("must be owner of publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("must be owner of role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("must be owner of routine %s");
 						break;
@@ -3569,7 +3574,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_TRANSFORM:
 					case OBJECT_TSPARSER:
 					case OBJECT_TSTEMPLATE:
@@ -5430,6 +5434,57 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 	return has_privs_of_role(roleid, ownerId);
 }
 
+/*
+ * Ownership check for a role (specified by OID)
+ */
+bool
+pg_role_ownercheck(Oid role_oid, Oid roleid)
+{
+	HeapTuple		tuple;
+	Form_pg_authid	authform;
+	Oid				owner_oid;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	/* Otherwise, look up the owner of the role */
+	tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
+	if (!HeapTupleIsValid(tuple))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role with OID %u does not exist",
+						role_oid)));
+	authform = (Form_pg_authid) GETSTRUCT(tuple);
+	owner_oid = authform->rolowner;
+
+	/*
+	 * Roles must necessarily have owners.  Even the bootstrap user has an
+	 * owner.  (It owns itself).  Other roles must form a proper tree.
+	 */
+	if (!OidIsValid(owner_oid))
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u has invalid owner",
+						authform->rolname.data, authform->oid)));
+	if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+		authform->rolowner == authform->oid)
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u owns itself",
+						authform->rolname.data, authform->oid)));
+	if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+		authform->rolowner != BOOTSTRAP_SUPERUSERID)
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+						authform->rolname.data, authform->oid,
+						authform->rolowner)));
+	ReleaseSysCache(tuple);
+
+	return (owner_oid == roleid);
+}
+
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
  *
diff --git a/src/backend/catalog/pg_shdepend.c b/src/backend/catalog/pg_shdepend.c
index c20b1fbb96..9842a35a41 100644
--- a/src/backend/catalog/pg_shdepend.c
+++ b/src/backend/catalog/pg_shdepend.c
@@ -61,6 +61,7 @@
 #include "commands/tablecmds.h"
 #include "commands/tablespace.h"
 #include "commands/typecmds.h"
+#include "commands/user.h"
 #include "miscadmin.h"
 #include "storage/lmgr.h"
 #include "utils/acl.h"
@@ -1578,6 +1579,10 @@ shdepReassignOwned(List *roleids, Oid newrole)
 					AlterSubscriptionOwner_oid(sdepForm->objid, newrole);
 					break;
 
+				case AuthIdRelationId:
+					AlterRoleOwner_oid(sdepForm->objid, newrole);
+					break;
+
 					/* Generic alter owner cases */
 				case CollationRelationId:
 				case ConversionRelationId:
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index 61b515cdb8..85f8fc7d4c 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -17,6 +17,7 @@
 CREATE VIEW pg_roles AS
     SELECT
         rolname,
+        pg_get_userbyid(rolowner) AS rolowner,
         rolsuper,
         rolinherit,
         rolcreaterole,
diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
index 40044070cf..eb407cfc4c 100644
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@@ -840,6 +840,9 @@ ExecAlterOwnerStmt(AlterOwnerStmt *stmt)
 		case OBJECT_DATABASE:
 			return AlterDatabaseOwner(strVal(stmt->object), newowner);
 
+		case OBJECT_ROLE:
+			return AlterRoleOwner(strVal(stmt->object), newowner);
+
 		case OBJECT_SCHEMA:
 			return AlterSchemaOwner(strVal(stmt->object), newowner);
 
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index aa69821be4..14820744bf 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -55,6 +55,8 @@ static void AddRoleMems(const char *rolename, Oid roleid,
 static void DelRoleMems(const char *rolename, Oid roleid,
 						List *memberSpecs, List *memberIds,
 						bool admin_opt);
+static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
+									Oid newOwnerId);
 
 
 /* Check if current user has createrole privileges */
@@ -77,6 +79,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	Datum		new_record[Natts_pg_authid];
 	bool		new_record_nulls[Natts_pg_authid];
 	Oid			roleid;
+	Oid			owner_uid;
+	Oid			saved_uid;
+	int			save_sec_context;
 	ListCell   *item;
 	ListCell   *option;
 	char	   *password = NULL;	/* user password */
@@ -108,6 +113,16 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	DefElem    *dvalidUntil = NULL;
 	DefElem    *dbypassRLS = NULL;
 
+	GetUserIdAndSecContext(&saved_uid, &save_sec_context);
+
+	/*
+	 * Who is supposed to own the new role?
+	 */
+	if (stmt->authrole)
+		owner_uid = get_rolespec_oid(stmt->authrole, false);
+	else
+		owner_uid = saved_uid;
+
 	/* The defaults can vary depending on the original statement type */
 	switch (stmt->stmt_type)
 	{
@@ -254,6 +269,10 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to create superusers")));
+		if (!superuser_arg(owner_uid))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must be superuser to own superusers")));
 	}
 	else if (isreplication)
 	{
@@ -310,6 +329,19 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 				 errmsg("role \"%s\" already exists",
 						stmt->role)));
 
+	/*
+	 * If the requested authorization is different from the current user,
+	 * temporarily set the current user so that the object(s) will be created
+	 * with the correct ownership.
+	 *
+	 * (The setting will be restored at the end of this routine, or in case of
+	 * error, transaction abort will clean things up.)
+	 */
+	if (saved_uid != owner_uid)
+		SetUserIdAndSecContext(owner_uid,
+							   save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+
+
 	/* Convert validuntil to internal form */
 	if (validUntil)
 	{
@@ -345,6 +377,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 		DirectFunctionCall1(namein, CStringGetDatum(stmt->role));
 
 	new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper);
+	new_record[Anum_pg_authid_rolowner - 1] = ObjectIdGetDatum(owner_uid);
 	new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
 	new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
 	new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
@@ -422,6 +455,8 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	CatalogTupleInsert(pg_authid_rel, tuple);
 
+	recordDependencyOnOwner(AuthIdRelationId, roleid, owner_uid);
+
 	/*
 	 * Advance command counter so we can see new record; else tests in
 	 * AddRoleMems may fail.
@@ -478,6 +513,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	table_close(pg_authid_rel, NoLock);
 
+	/* Reset current user and security context */
+	SetUserIdAndSecContext(saved_uid, save_sec_context);
+
 	return roleid;
 }
 
@@ -1078,8 +1116,9 @@ DropRole(DropRoleStmt *stmt)
 		systable_endscan(sscan);
 
 		/*
-		 * Remove any comments or security labels on this role.
+		 * Remove any dependencies, comments or security labels on this role.
 		 */
+		deleteSharedDependencyRecordsFor(AuthIdRelationId, roleid, 0);
 		DeleteSharedComments(roleid, AuthIdRelationId);
 		DeleteSharedSecurityLabel(roleid, AuthIdRelationId);
 
@@ -1675,3 +1714,110 @@ DelRoleMems(const char *rolename, Oid roleid,
 	 */
 	table_close(pg_authmem_rel, NoLock);
 }
+
+/*
+ * Change role owner
+ */
+ObjectAddress
+AlterRoleOwner(const char *name, Oid newOwnerId)
+{
+	Oid                     roleid;
+	HeapTuple       tup;
+	Relation        rel;
+	ObjectAddress address;
+	Form_pg_authid authform;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHNAME, CStringGetDatum(name));
+	if (!HeapTupleIsValid(tup))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role \"%s\" does not exist", name)));
+
+	authform = (Form_pg_authid) GETSTRUCT(tup);
+	roleid = authform->oid;
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ObjectAddressSet(address, AuthIdRelationId, roleid);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+
+	return address;
+}
+
+void
+AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId)
+{
+	HeapTuple	tup;
+	Relation	rel;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleOid));
+	if (!HeapTupleIsValid(tup))
+		elog(ERROR, "cache lookup failed for role %u", roleOid);
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+}
+
+static void
+AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
+{
+	Form_pg_authid authForm;
+
+	Assert(tup->t_tableOid == AuthIdRelationId);
+	Assert(RelationGetRelid(rel) == AuthIdRelationId);
+
+	authForm = (Form_pg_authid) GETSTRUCT(tup);
+
+	/*
+	 * If the new owner is the same as the existing owner, consider the
+	 * command to have succeeded.  This is for dump restoration purposes.
+	 */
+	if (authForm->rolowner != newOwnerId)
+	{
+		/* Otherwise, must be owner of the existing object */
+		if (!pg_role_ownercheck(authForm->oid, GetUserId()))
+			aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		/* Must be able to become new owner */
+		check_is_member_of_role(GetUserId(), newOwnerId);
+
+		/*
+		 * must have CREATEROLE rights
+		 *
+		 * NOTE: This is different from most other alter-owner checks in that
+		 * the current user is checked for create privileges instead of the
+		 * destination owner.  This is consistent with the CREATE case for
+		 * roles.  Because superusers will always have this right, we need no
+		 * special case for them.
+		 */
+		if (!have_createrole_privilege())
+			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		/* Only the bootstrap superuser is allowed to own itself. */
+		if (newOwnerId != BOOTSTRAP_SUPERUSERID && authForm->oid == newOwnerId)
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("role may not own itself")));
+
+		authForm->rolowner = newOwnerId;
+		CatalogTupleUpdate(rel, &tup->t_self, tup);
+
+		/* Update owner dependency reference */
+		changeDependencyOnOwner(AuthIdRelationId, authForm->oid, newOwnerId);
+	}
+
+	InvokeObjectPostAlterHook(AuthIdRelationId,
+							  authForm->oid, 0);
+}
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
index 18e778e856..e26f3c0a64 100644
--- a/src/backend/nodes/copyfuncs.c
+++ b/src/backend/nodes/copyfuncs.c
@@ -4519,6 +4519,7 @@ _copyCreateRoleStmt(const CreateRoleStmt *from)
 
 	COPY_SCALAR_FIELD(stmt_type);
 	COPY_STRING_FIELD(role);
+	COPY_NODE_FIELD(authrole);
 	COPY_NODE_FIELD(options);
 
 	return newnode;
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
index cb7ddd463c..f717f5d1e0 100644
--- a/src/backend/nodes/equalfuncs.c
+++ b/src/backend/nodes/equalfuncs.c
@@ -2128,6 +2128,7 @@ _equalCreateRoleStmt(const CreateRoleStmt *a, const CreateRoleStmt *b)
 {
 	COMPARE_SCALAR_FIELD(stmt_type);
 	COMPARE_STRING_FIELD(role);
+	COMPARE_NODE_FIELD(authrole);
 	COMPARE_NODE_FIELD(options);
 
 	return true;
diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
index 6dddc07947..48b9b0cfbe 100644
--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -1077,9 +1077,20 @@ CreateRoleStmt:
 					CreateRoleStmt *n = makeNode(CreateRoleStmt);
 					n->stmt_type = ROLESTMT_ROLE;
 					n->role = $3;
+					n->authrole = NULL;
 					n->options = $5;
 					$$ = (Node *)n;
 				}
+			|
+			CREATE ROLE RoleId AUTHORIZATION RoleSpec opt_with OptRoleList
+				{
+					CreateRoleStmt *n = makeNode(CreateRoleStmt);
+					n->stmt_type = ROLESTMT_ROLE;
+					n->role = $3;
+					n->authrole = $5;
+					n->options = $7;
+					$$ = (Node *)n;
+				}
 		;
 
 
@@ -1218,6 +1229,10 @@ CreateOptRoleElem:
 				{
 					$$ = makeDefElem("addroleto", (Node *)$3, @1);
 				}
+			| OWNER RoleSpec
+				{
+					$$ = makeDefElem("owner", (Node *)$2, @1);
+				}
 		;
 
 
@@ -9585,6 +9600,14 @@ AlterOwnerStmt: ALTER AGGREGATE aggregate_with_argtypes OWNER TO RoleSpec
 					n->newowner = $6;
 					$$ = (Node *)n;
 				}
+			| ALTER ROLE name OWNER TO RoleSpec
+				{
+					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
+					n->objectType = OBJECT_ROLE;
+					n->object = (Node *) makeString($3);
+					n->newowner = $6;
+					$$ = (Node *)n;
+				}
 			| ALTER ROUTINE function_with_argtypes OWNER TO RoleSpec
 				{
 					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
diff --git a/src/bin/psql/describe.c b/src/bin/psql/describe.c
index c28788e84f..3d3b30f289 100644
--- a/src/bin/psql/describe.c
+++ b/src/bin/psql/describe.c
@@ -3488,6 +3488,12 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 		appendPQExpBufferStr(&buf, "\n, r.rolbypassrls");
 	}
 
+	if (pset.sversion >= 150000)
+	{
+		appendPQExpBufferStr(&buf, "\n, r.rolowner");
+		ncols++;
+	}
+
 	appendPQExpBufferStr(&buf, "\nFROM pg_catalog.pg_roles r\n");
 
 	if (!showSystem && !pattern)
@@ -3508,6 +3514,8 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	printTableInit(&cont, &myopt, _("List of roles"), ncols, nrows);
 
 	printTableAddHeader(&cont, gettext_noop("Role name"), true, align);
+	if (pset.sversion >= 150000)
+		printTableAddHeader(&cont, gettext_noop("Owner"), true, align);
 	printTableAddHeader(&cont, gettext_noop("Attributes"), true, align);
 	/* ignores implicit memberships from superuser & pg_database_owner */
 	printTableAddHeader(&cont, gettext_noop("Member of"), true, align);
@@ -3519,6 +3527,10 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	{
 		printTableAddCell(&cont, PQgetvalue(res, i, 0), false, false);
 
+		if (pset.sversion >= 150000)
+			printTableAddCell(&cont, PQgetvalue(res, i, (verbose ? 12 : 11)),
+							  false, false);
+
 		resetPQExpBuffer(&buf);
 		if (strcmp(PQgetvalue(res, i, 1), "t") == 0)
 			add_role_attribute(&buf, _("Superuser"));
diff --git a/src/include/catalog/pg_authid.h b/src/include/catalog/pg_authid.h
index 2d7115e31d..cce43388d8 100644
--- a/src/include/catalog/pg_authid.h
+++ b/src/include/catalog/pg_authid.h
@@ -32,6 +32,7 @@ CATALOG(pg_authid,1260,AuthIdRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_OID(284
 {
 	Oid			oid;			/* oid */
 	NameData	rolname;		/* name of role */
+	Oid			rolowner BKI_DEFAULT(POSTGRES) BKI_LOOKUP(pg_authid); /* owner of this role */
 	bool		rolsuper;		/* read this field via superuser() only! */
 	bool		rolinherit;		/* inherit privileges from other roles? */
 	bool		rolcreaterole;	/* allowed to create more roles? */
diff --git a/src/include/commands/user.h b/src/include/commands/user.h
index 0b7a3cd65f..c32127e41e 100644
--- a/src/include/commands/user.h
+++ b/src/include/commands/user.h
@@ -33,5 +33,7 @@ extern ObjectAddress RenameRole(const char *oldname, const char *newname);
 extern void DropOwnedObjects(DropOwnedStmt *stmt);
 extern void ReassignOwnedObjects(ReassignOwnedStmt *stmt);
 extern List *roleSpecsToIds(List *memberNames);
+extern ObjectAddress AlterRoleOwner(const char *name, Oid newOwnerId);
+extern void AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId);
 
 #endif							/* USER_H */
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 593e301f7a..1a211924a8 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -2622,6 +2622,7 @@ typedef struct CreateRoleStmt
 	NodeTag		type;
 	RoleStmtType stmt_type;		/* ROLE/USER/GROUP */
 	char	   *role;			/* role name */
+	RoleSpec   *authrole;		/* the owner of the created role */
 	List	   *options;		/* List of DefElem nodes */
 } CreateRoleStmt;
 
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index af771c901d..ec9d480d67 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -316,6 +316,7 @@ extern bool pg_extension_ownercheck(Oid ext_oid, Oid roleid);
 extern bool pg_publication_ownercheck(Oid pub_oid, Oid roleid);
 extern bool pg_subscription_ownercheck(Oid sub_oid, Oid roleid);
 extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
+extern bool pg_role_ownercheck(Oid role_oid, Oid roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
 
diff --git a/src/test/modules/unsafe_tests/expected/rolenames.out b/src/test/modules/unsafe_tests/expected/rolenames.out
index eb608fdc2e..8b79a63b80 100644
--- a/src/test/modules/unsafe_tests/expected/rolenames.out
+++ b/src/test/modules/unsafe_tests/expected/rolenames.out
@@ -1086,6 +1086,10 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 \c
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
+ERROR:  role "regress_testrol2" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_haspriv
+owner of role regress_role_nopriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/modules/unsafe_tests/sql/rolenames.sql b/src/test/modules/unsafe_tests/sql/rolenames.sql
index adac36536d..95a54ce70d 100644
--- a/src/test/modules/unsafe_tests/sql/rolenames.sql
+++ b/src/test/modules/unsafe_tests/sql/rolenames.sql
@@ -499,6 +499,7 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 57010bbb58..7a5b830de7 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -1,6 +1,7 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_1;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_2 SUPERUSER;
@@ -11,14 +12,98 @@ CREATE ROLE regress_role_4 REPLICATION;
 ERROR:  must be superuser to create replication users
 CREATE ROLE regress_role_5 BYPASSRLS;
 ERROR:  must be superuser to create bypassrls users
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
+ERROR:  must be superuser to own superusers
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
+-- ok, superuser can create users with these privileges for normal role
+CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
+CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
+CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
+\du+ regress_role_2
+                                      List of roles
+   Role name    |       Owner        |       Attributes        | Member of | Description 
+----------------+--------------------+-------------------------+-----------+-------------
+ regress_role_2 | regress_role_super | Superuser, Cannot login | {}        | 
+
+\du+ regress_role_3
+                                           List of roles
+   Role name    |     Owner      |              Attributes               | Member of | Description 
+----------------+----------------+---------------------------------------+-----------+-------------
+ regress_role_3 | regress_role_1 | Cannot login, Replication, Bypass RLS | {}        | 
+
+\du+ regress_role_4
+                                     List of roles
+   Role name    |     Owner      |        Attributes         | Member of | Description 
+----------------+----------------+---------------------------+-----------+-------------
+ regress_role_4 | regress_role_1 | Cannot login, Replication | {}        | 
+
+\du+ regress_role_5
+                                    List of roles
+   Role name    |     Owner      |        Attributes        | Member of | Description 
+----------------+----------------+--------------------------+-----------+-------------
+ regress_role_5 | regress_role_1 | Cannot login, Bypass RLS | {}        | 
+
+-- fail, roles are not allowed to own themselves
+ALTER ROLE regress_role_5 OWNER TO regress_role_5;
+ERROR:  role may not own itself
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
 CREATE ROLE regress_role_8 LOGIN;
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
-CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_role_12 PASSWORD NULL;
+CREATE ROLE regress_role_11 PASSWORD NULL;
+CREATE ROLE regress_role_12
+  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+\du+ regress_role_6
+                                    List of roles
+   Role name    |     Owner      |       Attributes        | Member of | Description 
+----------------+----------------+-------------------------+-----------+-------------
+ regress_role_6 | regress_role_1 | Create DB, Cannot login | {}        | 
+
+\du+ regress_role_7
+                                     List of roles
+   Role name    |     Owner      |        Attributes         | Member of | Description 
+----------------+----------------+---------------------------+-----------+-------------
+ regress_role_7 | regress_role_1 | Create role, Cannot login | {}        | 
+
+\du+ regress_role_8
+                             List of roles
+   Role name    |     Owner      | Attributes | Member of | Description 
+----------------+----------------+------------+-----------+-------------
+ regress_role_8 | regress_role_1 |            | {}        | 
+
+\du+ regress_role_9
+                              List of roles
+   Role name    |     Owner      |  Attributes  | Member of | Description 
+----------------+----------------+--------------+-----------+-------------
+ regress_role_9 | regress_role_1 | Cannot login | {}        | 
+
+\du+ regress_role_10
+                               List of roles
+    Role name    |     Owner      |  Attributes   | Member of | Description 
+-----------------+----------------+---------------+-----------+-------------
+ regress_role_10 | regress_role_1 | Cannot login +| {}        | 
+                 |                | 5 connections |           | 
+
+\du+ regress_role_11
+                               List of roles
+    Role name    |     Owner      |  Attributes  | Member of | Description 
+-----------------+----------------+--------------+-----------+-------------
+ regress_role_11 | regress_role_1 | Cannot login | {}        | 
+
+\du+ regress_role_12
+                                                      List of roles
+    Role name    |     Owner      |       Attributes       |                   Member of                    | Description 
+-----------------+----------------+------------------------+------------------------------------------------+-------------
+ regress_role_12 | regress_role_1 | Create role, Create DB+| {regress_role_6,regress_role_7,regress_role_8} | 
+                 |                | 2 connections          |                                                | 
+
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_role_13 SYSID 12345;
 NOTICE:  SYSID can no longer be specified
@@ -84,16 +169,24 @@ CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
 CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot take ownership of these objects from regress_role_7
 SET SESSION AUTHORIZATION regress_role_1;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+ERROR:  must be owner of role regress_role_20
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+ERROR:  permission denied to reassign objects
+-- superuser can do it, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_role_2;
-ERROR:  role "regress_role_2" does not exist
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
-ERROR:  role "regress_role_3" does not exist
 DROP ROLE regress_role_4;
-ERROR:  role "regress_role_4" does not exist
 DROP ROLE regress_role_5;
-ERROR:  role "regress_role_5" does not exist
 DROP ROLE regress_role_14;
 ERROR:  role "regress_role_14" does not exist
 DROP ROLE regress_role_15;
@@ -103,9 +196,23 @@ ERROR:  role "regress_role_17" does not exist
 DROP ROLE regress_role_19;
 ERROR:  role "regress_role_19" does not exist
 DROP ROLE regress_role_20;
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_role_6;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_role_7;
+ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_21
+owner of role regress_role_22
+owner of role regress_role_23
+owner of role regress_role_24
+owner of role regress_role_25
+owner of role regress_role_26
+owner of role regress_role_27
+owner of role regress_role_28
+owner of role regress_role_29
+owner of role regress_role_30
+owner of role regress_role_31
+owner of role regress_role_32
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_role_6;
 DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
@@ -130,6 +237,10 @@ DROP ROLE regress_role_22;
 ERROR:  role "regress_role_22" cannot be dropped because some objects depend on it
 DETAIL:  owner of table regress_tbl_22
 owner of view regress_view_22
+-- fail, role still owns other roles
+DROP ROLE regress_role_7;
+ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_22
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
@@ -141,5 +252,12 @@ DROP INDEX regress_idx_22;
 DROP TABLE regress_tbl_22;
 DROP VIEW regress_view_22;
 DROP ROLE regress_role_22;
+DROP ROLE regress_role_7;
+-- fail, cannot drop role with remaining privileges
+DROP ROLE regress_role_1;
+ERROR:  role "regress_role_1" cannot be dropped because some objects depend on it
+DETAIL:  privileges for database regression
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_1;
 DROP ROLE regress_role_1;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/expected/oidjoins.out b/src/test/regress/expected/oidjoins.out
index 215eb899be..266a30a85b 100644
--- a/src/test/regress/expected/oidjoins.out
+++ b/src/test/regress/expected/oidjoins.out
@@ -194,6 +194,7 @@ NOTICE:  checking pg_database {dattablespace} => pg_tablespace {oid}
 NOTICE:  checking pg_db_role_setting {setdatabase} => pg_database {oid}
 NOTICE:  checking pg_db_role_setting {setrole} => pg_authid {oid}
 NOTICE:  checking pg_tablespace {spcowner} => pg_authid {oid}
+NOTICE:  checking pg_authid {rolowner} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {roleid} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {member} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {grantor} => pg_authid {oid}
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 291e21d7a6..9ce619fd5f 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -27,8 +27,10 @@ CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
 CREATE USER regress_priv_user5;	-- duplicate
 ERROR:  role "regress_priv_user5" already exists
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 CREATE USER regress_priv_user8;
 CREATE USER regress_priv_user9;
 CREATE USER regress_priv_user10;
@@ -2356,7 +2358,12 @@ DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
 DROP USER regress_priv_user6;
+ERROR:  role "regress_priv_user6" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_priv_user7
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 ERROR:  role "regress_priv_user8" does not exist
 -- permissions with LOCK TABLE
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index b58b062b10..6bce5a005d 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1482,6 +1482,7 @@ pg_replication_slots| SELECT l.slot_name,
    FROM (pg_get_replication_slots() l(slot_name, plugin, slot_type, datoid, temporary, active, active_pid, xmin, catalog_xmin, restart_lsn, confirmed_flush_lsn, wal_status, safe_wal_size, two_phase)
      LEFT JOIN pg_database d ON ((l.datoid = d.oid)));
 pg_roles| SELECT pg_authid.rolname,
+    pg_get_userbyid(pg_authid.rolowner) AS rolowner,
     pg_authid.rolsuper,
     pg_authid.rolinherit,
     pg_authid.rolcreaterole,
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index e00893de4e..71fe01ad5d 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -1,6 +1,7 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_1 CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_1;
 
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_1;
@@ -9,14 +10,45 @@ CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
 CREATE ROLE regress_role_4 REPLICATION;
 CREATE ROLE regress_role_5 BYPASSRLS;
 
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
+
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
+
+-- ok, superuser can create users with these privileges for normal role
+CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
+CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
+CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
+
+\du+ regress_role_2
+\du+ regress_role_3
+\du+ regress_role_4
+\du+ regress_role_5
+
+-- fail, roles are not allowed to own themselves
+ALTER ROLE regress_role_5 OWNER TO regress_role_5;
+
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
 CREATE ROLE regress_role_8 LOGIN;
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
-CREATE ROLE regress_role_11 ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_role_12 PASSWORD NULL;
+CREATE ROLE regress_role_11 PASSWORD NULL;
+CREATE ROLE regress_role_12
+  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+
+\du+ regress_role_6
+\du+ regress_role_7
+\du+ regress_role_8
+\du+ regress_role_9
+\du+ regress_role_10
+\du+ regress_role_11
+\du+ regress_role_12
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_role_13 SYSID 12345;
@@ -86,9 +118,22 @@ CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
 
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot take ownership of these objects from regress_role_7
 SET SESSION AUTHORIZATION regress_role_1;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+
+-- superuser can do it, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_role_20 OWNER TO regress_role_1;
+REASSIGN OWNED BY regress_role_20 TO regress_role_1;
+
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_role_2;
+
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
 DROP ROLE regress_role_4;
 DROP ROLE regress_role_5;
@@ -98,9 +143,11 @@ DROP ROLE regress_role_17;
 DROP ROLE regress_role_19;
 DROP ROLE regress_role_20;
 
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_role_6;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_role_7;
+
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_role_6;
 DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
@@ -124,6 +171,9 @@ DROP ROLE regress_role_32;
 -- fail, role still owns database objects
 DROP ROLE regress_role_22;
 
+-- fail, role still owns other roles
+DROP ROLE regress_role_7;
+
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_1;
@@ -134,5 +184,12 @@ DROP INDEX regress_idx_22;
 DROP TABLE regress_tbl_22;
 DROP VIEW regress_view_22;
 DROP ROLE regress_role_22;
+DROP ROLE regress_role_7;
+
+-- fail, cannot drop role with remaining privileges
+DROP ROLE regress_role_1;
+
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_1;
 DROP ROLE regress_role_1;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index c8c545b64c..dcf84f91fd 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -30,8 +30,10 @@ CREATE USER regress_priv_user3;
 CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
 CREATE USER regress_priv_user5;	-- duplicate
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 CREATE USER regress_priv_user8;
 CREATE USER regress_priv_user9;
 CREATE USER regress_priv_user10;
@@ -1426,8 +1428,14 @@ DROP USER regress_priv_user2;
 DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
+
 DROP USER regress_priv_user6;
+
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 
 
-- 
2.21.1 (Apple Git-122.3)

From 1784a5b51d4dbebf99798b5832d92b0f585feb08 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 4 Jan 2022 11:42:27 -0800
Subject: [PATCH v4 3/5] Give role owners control over owned roles

Create a role ownership hierarchy.  The previous commit added owners
to roles.  This goes further, making role ownership transitive.  If
role A owns role B, and role B owns role C, then role A can act as
the owner of role C.  Also, roles A and B can perform any action on
objects belonging to role C that role C could itself perform.

This is a preparatory patch for changing how CREATEROLE works.
---
 src/backend/catalog/aclchk.c                  |  51 +-------
 src/backend/catalog/objectaddress.c           |  22 +---
 src/backend/commands/schemacmds.c             |   2 +-
 src/backend/commands/user.c                   |  28 +++--
 src/backend/utils/adt/acl.c                   | 118 ++++++++++++++++++
 src/include/utils/acl.h                       |   1 +
 .../expected/dummy_seclabel.out               |  12 +-
 .../dummy_seclabel/sql/dummy_seclabel.sql     |  12 +-
 src/test/regress/expected/create_role.out     |  68 ++++------
 src/test/regress/sql/create_role.sql          |  44 +++----
 10 files changed, 207 insertions(+), 151 deletions(-)

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index ddd205d656..ef36fad700 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5440,61 +5440,20 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 bool
 pg_role_ownercheck(Oid role_oid, Oid roleid)
 {
-	HeapTuple		tuple;
-	Form_pg_authid	authform;
-	Oid				owner_oid;
-
 	/* Superusers bypass all permission checking. */
 	if (superuser_arg(roleid))
 		return true;
 
-	/* Otherwise, look up the owner of the role */
-	tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
-	if (!HeapTupleIsValid(tuple))
-		ereport(ERROR,
-				(errcode(ERRCODE_UNDEFINED_OBJECT),
-				 errmsg("role with OID %u does not exist",
-						role_oid)));
-	authform = (Form_pg_authid) GETSTRUCT(tuple);
-	owner_oid = authform->rolowner;
-
-	/*
-	 * Roles must necessarily have owners.  Even the bootstrap user has an
-	 * owner.  (It owns itself).  Other roles must form a proper tree.
-	 */
-	if (!OidIsValid(owner_oid))
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u has invalid owner",
-						authform->rolname.data, authform->oid)));
-	if (authform->oid != BOOTSTRAP_SUPERUSERID &&
-		authform->rolowner == authform->oid)
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u owns itself",
-						authform->rolname.data, authform->oid)));
-	if (authform->oid == BOOTSTRAP_SUPERUSERID &&
-		authform->rolowner != BOOTSTRAP_SUPERUSERID)
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u owned by role with OID %u",
-						authform->rolname.data, authform->oid,
-						authform->rolowner)));
-	ReleaseSysCache(tuple);
-
-	return (owner_oid == roleid);
+	/* Otherwise, check the role ownership hierarchy */
+	return is_owner_of_role_nosuper(roleid, role_oid);
 }
 
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
  *
- * Note: roles do not have owners per se; instead we use this test in
- * places where an ownership-like permissions test is needed for a role.
- * Be sure to apply it to the role trying to do the operation, not the
- * role being operated on!	Also note that this generally should not be
- * considered enough privilege if the target role is a superuser.
- * (We don't handle that consideration here because we want to give a
- * separate error message for such cases, so the caller has to deal with it.)
+ * Note: In versions prior to PostgreSQL version 15, roles did not have owners
+ * per se; instead we used this test in places where an ownership-like
+ * permissions test was needed for a role.
  */
 bool
 has_createrole_privilege(Oid roleid)
diff --git a/src/backend/catalog/objectaddress.c b/src/backend/catalog/objectaddress.c
index 2bae3fbb17..cc19409ca3 100644
--- a/src/backend/catalog/objectaddress.c
+++ b/src/backend/catalog/objectaddress.c
@@ -2596,25 +2596,9 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
 							   NameListToString(castNode(List, object)));
 			break;
 		case OBJECT_ROLE:
-
-			/*
-			 * We treat roles as being "owned" by those with CREATEROLE priv,
-			 * except that superusers are only owned by superusers.
-			 */
-			if (superuser_arg(address.objectId))
-			{
-				if (!superuser_arg(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must be superuser")));
-			}
-			else
-			{
-				if (!has_createrole_privilege(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must have CREATEROLE privilege")));
-			}
+			if (!pg_role_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, objtype,
+							   strVal(object));
 			break;
 		case OBJECT_TSPARSER:
 		case OBJECT_TSTEMPLATE:
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
index 6c6ab9ee34..3447806756 100644
--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
@@ -363,7 +363,7 @@ AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		/*
 		 * must have create-schema rights
 		 *
-		 * NOTE: This is different from other alter-owner checks in that the
+		 * NOTE: This is different from most other alter-owner checks in that the
 		 * current user is checked for create privileges instead of the
 		 * destination owner.  This is consistent with the CREATE case for
 		 * schemas.  Because superusers will always have this right, we need
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 14820744bf..11d5dffc90 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -724,7 +724,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 			  !rolemembers &&
 			  !validUntil &&
 			  dpassword &&
-			  roleid == GetUserId()))
+			  !pg_role_ownercheck(roleid, GetUserId())))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied")));
@@ -925,7 +925,8 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() && roleid != GetUserId())
+			if (!have_createrole_privilege() &&
+				!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -977,11 +978,6 @@ DropRole(DropRoleStmt *stmt)
 				pg_auth_members_rel;
 	ListCell   *item;
 
-	if (!have_createrole_privilege())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied to drop role")));
-
 	/*
 	 * Scan the pg_authid relation to find the Oid of the role(s) to be
 	 * deleted.
@@ -1053,6 +1049,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
+		if (!have_createrole_privilege() &&
+			!pg_role_ownercheck(roleid, GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("permission denied to drop role")));
+
 		/* DROP hook for the role being removed */
 		InvokeObjectDropHook(AuthIdRelationId, roleid, 0);
 
@@ -1811,6 +1813,18 @@ AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("role may not own itself")));
 
+		/*
+		 * Must not create cycles in the role ownership hierarchy.  If this
+		 * role owns (directly or indirectly) the proposed new owner, disallow
+		 * the ownership transfer.
+		 */
+		if (is_owner_of_role_nosuper(authForm->oid, newOwnerId))
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("role \"%s\" may not both own and be owned by role \"%s\"",
+							NameStr(authForm->rolname),
+							GetUserNameFromId(newOwnerId, false))));
+
 		authForm->rolowner = newOwnerId;
 		CatalogTupleUpdate(rel, &tup->t_self, tup);
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 67f8b29434..bcb7a50642 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4832,6 +4832,111 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 }
 
 
+/*
+ * Get a list of roles which own the given role, directly or indirectly.
+ *
+ * Each role has only one direct owner.  The returned list contains the given
+ * role's owner, that role's owner, etc., up to the top of the ownership
+ * hierarchy, which is always the bootstrap superuser.
+ *
+ * Raises an error if any role ownership invariant is violated.  Returns NIL if
+ * the given roleid is invalid.
+ */
+static List *
+roles_is_owned_by(Oid roleid)
+{
+	List	   *owners_list = NIL;
+	Oid			role_oid = roleid;
+
+	/*
+	 * Start with the current role and follow the ownership chain upwards until
+	 * we reach the bootstrap superuser.  To defend against getting into an
+	 * infinite loop, we must check for ownership cycles.  We choose to perform
+	 * other corruption checks on the ownership structure while iterating, too.
+	 */
+	while (OidIsValid(role_oid))
+	{
+		HeapTuple		tuple;
+		Form_pg_authid	authform;
+		Oid				owner_oid;
+
+		/* Find the owner of the current iteration's role */
+		tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
+		if (!HeapTupleIsValid(tuple))
+			ereport(ERROR,
+					(errcode(ERRCODE_UNDEFINED_OBJECT),
+					 errmsg("role with OID %u does not exist", role_oid)));
+
+		authform = (Form_pg_authid) GETSTRUCT(tuple);
+		owner_oid = authform->rolowner;
+
+		/*
+		 * Roles must necessarily have owners.  Even the bootstrap user has an
+		 * owner.  (It owns itself).
+		 */
+		if (!OidIsValid(owner_oid))
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u has invalid owner",
+							NameStr(authform->rolname), authform->oid)));
+
+		/* The bootstrap user must own itself */
+		if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+			owner_oid != BOOTSTRAP_SUPERUSERID)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+							NameStr(authform->rolname), authform->oid,
+							authform->rolowner)));
+
+		/*
+		 * Roles other than the bootstrap user must not be their own direct
+		 * owners.
+		 */
+		if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+			authform->oid == owner_oid)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owns itself",
+							NameStr(authform->rolname), authform->oid)));
+
+		ReleaseSysCache(tuple);
+
+		/* If we have reached the bootstrap user, we're done. */
+		if (role_oid == BOOTSTRAP_SUPERUSERID)
+		{
+			if (!owners_list)
+				owners_list = lappend_oid(owners_list, owner_oid);
+			break;
+		}
+
+		/*
+		 * For all other users, check they do not own themselves indirectly
+		 * through an ownership cycle.
+		 *
+		 * Scanning the list each time through this loop results in overall
+		 * quadratic work in the depth of the ownership chain, but we're
+		 * not on a critical performance path, nor do we expect ownership
+		 * hierarchies to be deep.
+		 */
+		if (owners_list && list_member_oid(owners_list,
+										   ObjectIdGetDatum(owner_oid)))
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u indirectly owns itself",
+							GetUserNameFromId(owner_oid, false),
+							owner_oid)));
+
+		/* Done with sanity checks.  Add this owner to the list. */
+		owners_list = lappend_oid(owners_list, owner_oid);
+
+		/* Otherwise, iterate on this iteration's owner_oid. */
+		role_oid = owner_oid;
+	}
+
+	return owners_list;
+}
+
 /*
  * Does member have the privileges of role (directly or indirectly)?
  *
@@ -4850,6 +4955,10 @@ has_privs_of_role(Oid member, Oid role)
 	if (superuser_arg(member))
 		return true;
 
+	/* Owners of roles have every privilge the owned role has */
+	if (pg_role_ownercheck(role, member))
+		return true;
+
 	/*
 	 * Find all the roles that member has the privileges of, including
 	 * multi-level recursion, then see if target role is any one of them.
@@ -4921,6 +5030,15 @@ is_member_of_role_nosuper(Oid member, Oid role)
 						   role);
 }
 
+/*
+ * Is owner a direct or indirect owner of the role, not considering
+ * superuserness?
+ */
+bool
+is_owner_of_role_nosuper(Oid owner, Oid role)
+{
+	return list_member_oid(roles_is_owned_by(role), owner);
+}
 
 /*
  * Is member an admin of role?	That is, is member the role itself (subject to
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index ec9d480d67..7f20aaa9f2 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -209,6 +209,7 @@ extern bool has_privs_of_role(Oid member, Oid role);
 extern bool is_member_of_role(Oid member, Oid role);
 extern bool is_member_of_role_nosuper(Oid member, Oid role);
 extern bool is_admin_of_role(Oid member, Oid role);
+extern bool is_owner_of_role_nosuper(Oid owner, Oid role);
 extern void check_is_member_of_role(Oid member, Oid role);
 extern Oid	get_role_oid(const char *rolename, bool missing_ok);
 extern Oid	get_role_oid_or_public(const char *rolename);
diff --git a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
index b2d898a7d1..93cf82b750 100644
--- a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
+++ b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
@@ -7,8 +7,11 @@ SET client_min_messages TO 'warning';
 DROP ROLE IF EXISTS regress_dummy_seclabel_user1;
 DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 RESET client_min_messages;
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
 CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
@@ -19,7 +22,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
@@ -29,6 +32,7 @@ ERROR:  '...invalid label...' is not a valid security label
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
 ERROR:  security label provider "unknown_seclabel" is not loaded
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 ERROR:  must be owner of table dummy_seclabel_tbl2
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
@@ -42,7 +46,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
 ERROR:  '...invalid label...' is not a valid security label
@@ -55,7 +59,7 @@ SECURITY LABEL ON ROLE regress_dummy_seclabel_user3 IS 'unclassified';	-- fail (
 ERROR:  role "regress_dummy_seclabel_user3" does not exist
 SET SESSION AUTHORIZATION regress_dummy_seclabel_user2;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user2 IS 'unclassified';	-- fail (not privileged)
-ERROR:  must have CREATEROLE privilege
+ERROR:  must be owner of role regress_dummy_seclabel_user2
 RESET SESSION AUTHORIZATION;
 --
 -- Test for various types of object
diff --git a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
index 8c347b6a68..bf575343cf 100644
--- a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
+++ b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
@@ -11,8 +11,12 @@ DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 
 RESET client_min_messages;
 
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
@@ -26,7 +30,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
@@ -34,6 +38,8 @@ SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...';	-- fail
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified';	-- fail (not found)
@@ -45,7 +51,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 7a5b830de7..b6cc68eed5 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -58,8 +58,9 @@ CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
 CREATE ROLE regress_role_12
-  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
-  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7;
+COMMENT ON ROLE regress_role_12 IS 'no login test role';
 \du+ regress_role_6
                                     List of roles
    Role name    |     Owner      |       Attributes        | Member of | Description 
@@ -98,11 +99,11 @@ CREATE ROLE regress_role_12
  regress_role_11 | regress_role_1 | Cannot login | {}        | 
 
 \du+ regress_role_12
-                                                      List of roles
-    Role name    |     Owner      |       Attributes       |                   Member of                    | Description 
------------------+----------------+------------------------+------------------------------------------------+-------------
- regress_role_12 | regress_role_1 | Create role, Create DB+| {regress_role_6,regress_role_7,regress_role_8} | 
-                 |                | 2 connections          |                                                | 
+                                                         List of roles
+    Role name    |     Owner      |              Attributes              |            Member of            |    Description     
+-----------------+----------------+--------------------------------------+---------------------------------+--------------------
+ regress_role_12 | regress_role_1 | Create role, Create DB, Cannot login+| {regress_role_6,regress_role_7} | no login test role
+                 |                | 2 connections                        |                                 | 
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_role_13 SYSID 12345;
@@ -143,21 +144,18 @@ CREATE TABLE regress_tbl_22 (i integer);
 CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
 CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
--- fail, these objects belonging to regress_role_22
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_role_7;
 DROP INDEX regress_idx_22;
-ERROR:  must be owner of index regress_idx_22
 ALTER TABLE regress_tbl_22 ADD COLUMN t text;
-ERROR:  must be owner of table regress_tbl_22
 DROP TABLE regress_tbl_22;
-ERROR:  must be owner of table regress_tbl_22
+-- fail, not a member of target role
 ALTER VIEW regress_view_22 OWNER TO regress_role_1;
-ERROR:  must be owner of view regress_view_22
+ERROR:  must be member of role "regress_role_1"
+-- ok
 DROP VIEW regress_view_22;
-ERROR:  must be owner of view regress_view_22
--- fail, cannot take ownership of these objects from regress_role_22
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
-ERROR:  permission denied to reassign objects
 -- ok, having CREATEROLE is enough to create roles in privileged roles
 CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
 CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
@@ -169,14 +167,14 @@ CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
 CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
--- fail, cannot take ownership of these objects from regress_role_7
-SET SESSION AUTHORIZATION regress_role_1;
-ALTER ROLE regress_role_20 OWNER TO regress_role_1;
-ERROR:  must be owner of role regress_role_20
-REASSIGN OWNED BY regress_role_20 TO regress_role_1;
-ERROR:  permission denied to reassign objects
--- superuser can do it, though
+-- fail, cannot create ownership cycles
 RESET SESSION AUTHORIZATION;
+REASSIGN OWNED BY regress_role_1 TO regress_role_22;
+ERROR:  role "regress_role_7" may not both own and be owned by role "regress_role_22"
+ALTER ROLE regress_role_1 OWNER TO regress_role_22;
+ERROR:  role "regress_role_1" may not both own and be owned by role "regress_role_22"
+-- ok, can take ownership from owned roles
+SET SESSION AUTHORIZATION regress_role_1;
 ALTER ROLE regress_role_20 OWNER TO regress_role_1;
 REASSIGN OWNED BY regress_role_20 TO regress_role_1;
 -- ok, superuser roles can drop superuser roles they own
@@ -187,14 +185,6 @@ SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
 DROP ROLE regress_role_4;
 DROP ROLE regress_role_5;
-DROP ROLE regress_role_14;
-ERROR:  role "regress_role_14" does not exist
-DROP ROLE regress_role_15;
-ERROR:  role "regress_role_15" does not exist
-DROP ROLE regress_role_17;
-ERROR:  role "regress_role_17" does not exist
-DROP ROLE regress_role_19;
-ERROR:  role "regress_role_19" does not exist
 DROP ROLE regress_role_20;
 -- fail, cannot drop roles that own other roles
 DROP ROLE regress_role_7;
@@ -222,6 +212,7 @@ DROP ROLE regress_role_13;
 DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
+DROP ROLE regress_role_22;
 DROP ROLE regress_role_23;
 DROP ROLE regress_role_24;
 DROP ROLE regress_role_25;
@@ -232,28 +223,15 @@ DROP ROLE regress_role_29;
 DROP ROLE regress_role_30;
 DROP ROLE regress_role_31;
 DROP ROLE regress_role_32;
--- fail, role still owns database objects
-DROP ROLE regress_role_22;
-ERROR:  role "regress_role_22" cannot be dropped because some objects depend on it
-DETAIL:  owner of table regress_tbl_22
-owner of view regress_view_22
--- fail, role still owns other roles
-DROP ROLE regress_role_7;
-ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
-DETAIL:  owner of role regress_role_22
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
 DROP ROLE regress_role_1;
 ERROR:  current user cannot be dropped
--- ok
-RESET SESSION AUTHORIZATION;
-DROP INDEX regress_idx_22;
-DROP TABLE regress_tbl_22;
-DROP VIEW regress_view_22;
-DROP ROLE regress_role_22;
+-- ok, no more owned roles remain
 DROP ROLE regress_role_7;
 -- fail, cannot drop role with remaining privileges
+RESET SESSION AUTHORIZATION;
 DROP ROLE regress_role_1;
 ERROR:  role "regress_role_1" cannot be dropped because some objects depend on it
 DETAIL:  privileges for database regression
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 71fe01ad5d..4a6f7840a2 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -39,8 +39,9 @@ CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
 CREATE ROLE regress_role_12
-  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
-  IN ROLE regress_role_6, regress_role_7, regress_role_8;
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_role_6, regress_role_7;
+COMMENT ON ROLE regress_role_12 IS 'no login test role';
 
 \du+ regress_role_6
 \du+ regress_role_7
@@ -95,15 +96,19 @@ CREATE INDEX regress_idx_22 ON regress_tbl_22(i);
 CREATE VIEW regress_view_22 AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON regress_tbl_22 FROM PUBLIC;
 
--- fail, these objects belonging to regress_role_22
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_role_7;
 DROP INDEX regress_idx_22;
 ALTER TABLE regress_tbl_22 ADD COLUMN t text;
 DROP TABLE regress_tbl_22;
+
+-- fail, not a member of target role
 ALTER VIEW regress_view_22 OWNER TO regress_role_1;
+
+-- ok
 DROP VIEW regress_view_22;
 
--- fail, cannot take ownership of these objects from regress_role_22
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
 
 -- ok, having CREATEROLE is enough to create roles in privileged roles
@@ -118,13 +123,13 @@ CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
 
--- fail, cannot take ownership of these objects from regress_role_7
-SET SESSION AUTHORIZATION regress_role_1;
-ALTER ROLE regress_role_20 OWNER TO regress_role_1;
-REASSIGN OWNED BY regress_role_20 TO regress_role_1;
-
--- superuser can do it, though
+-- fail, cannot create ownership cycles
 RESET SESSION AUTHORIZATION;
+REASSIGN OWNED BY regress_role_1 TO regress_role_22;
+ALTER ROLE regress_role_1 OWNER TO regress_role_22;
+
+-- ok, can take ownership from owned roles
+SET SESSION AUTHORIZATION regress_role_1;
 ALTER ROLE regress_role_20 OWNER TO regress_role_1;
 REASSIGN OWNED BY regress_role_20 TO regress_role_1;
 
@@ -137,10 +142,6 @@ SET SESSION AUTHORIZATION regress_role_1;
 DROP ROLE regress_role_3;
 DROP ROLE regress_role_4;
 DROP ROLE regress_role_5;
-DROP ROLE regress_role_14;
-DROP ROLE regress_role_15;
-DROP ROLE regress_role_17;
-DROP ROLE regress_role_19;
 DROP ROLE regress_role_20;
 
 -- fail, cannot drop roles that own other roles
@@ -157,6 +158,7 @@ DROP ROLE regress_role_13;
 DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
+DROP ROLE regress_role_22;
 DROP ROLE regress_role_23;
 DROP ROLE regress_role_24;
 DROP ROLE regress_role_25;
@@ -168,25 +170,15 @@ DROP ROLE regress_role_30;
 DROP ROLE regress_role_31;
 DROP ROLE regress_role_32;
 
--- fail, role still owns database objects
-DROP ROLE regress_role_22;
-
--- fail, role still owns other roles
-DROP ROLE regress_role_7;
-
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_1;
 
--- ok
-RESET SESSION AUTHORIZATION;
-DROP INDEX regress_idx_22;
-DROP TABLE regress_tbl_22;
-DROP VIEW regress_view_22;
-DROP ROLE regress_role_22;
+-- ok, no more owned roles remain
 DROP ROLE regress_role_7;
 
 -- fail, cannot drop role with remaining privileges
+RESET SESSION AUTHORIZATION;
 DROP ROLE regress_role_1;
 
 -- ok, can drop role if we revoke privileges first
-- 
2.21.1 (Apple Git-122.3)

From 070d5d472b30b31be2be4365cbfdd8353bdff2da Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 4 Jan 2022 18:53:34 -0800
Subject: [PATCH v4 4/5] Restrict power granted via CREATEROLE.

The CREATEROLE attribute no longer has anything to do with the power
to alter roles or to grant or revoke role membership, but merely the
ability to create new roles, as its name suggests.  The ability to
alter a role is based on role ownership; the ability to grant and
revoke role membership is based on having admin privilege on the
relevant role or alternatively on role ownership, as owners now
implicitly have admin privileges on roles they own.

A role must either be superuser or have the CREATEROLE attribute to
create roles.  This is unchanged from the prior behavior.  A new
principle is adopted, though, to make CREATEROLE less dangerous:  a
role may not create new roles with privileges that the creating role
lacks.  This new principle is intended to prevent privilege
escalation attacks stemming from giving CREATEROLE to a user.  This
is not backwards compatible.  The idea is to fix the CREATEROLE
privilege to not be pathway to gaining superuser, and no
non-breaking change to accomplish that is apparent.

SUPERUSER, REPLICATION, BYPASSRLS, CREATEDB, CREATEROLE and LOGIN
privilege can only be given to new roles by creators who have the
same privilege.  In the case of the CREATEROLE privilege, this is
trivially true, as the creator must necessarily have it or they
couldn't be creating the role to begin with.

The INHERIT attribute is not considered a privilege, and since a
user who belongs to a role may SET ROLE to that role and do anything
that role can do, it isn't clear that treating it as a privilege
would stop any privilege escalation attacks.

The CONNECTION LIMIT and VALID UNTIL attributes are also not
considered privileges, but this design choice is debatable.  One
could think of the ability to log in during a given window of time,
or up to a certain number of connections as a privilege, and
allowing such a restricted role to create a new role with unlimited
connections or no expiration as a privilege escalation which escapes
the intended restrictions.  However, it is just as easy to think of
these limitations as being used to guard against badly written
client programs connecting too many times, or connecting at a time
of day that is not intended.  Since it is unclear which design is
better, this commit is conservative and the handling of these
attributes is unchanged relative to prior behavior.

Since the grammar of the CREATE ROLE command allows specifying roles
into which the new role should be enrolled, and also lists of roles
which become members of the newly created role (as admin or not),
the CREATE ROLE command may now fail if the creating role has
insufficient privilege on the roles so listed.  Such failures were
not possible before, since the CREATEROLE privilege was always
sufficient.
---
 doc/src/sgml/ddl.sgml                     | 12 +--
 doc/src/sgml/ref/alter_role.sgml          | 20 ++---
 doc/src/sgml/ref/comment.sgml             |  8 +-
 doc/src/sgml/ref/create_role.sgml         | 26 +++++--
 doc/src/sgml/ref/drop_role.sgml           |  3 +-
 doc/src/sgml/ref/dropuser.sgml            |  6 +-
 doc/src/sgml/ref/grant.sgml               |  4 +-
 doc/src/sgml/user-manag.sgml              | 44 ++++++-----
 src/backend/catalog/aclchk.c              | 91 +++++++++++++++++++++++
 src/backend/commands/user.c               | 60 +++++++--------
 src/backend/utils/adt/acl.c               | 21 +-----
 src/include/utils/acl.h                   |  5 ++
 src/test/regress/expected/create_role.out | 63 ++++++----------
 src/test/regress/sql/create_role.sql      | 36 ++++-----
 14 files changed, 230 insertions(+), 169 deletions(-)

diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 64d9030652..bfdd6403cd 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -3132,9 +3132,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
            doesn't preserve that DROP.
 
            A database owner can attack the database's users via "CREATE SCHEMA
-           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;".  A
-           CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the
-           database owner attack. -->
+           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". -->
       <para>
        Constrain ordinary users to user-private schemas.  To implement this,
        first issue <literal>REVOKE CREATE ON SCHEMA public FROM
@@ -3146,9 +3144,8 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        pattern in a database where untrusted users had already logged in,
        consider auditing the public schema for objects named like objects in
        schema <literal>pg_catalog</literal>.  This pattern is a secure schema
-       usage pattern unless an untrusted user is the database owner or holds
-       the <literal>CREATEROLE</literal> privilege, in which case no secure
-       schema usage pattern exists.
+       usage pattern unless an untrusted user is the database owner, in which
+       case no secure schema usage pattern exists.
       </para>
       <para>
        If the database originated in an upgrade
@@ -3170,8 +3167,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        schema <link linkend="typeconv-func">will be unsafe or
        unreliable</link>.  If you create functions or extensions in the public
        schema, use the first pattern instead.  Otherwise, like the first
-       pattern, this is secure unless an untrusted user is the database owner
-       or holds the <literal>CREATEROLE</literal> privilege.
+       pattern, this is secure unless an untrusted user is the database owner.
       </para>
      </listitem>
 
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
index 5aa5648ae7..96e60d5a09 100644
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -70,18 +70,18 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
    <link linkend="sql-revoke"><command>REVOKE</command></link> for that.)
    Attributes not mentioned in the command retain their previous settings.
    Database superusers can change any of these settings for any role.
-   Roles having <literal>CREATEROLE</literal> privilege can change any of these
-   settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
-   and <literal>BYPASSRLS</literal>; but only for non-superuser and
-   non-replication roles.
-   Ordinary roles can only change their own password.
+   Role owners can change any of these settings on roles they own except
+   <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>, and
+   <literal>BYPASSRLS</literal>; but only for non-superuser and non-replication
+   roles, and only if the role owner does not alter the target role to have a
+   privilege which the role owner itself lacks.  Ordinary roles can only change
+   their own password.
   </para>
 
   <para>
    The second variant changes the name of the role.
    Database superusers can rename any role.
-   Roles having <literal>CREATEROLE</literal> privilege can rename non-superuser
-   roles.
+   Role owners can rename non-superuser roles they own.
    The current session user cannot be renamed.
    (Connect as a different user if you need to do that.)
    Because <literal>MD5</literal>-encrypted passwords use the role name as
@@ -114,9 +114,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
   </para>
 
   <para>
-   Superusers can change anyone's session defaults. Roles having
-   <literal>CREATEROLE</literal> privilege can change defaults for non-superuser
-   roles. Ordinary roles can only set defaults for themselves.
+   Superusers can change anyone's session defaults. Owning roles may change
+   privilege for non-superuser roles they own. Ordinary roles can only set
+   defaults for themselves.
    Certain configuration variables cannot be set this way, or can only be
    set if a superuser issues the command.  Only superusers can change a setting
    for all roles in all databases.
diff --git a/doc/src/sgml/ref/comment.sgml b/doc/src/sgml/ref/comment.sgml
index e07fc47fd3..1ba374f3a1 100644
--- a/doc/src/sgml/ref/comment.sgml
+++ b/doc/src/sgml/ref/comment.sgml
@@ -92,12 +92,8 @@ COMMENT ON
 
   <para>
    For most kinds of object, only the object's owner can set the comment.
-   Roles don't have owners, so the rule for <literal>COMMENT ON ROLE</literal> is
-   that you must be superuser to comment on a superuser role, or have the
-   <literal>CREATEROLE</literal> privilege to comment on non-superuser roles.
-   Likewise, access methods don't have owners either; you must be superuser
-   to comment on an access method.
-   Of course, a superuser can comment on anything.
+   Access methods don't have owners; you must be superuser to comment on an
+   access method.  Of course, a superuser can comment on anything.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index b6a4ea1f72..2e73102562 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -107,8 +107,10 @@ in sync when changing the above synopsis!
         <literal>CREATEDB</literal> is specified, the role being
         defined will be allowed to create new databases. Specifying
         <literal>NOCREATEDB</literal> will deny a role the ability to
-        create databases. If not specified,
-        <literal>NOCREATEDB</literal> is the default.
+        create databases. Only roles with the <literal>CREATEDB</literal>
+        attribute may create roles with the <literal>CREATEDB</literal>
+        attribute. If not specified, <literal>NOCREATEDB</literal> is the
+        default.
        </para>
       </listitem>
      </varlistentry>
@@ -120,8 +122,6 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role will be permitted to
         create new roles (that is, execute <command>CREATE ROLE</command>).
-        A role with <literal>CREATEROLE</literal> privilege can also alter
-        and drop other roles.
         If not specified,
         <literal>NOCREATEROLE</literal> is the default.
        </para>
@@ -163,6 +163,8 @@ in sync when changing the above synopsis!
         <literal>NOLOGIN</literal> is the default, except when
         <command>CREATE ROLE</command> is invoked through its alternative spelling
         <link linkend="sql-createuser"><command>CREATE USER</command></link>.
+        You must have the <literal>LOGIN</literal> attribute to create a new role
+        with the <literal>LOGIN</literal> attribute.
        </para>
       </listitem>
      </varlistentry>
@@ -194,8 +196,8 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role bypasses every row-level
         security (RLS) policy.  <literal>NOBYPASSRLS</literal> is the default.
-        You must be a superuser to create a new role having
-        the <literal>BYPASSRLS</literal> attribute.
+        You must have the <literal>BYPASSRLS</literal> attribute to create a
+        new role having the <literal>BYPASSRLS</literal> attribute.
        </para>
 
        <para>
@@ -281,6 +283,10 @@ in sync when changing the above synopsis!
         member.  (Note that there is no option to add the new role as an
         administrator; use a separate <command>GRANT</command> command to do that.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -301,6 +307,10 @@ in sync when changing the above synopsis!
         roles which are automatically added as members of the new role.
         (This in effect makes the new role a <quote>group</quote>.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -313,6 +323,10 @@ in sync when changing the above synopsis!
         OPTION</literal>, giving them the right to grant membership in this role
         to others.
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/drop_role.sgml b/doc/src/sgml/ref/drop_role.sgml
index 13dc1cc649..c3d57ee8db 100644
--- a/doc/src/sgml/ref/drop_role.sgml
+++ b/doc/src/sgml/ref/drop_role.sgml
@@ -31,8 +31,7 @@ DROP ROLE [ IF EXISTS ] <replaceable class="parameter">name</replaceable> [, ...
   <para>
    <command>DROP ROLE</command> removes the specified role(s).
    To drop a superuser role, you must be a superuser yourself;
-   to drop non-superuser roles, you must have <literal>CREATEROLE</literal>
-   privilege.
+   to drop non-superuser roles, you must own the target role.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/dropuser.sgml b/doc/src/sgml/ref/dropuser.sgml
index 81580507e8..30a99eaf68 100644
--- a/doc/src/sgml/ref/dropuser.sgml
+++ b/doc/src/sgml/ref/dropuser.sgml
@@ -35,9 +35,9 @@ PostgreSQL documentation
   <para>
    <application>dropuser</application> removes an existing
    <productname>PostgreSQL</productname> user.
-   Only superusers and users with the <literal>CREATEROLE</literal> privilege can
-   remove <productname>PostgreSQL</productname> users.  (To remove a
-   superuser, you must yourself be a superuser.)
+   A <productname>PostgreSQL</productname> user may only be removed by its
+   owner or by a superuser.  (To remove a superuser, you must yourself be a
+   superuser.)
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index a897712de2..86fc387af2 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -254,8 +254,8 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
    OPTION</literal> on itself, but it may grant or revoke membership in
    itself from a database session where the session user matches the
    role.  Database superusers can grant or revoke membership in any role
-   to anyone.  Roles having <literal>CREATEROLE</literal> privilege can grant
-   or revoke membership in any role that is not a superuser.
+   to anyone.  Roles can revoke membership in any role they own, and 
+   may grant membership in any role they own to any role they own.
   </para>
 
   <para>
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 9067be1d9c..e65b55a004 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -198,9 +198,10 @@ CREATE USER <replaceable>name</replaceable>;
         (except for superusers, since those bypass all permission
         checks). To create such a role, use <literal>CREATE ROLE
         <replaceable>name</replaceable> CREATEROLE</literal>.
-        A role with <literal>CREATEROLE</literal> privilege can alter and drop
-        other roles, too, as well as grant or revoke membership in them.
-        However, to create, alter, drop, or change membership of a
+        A role which creates a new role becomes the new role's owner, able to
+        alter or drop that new role, and sharing ownership of any additional
+        objects (including additional roles) that new role creates.
+        To create, alter, drop, or change membership of a
         superuser role, superuser status is required;
         <literal>CREATEROLE</literal> is insufficient for that.
        </para>
@@ -246,11 +247,14 @@ CREATE USER <replaceable>name</replaceable>;
 
   <tip>
    <para>
-    It is good practice to create a role that has the <literal>CREATEDB</literal>
-    and <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
+    It is good practice to create a role that has the
+    <literal>CREATEDB</literal>, <literal>LOGIN</literal> and
+    <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
     use this role for all routine management of databases and roles.  This
-    approach avoids the dangers of operating as a superuser for tasks that
-    do not really require it.
+    approach avoids the dangers of operating as a superuser for tasks that do
+    not really require it.  This role must also have
+    <literal>REPLICATION</literal> if it will create replication users, and
+    must have <literal>BYPASSRLS</literal> if it will create bypassrls users.
    </para>
   </tip>
 
@@ -387,15 +391,22 @@ RESET ROLE;
 
   <para>
    The role attributes <literal>LOGIN</literal>, <literal>SUPERUSER</literal>,
-   <literal>CREATEDB</literal>, and <literal>CREATEROLE</literal> can be thought of as
-   special privileges, but they are never inherited as ordinary privileges
-   on database objects are.  You must actually <command>SET ROLE</command> to a
-   specific role having one of these attributes in order to make use of
-   the attribute.  Continuing the above example, we might choose to
+   <literal>CREATEDB</literal>, <literal>REPLICATION</literal>,
+   <literal>BYPASSRLS</literal>, and <literal>CREATEROLE</literal> can be
+   thought of as special privileges, but they are never inherited as ordinary
+   privileges on database objects are.  You must actually <command>SET
+   ROLE</command> to a specific role having one of these attributes in order to
+   make use of the attribute.  Continuing the above example, we might choose to
    grant <literal>CREATEDB</literal> and <literal>CREATEROLE</literal> to the
-   <literal>admin</literal> role.  Then a session connecting as role <literal>joe</literal>
-   would not have these privileges immediately, only after doing
-   <command>SET ROLE admin</command>.
+   <literal>admin</literal> role.  Then a session connecting as role
+   <literal>joe</literal> would not have these privileges immediately, only
+   after doing <command>SET ROLE admin</command>.  Roles with these attributes
+   may only be created by roles which themselves have these attributes.
+   Superusers may always do so, but non-superuser roles with
+   <literal>CREATEROLE</literal> may only create new roles with
+   <literal>LOGIN</literal>, <literal>CREATEDB</literal>,
+   <literal>REPLICATION</literal>, or <literal>BYPASSRLS</literal> if they
+   themselves have the same attribute.
   </para>
 
   <para>
@@ -493,8 +504,7 @@ DROP ROLE doomed_role;
   <para>
    <productname>PostgreSQL</productname> provides a set of predefined roles
    that provide access to certain, commonly needed, privileged capabilities
-   and information.  Administrators (including roles that have the
-   <literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
+   and information.  Administrators can <command>GRANT</command> these
    roles to users and/or other roles in their environment, providing those
    users with access to the specified capabilities and information.
   </para>
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index ef36fad700..6f3434b0b7 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5493,6 +5493,97 @@ has_bypassrls_privilege(Oid roleid)
 	return result;
 }
 
+bool
+has_rolinherit_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+bool
+has_createdb_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreatedb;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+bool
+has_login_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcanlogin;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+bool
+has_replication_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+int32
+role_connection_limit(Oid roleid)
+{
+	int32		result = -1;
+	HeapTuple	utup;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolconnlimit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
 /*
  * Fetch pg_default_acl entry for given role, namespace and object type
  * (object type must be given in pg_default_acl's encoding).
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 11d5dffc90..44f3f54b15 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -58,15 +58,6 @@ static void DelRoleMems(const char *rolename, Oid roleid,
 static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
 									Oid newOwnerId);
 
-
-/* Check if current user has createrole privileges */
-static bool
-have_createrole_privilege(void)
-{
-	return has_createrole_privilege(GetUserId());
-}
-
-
 /*
  * CREATE ROLE
  */
@@ -276,24 +267,32 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	}
 	else if (isreplication)
 	{
-		if (!superuser())
+		if (!has_replication_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create replication users")));
+					 errmsg("must have replication privilege to create replication users")));
 	}
 	else if (bypassrls)
 	{
-		if (!superuser())
+		if (!has_bypassrls_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create bypassrls users")));
+					 errmsg("must have bypassrls privilege to create bypassrls users")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to create role")));
+		if (createdb && !has_createdb_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have createdb privilege to create createdb users")));
+		if (canlogin && !has_login_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have login privilege to create login users")));
 	}
 
 	/*
@@ -713,7 +712,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to change bypassrls attribute")));
 	}
-	else if (!have_createrole_privilege())
+	else if (!superuser())
 	{
 		/* We already checked issuper, isreplication, and bypassrls */
 		if (!(inherit < 0 &&
@@ -914,7 +913,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 
 		/*
 		 * To mess with a superuser you gotta be superuser; else you need
-		 * createrole, or just want to change your own settings
+		 * to own the role, or just want to change your own settings
 		 */
 		if (roleform->rolsuper)
 		{
@@ -925,8 +924,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() &&
-				!pg_role_ownercheck(roleid, GetUserId()))
+			if (!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -1039,18 +1037,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_OBJECT_IN_USE),
 					 errmsg("session user cannot be dropped")));
 
-		/*
-		 * For safety's sake, we allow createrole holders to drop ordinary
-		 * roles but not superuser roles.  This is mainly to avoid the
-		 * scenario where you accidentally drop the last superuser.
-		 */
 		if (roleform->rolsuper && !superuser())
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
-		if (!have_createrole_privilege() &&
-			!pg_role_ownercheck(roleid, GetUserId()))
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to drop role")));
@@ -1231,7 +1223,7 @@ RenameRole(const char *oldname, const char *newname)
 				 errmsg("role \"%s\" already exists", newname)));
 
 	/*
-	 * createrole is enough privilege unless you want to mess with a superuser
+	 * role ownership is enough privilege unless you want to mess with a superuser
 	 */
 	if (((Form_pg_authid) GETSTRUCT(oldtuple))->rolsuper)
 	{
@@ -1242,7 +1234,7 @@ RenameRole(const char *oldname, const char *newname)
 	}
 	else
 	{
-		if (!have_createrole_privilege())
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to rename role")));
@@ -1457,7 +1449,7 @@ AddRoleMems(const char *rolename, Oid roleid,
 		return;
 
 	/*
-	 * Check permissions: must have createrole or admin option on the role to
+	 * Check permissions: must be owner or have admin option on the role to
 	 * be changed.  To mess with a superuser role, you gotta be superuser.
 	 */
 	if (superuser_arg(roleid))
@@ -1467,9 +1459,9 @@ AddRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, grantorId) &&
 			!is_admin_of_role(grantorId, roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1645,9 +1637,9 @@ DelRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, GetUserId()) &&
 			!is_admin_of_role(GetUserId(), roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1803,7 +1795,7 @@ AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		 * roles.  Because superusers will always have this right, we need no
 		 * special case for them.
 		 */
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
 						   NameStr(authForm->rolname));
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index bcb7a50642..764a8436c5 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4656,7 +4656,7 @@ initialize_acl(void)
 		/*
 		 * In normal mode, set a callback on any syscache invalidation of rows
 		 * of pg_auth_members (for roles_is_member_of()), pg_authid (for
-		 * has_rolinherit()), or pg_database (for roles_is_member_of())
+		 * has_rolinherit_privilege()), or pg_database (for roles_is_member_of())
 		 */
 		CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
 									  RoleMembershipCacheCallback,
@@ -4690,23 +4690,6 @@ RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue)
 }
 
 
-/* Check if specified role has rolinherit set */
-static bool
-has_rolinherit(Oid roleid)
-{
-	bool		result = false;
-	HeapTuple	utup;
-
-	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
-	if (HeapTupleIsValid(utup))
-	{
-		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
-		ReleaseSysCache(utup);
-	}
-	return result;
-}
-
-
 /*
  * Get a list of roles that the specified roleid is a member of
  *
@@ -4776,7 +4759,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 		CatCList   *memlist;
 		int			i;
 
-		if (type == ROLERECURSE_PRIVS && !has_rolinherit(memberid))
+		if (type == ROLERECURSE_PRIVS && !has_rolinherit_privilege(memberid))
 			continue;			/* ignore non-inheriting roles */
 
 		/* Find roles that memberid is directly a member of */
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 7f20aaa9f2..a6a72af5c1 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -320,5 +320,10 @@ extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
 extern bool pg_role_ownercheck(Oid role_oid, Oid roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
+extern bool has_rolinherit_privilege(Oid roleid);
+extern bool has_createdb_privilege(Oid roleid);
+extern bool has_login_privilege(Oid roleid);
+extern bool has_replication_privilege(Oid roleid);
+extern int32 role_connection_limit(Oid roleid);
 
 #endif							/* ACL_H */
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index b6cc68eed5..89aaa9969b 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -6,22 +6,16 @@ GRANT CREATE ON DATABASE regression TO regress_role_1;
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_2 SUPERUSER;
 ERROR:  must be superuser to create superusers
+-- ok, can assign privileges the creator has
 CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
-ERROR:  must be superuser to create replication users
 CREATE ROLE regress_role_4 REPLICATION;
-ERROR:  must be superuser to create replication users
 CREATE ROLE regress_role_5 BYPASSRLS;
-ERROR:  must be superuser to create bypassrls users
 -- fail, only superusers can own superusers
 RESET SESSION AUTHORIZATION;
 CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
 ERROR:  must be superuser to own superusers
 -- ok, superuser can create superusers belonging to other superusers
 CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
--- ok, superuser can create users with these privileges for normal role
-CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
-CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
-CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
 \du+ regress_role_2
                                       List of roles
    Role name    |       Owner        |       Attributes        | Member of | Description 
@@ -53,7 +47,10 @@ ERROR:  role may not own itself
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_role_8 LOGIN;
+ERROR:  must have login privilege to create login users
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
@@ -73,12 +70,6 @@ COMMENT ON ROLE regress_role_12 IS 'no login test role';
 ----------------+----------------+---------------------------+-----------+-------------
  regress_role_7 | regress_role_1 | Create role, Cannot login | {}        | 
 
-\du+ regress_role_8
-                             List of roles
-   Role name    |     Owner      | Attributes | Member of | Description 
-----------------+----------------+------------+-----------+-------------
- regress_role_8 | regress_role_1 |            | {}        | 
-
 \du+ regress_role_9
                               List of roles
    Role name    |     Owner      |  Attributes  | Member of | Description 
@@ -111,19 +102,19 @@ NOTICE:  SYSID can no longer be specified
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_role_14 IN ROLE regress_role_super;
 ERROR:  must be superuser to alter superusers
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
-ERROR:  role "pg_database_owner" cannot have explicit members
+ERROR:  must have admin option on role "pg_database_owner"
 -- ok, can grant other users into a role
 CREATE ROLE regress_role_16 ROLE
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 -- fail, cannot grant a role into itself
 CREATE ROLE regress_role_17 ROLE regress_role_17;
 ERROR:  role "regress_role_17" is a member of role "regress_role_17"
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_role_18 ADMIN
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 -- fail, cannot grant a role into itself with admin option
 CREATE ROLE regress_role_19 ADMIN regress_role_19;
@@ -136,8 +127,11 @@ ERROR:  permission denied to create database
 CREATE ROLE regress_role_20;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_role_21 CREATEROLE;
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+ERROR:  must have createdb privilege to create createdb users
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_role_22 CREATEROLE INHERIT CONNECTION LIMIT 5;
 -- ok, regress_role_22 can create objects within the database
 SET SESSION AUTHORIZATION regress_role_22;
 CREATE TABLE regress_tbl_22 (i integer);
@@ -156,17 +150,27 @@ ERROR:  must be member of role "regress_role_1"
 DROP VIEW regress_view_22;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
+ERROR:  must have admin option on role "pg_read_all_data"
 CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
+ERROR:  must have admin option on role "pg_write_all_data"
 CREATE ROLE regress_role_25 IN ROLE pg_monitor;
+ERROR:  must have admin option on role "pg_monitor"
 CREATE ROLE regress_role_26 IN ROLE pg_read_all_settings;
+ERROR:  must have admin option on role "pg_read_all_settings"
 CREATE ROLE regress_role_27 IN ROLE pg_read_all_stats;
+ERROR:  must have admin option on role "pg_read_all_stats"
 CREATE ROLE regress_role_28 IN ROLE pg_stat_scan_tables;
+ERROR:  must have admin option on role "pg_stat_scan_tables"
 CREATE ROLE regress_role_29 IN ROLE pg_read_server_files;
+ERROR:  must have admin option on role "pg_read_server_files"
 CREATE ROLE regress_role_30 IN ROLE pg_write_server_files;
+ERROR:  must have admin option on role "pg_write_server_files"
 CREATE ROLE regress_role_31 IN ROLE pg_execute_server_program;
+ERROR:  must have admin option on role "pg_execute_server_program"
 CREATE ROLE regress_role_32 IN ROLE pg_signal_backend;
+ERROR:  must have admin option on role "pg_signal_backend"
 -- fail, cannot create ownership cycles
 RESET SESSION AUTHORIZATION;
 REASSIGN OWNED BY regress_role_1 TO regress_role_22;
@@ -191,19 +195,8 @@ DROP ROLE regress_role_7;
 ERROR:  role "regress_role_7" cannot be dropped because some objects depend on it
 DETAIL:  owner of role regress_role_21
 owner of role regress_role_22
-owner of role regress_role_23
-owner of role regress_role_24
-owner of role regress_role_25
-owner of role regress_role_26
-owner of role regress_role_27
-owner of role regress_role_28
-owner of role regress_role_29
-owner of role regress_role_30
-owner of role regress_role_31
-owner of role regress_role_32
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_role_6;
-DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
 DROP ROLE regress_role_11;
@@ -213,16 +206,6 @@ DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
 DROP ROLE regress_role_22;
-DROP ROLE regress_role_23;
-DROP ROLE regress_role_24;
-DROP ROLE regress_role_25;
-DROP ROLE regress_role_26;
-DROP ROLE regress_role_27;
-DROP ROLE regress_role_28;
-DROP ROLE regress_role_29;
-DROP ROLE regress_role_30;
-DROP ROLE regress_role_31;
-DROP ROLE regress_role_32;
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 4a6f7840a2..11cf26dd82 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -6,6 +6,8 @@ GRANT CREATE ON DATABASE regression TO regress_role_1;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_2 SUPERUSER;
+
+-- ok, can assign privileges the creator has
 CREATE ROLE regress_role_3 REPLICATION BYPASSRLS;
 CREATE ROLE regress_role_4 REPLICATION;
 CREATE ROLE regress_role_5 BYPASSRLS;
@@ -17,11 +19,6 @@ CREATE ROLE regress_role_2 AUTHORIZATION regress_role_1 SUPERUSER;
 -- ok, superuser can create superusers belonging to other superusers
 CREATE ROLE regress_role_2 AUTHORIZATION regress_role_super SUPERUSER;
 
--- ok, superuser can create users with these privileges for normal role
-CREATE ROLE regress_role_3 AUTHORIZATION regress_role_1 REPLICATION BYPASSRLS;
-CREATE ROLE regress_role_4 AUTHORIZATION regress_role_1 REPLICATION;
-CREATE ROLE regress_role_5 AUTHORIZATION regress_role_1 BYPASSRLS;
-
 \du+ regress_role_2
 \du+ regress_role_3
 \du+ regress_role_4
@@ -34,7 +31,11 @@ ALTER ROLE regress_role_5 OWNER TO regress_role_5;
 SET SESSION AUTHORIZATION regress_role_1;
 CREATE ROLE regress_role_6 CREATEDB;
 CREATE ROLE regress_role_7 CREATEROLE;
+
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_role_8 LOGIN;
+
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_role_9 INHERIT;
 CREATE ROLE regress_role_10 CONNECTION LIMIT 5;
 CREATE ROLE regress_role_11 PASSWORD NULL;
@@ -45,7 +46,6 @@ COMMENT ON ROLE regress_role_12 IS 'no login test role';
 
 \du+ regress_role_6
 \du+ regress_role_7
-\du+ regress_role_8
 \du+ regress_role_9
 \du+ regress_role_10
 \du+ regress_role_11
@@ -57,12 +57,12 @@ CREATE ROLE regress_role_13 SYSID 12345;
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_role_14 IN ROLE regress_role_super;
 
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_role_15 IN ROLE pg_database_owner;
 
 -- ok, can grant other users into a role
 CREATE ROLE regress_role_16 ROLE
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 
 -- fail, cannot grant a role into itself
@@ -70,7 +70,7 @@ CREATE ROLE regress_role_17 ROLE regress_role_17;
 
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_role_18 ADMIN
-	regress_role_super, regress_role_6, regress_role_7, regress_role_8,
+	regress_role_super, regress_role_6, regress_role_7,
 	regress_role_9, regress_role_10, regress_role_11, regress_role_12;
 
 -- fail, cannot grant a role into itself with admin option
@@ -86,9 +86,12 @@ CREATE ROLE regress_role_20;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_role_21 CREATEROLE;
 
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_role_22 CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
 
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_role_22 CREATEROLE INHERIT CONNECTION LIMIT 5;
+
 -- ok, regress_role_22 can create objects within the database
 SET SESSION AUTHORIZATION regress_role_22;
 CREATE TABLE regress_tbl_22 (i integer);
@@ -111,7 +114,7 @@ DROP VIEW regress_view_22;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_role_22 TO regress_role_7;
 
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_role_23 IN ROLE pg_read_all_data;
 CREATE ROLE regress_role_24 IN ROLE pg_write_all_data;
 CREATE ROLE regress_role_25 IN ROLE pg_monitor;
@@ -149,7 +152,6 @@ DROP ROLE regress_role_7;
 
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_role_6;
-DROP ROLE regress_role_8;
 DROP ROLE regress_role_9;
 DROP ROLE regress_role_10;
 DROP ROLE regress_role_11;
@@ -159,16 +161,6 @@ DROP ROLE regress_role_16;
 DROP ROLE regress_role_18;
 DROP ROLE regress_role_21;
 DROP ROLE regress_role_22;
-DROP ROLE regress_role_23;
-DROP ROLE regress_role_24;
-DROP ROLE regress_role_25;
-DROP ROLE regress_role_26;
-DROP ROLE regress_role_27;
-DROP ROLE regress_role_28;
-DROP ROLE regress_role_29;
-DROP ROLE regress_role_30;
-DROP ROLE regress_role_31;
-DROP ROLE regress_role_32;
 
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
-- 
2.21.1 (Apple Git-122.3)

From 3ce6981776a708f4c865e04cfb05b0357f39c1d6 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 4 Jan 2022 19:51:44 -0800
Subject: [PATCH v4 5/5] Remove grantor field from pg_auth_members

The "grantor" field of pg_auth_members is unused and, more to the
point, unreliable.  The system does not avoid dangling references
from the grantor field to dropped roles in pg_authid.  This creates
the risk that, if an oid is reused for a new role, the grantor field
may point to a role other than the one that performed the grant.

We could fix the bug, but there is no clear solution to the problem
that existing installations may have broken data.  Since the field
is not used for any purpose, removing it seems the best option.
---
 src/backend/commands/user.c            | 17 -----------------
 src/bin/pg_dump/pg_dumpall.c           | 17 ++---------------
 src/include/catalog/pg_auth_members.h  |  1 -
 src/test/regress/expected/oidjoins.out |  1 -
 4 files changed, 2 insertions(+), 34 deletions(-)

diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 44f3f54b15..c70ee87f9d 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -1481,21 +1481,6 @@ AddRoleMems(const char *rolename, Oid roleid,
 		ereport(ERROR,
 				errmsg("role \"%s\" cannot have explicit members", rolename));
 
-	/*
-	 * The role membership grantor of record has little significance at
-	 * present.  Nonetheless, inasmuch as users might look to it for a crude
-	 * audit trail, let only superusers impute the grant to a third party.
-	 *
-	 * Before lifting this restriction, give the member == role case of
-	 * is_admin_of_role() a fresh look.  Ensure that the current role cannot
-	 * use an explicit grantor specification to take advantage of the session
-	 * user's self-admin right.
-	 */
-	if (grantorId != GetUserId() && !superuser())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("must be superuser to set grantor")));
-
 	pg_authmem_rel = table_open(AuthMemRelationId, RowExclusiveLock);
 	pg_authmem_dsc = RelationGetDescr(pg_authmem_rel);
 
@@ -1571,12 +1556,10 @@ AddRoleMems(const char *rolename, Oid roleid,
 
 		new_record[Anum_pg_auth_members_roleid - 1] = ObjectIdGetDatum(roleid);
 		new_record[Anum_pg_auth_members_member - 1] = ObjectIdGetDatum(memberid);
-		new_record[Anum_pg_auth_members_grantor - 1] = ObjectIdGetDatum(grantorId);
 		new_record[Anum_pg_auth_members_admin_option - 1] = BoolGetDatum(admin_opt);
 
 		if (HeapTupleIsValid(authmem_tuple))
 		{
-			new_record_repl[Anum_pg_auth_members_grantor - 1] = true;
 			new_record_repl[Anum_pg_auth_members_admin_option - 1] = true;
 			tuple = heap_modify_tuple(authmem_tuple, pg_authmem_dsc,
 									  new_record,
diff --git a/src/bin/pg_dump/pg_dumpall.c b/src/bin/pg_dump/pg_dumpall.c
index 9ff0c091a9..a20778299d 100644
--- a/src/bin/pg_dump/pg_dumpall.c
+++ b/src/bin/pg_dump/pg_dumpall.c
@@ -940,14 +940,12 @@ dumpRoleMembership(PGconn *conn)
 
 	printfPQExpBuffer(buf, "SELECT ur.rolname AS roleid, "
 					  "um.rolname AS member, "
-					  "a.admin_option, "
-					  "ug.rolname AS grantor "
+					  "a.admin_option "
 					  "FROM pg_auth_members a "
 					  "LEFT JOIN %s ur on ur.oid = a.roleid "
 					  "LEFT JOIN %s um on um.oid = a.member "
-					  "LEFT JOIN %s ug on ug.oid = a.grantor "
 					  "WHERE NOT (ur.rolname ~ '^pg_' AND um.rolname ~ '^pg_')"
-					  "ORDER BY 1,2,3", role_catalog, role_catalog, role_catalog);
+					  "ORDER BY 1,2,3", role_catalog, role_catalog);
 	res = executeQuery(conn, buf->data);
 
 	if (PQntuples(res) > 0)
@@ -963,17 +961,6 @@ dumpRoleMembership(PGconn *conn)
 		fprintf(OPF, " TO %s", fmtId(member));
 		if (*option == 't')
 			fprintf(OPF, " WITH ADMIN OPTION");
-
-		/*
-		 * We don't track the grantor very carefully in the backend, so cope
-		 * with the possibility that it has been dropped.
-		 */
-		if (!PQgetisnull(res, i, 3))
-		{
-			char	   *grantor = PQgetvalue(res, i, 3);
-
-			fprintf(OPF, " GRANTED BY %s", fmtId(grantor));
-		}
 		fprintf(OPF, ";\n");
 	}
 
diff --git a/src/include/catalog/pg_auth_members.h b/src/include/catalog/pg_auth_members.h
index b9d3ffd1c5..21b805f6de 100644
--- a/src/include/catalog/pg_auth_members.h
+++ b/src/include/catalog/pg_auth_members.h
@@ -31,7 +31,6 @@ CATALOG(pg_auth_members,1261,AuthMemRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_
 {
 	Oid			roleid BKI_LOOKUP(pg_authid);	/* ID of a role */
 	Oid			member BKI_LOOKUP(pg_authid);	/* ID of a member of that role */
-	Oid			grantor BKI_LOOKUP(pg_authid);	/* who granted the membership */
 	bool		admin_option;	/* granted with admin option? */
 } FormData_pg_auth_members;
 
diff --git a/src/test/regress/expected/oidjoins.out b/src/test/regress/expected/oidjoins.out
index 266a30a85b..a6a73df7ff 100644
--- a/src/test/regress/expected/oidjoins.out
+++ b/src/test/regress/expected/oidjoins.out
@@ -197,7 +197,6 @@ NOTICE:  checking pg_tablespace {spcowner} => pg_authid {oid}
 NOTICE:  checking pg_authid {rolowner} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {roleid} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {member} => pg_authid {oid}
-NOTICE:  checking pg_auth_members {grantor} => pg_authid {oid}
 NOTICE:  checking pg_shdepend {dbid} => pg_database {oid}
 NOTICE:  checking pg_shdepend {classid} => pg_class {oid}
 NOTICE:  checking pg_shdepend {refclassid} => pg_class {oid}
-- 
2.21.1 (Apple Git-122.3)

From 11f8a16020547d2cb95a750b4f9c92303726a132 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 11 Jan 2022 11:14:23 -0800
Subject: [PATCH v5 1/5] Add tests of the CREATEROLE attribute.

While developing alternate rules for what privileges CREATEROLE has,
I noticed that none of the changes to how CREATEROLE works triggered
any regression test failures.  This is problematic for two reasons.
It means the existing code has insufficient test coverage, and it
means that unintended changes introduced by subsequent patches may
go unnoticed.  Fix that.
---
 src/test/regress/expected/create_role.out | 145 ++++++++++++++++++++++
 src/test/regress/parallel_schedule        |   2 +-
 src/test/regress/sql/create_role.sql      | 138 ++++++++++++++++++++
 3 files changed, 284 insertions(+), 1 deletion(-)
 create mode 100644 src/test/regress/expected/create_role.out
 create mode 100644 src/test/regress/sql/create_role.sql

diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
new file mode 100644
index 0000000000..4e67d72760
--- /dev/null
+++ b/src/test/regress/expected/create_role.out
@@ -0,0 +1,145 @@
+-- ok, superuser can create users with any set of privileges
+CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+-- fail, only superusers can create users with these privileges
+SET SESSION AUTHORIZATION regress_role_admin;
+CREATE ROLE regress_nosuch_superuser SUPERUSER;
+ERROR:  must be superuser to create superusers
+CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
+ERROR:  must be superuser to create replication users
+CREATE ROLE regress_nosuch_replication REPLICATION;
+ERROR:  must be superuser to create replication users
+CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
+ERROR:  must be superuser to create bypassrls users
+-- ok, having CREATEROLE is enough to create users with these privileges
+CREATE ROLE regress_createdb CREATEDB;
+CREATE ROLE regress_createrole CREATEROLE;
+CREATE ROLE regress_login LOGIN;
+CREATE ROLE regress_inherit INHERIT;
+CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
+CREATE ROLE regress_encrypted_password ENCRYPTED PASSWORD 'foo';
+CREATE ROLE regress_password_null PASSWORD NULL;
+-- ok, backwards compatible noise words should be ignored
+CREATE ROLE regress_noiseword SYSID 12345;
+NOTICE:  SYSID can no longer be specified
+-- fail, cannot grant membership in superuser role
+CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
+ERROR:  must be superuser to alter superusers
+-- fail, database owner cannot have members
+CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
+ERROR:  role "pg_database_owner" cannot have explicit members
+-- ok, can grant other users into a role
+CREATE ROLE regress_inroles ROLE
+	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
+-- fail, cannot grant a role into itself
+CREATE ROLE regress_nosuch_recursive ROLE regress_nosuch_recursive;
+ERROR:  role "regress_nosuch_recursive" is a member of role "regress_nosuch_recursive"
+-- ok, can grant other users into a role with admin option
+CREATE ROLE regress_adminroles ADMIN
+	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
+-- fail, cannot grant a role into itself with admin option
+CREATE ROLE regress_nosuch_admin_recursive ADMIN regress_nosuch_admin_recursive;
+ERROR:  role "regress_nosuch_admin_recursive" is a member of role "regress_nosuch_admin_recursive"
+-- fail, regress_createrole does not have CREATEDB privilege
+SET SESSION AUTHORIZATION regress_createrole;
+CREATE DATABASE regress_nosuch_db;
+ERROR:  permission denied to create database
+-- ok, regress_createrole can create new roles
+CREATE ROLE regress_plainrole;
+-- ok, roles with CREATEROLE can create new roles with it
+CREATE ROLE regress_rolecreator CREATEROLE;
+-- ok, roles with CREATEROLE can create new roles with privilege they lack
+CREATE ROLE regress_tenant CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+-- ok, regress_tenant can create objects within the database
+SET SESSION AUTHORIZATION regress_tenant;
+CREATE TABLE tenant_table (i integer);
+CREATE INDEX tenant_idx ON tenant_table(i);
+CREATE VIEW tenant_view AS SELECT * FROM pg_catalog.pg_class;
+REVOKE ALL PRIVILEGES ON tenant_table FROM PUBLIC;
+-- fail, these objects belonging to regress_tenant
+SET SESSION AUTHORIZATION regress_createrole;
+DROP INDEX tenant_idx;
+ERROR:  must be owner of index tenant_idx
+ALTER TABLE tenant_table ADD COLUMN t text;
+ERROR:  must be owner of table tenant_table
+DROP TABLE tenant_table;
+ERROR:  must be owner of table tenant_table
+ALTER VIEW tenant_view OWNER TO regress_role_admin;
+ERROR:  must be owner of view tenant_view
+DROP VIEW tenant_view;
+ERROR:  must be owner of view tenant_view
+-- fail, cannot take ownership of these objects from regress_tenant
+REASSIGN OWNED BY regress_tenant TO regress_createrole;
+ERROR:  permission denied to reassign objects
+-- ok, having CREATEROLE is enough to create roles in privileged roles
+CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
+CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
+CREATE ROLE regress_monitor IN ROLE pg_monitor;
+CREATE ROLE regress_read_all_settings IN ROLE pg_read_all_settings;
+CREATE ROLE regress_read_all_stats IN ROLE pg_read_all_stats;
+CREATE ROLE regress_stat_scan_tables IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
+CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
+CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
+CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
+-- fail, creation of these roles failed above so they do not now exist
+SET SESSION AUTHORIZATION regress_role_admin;
+DROP ROLE regress_nosuch_superuser;
+ERROR:  role "regress_nosuch_superuser" does not exist
+DROP ROLE regress_nosuch_replication_bypassrls;
+ERROR:  role "regress_nosuch_replication_bypassrls" does not exist
+DROP ROLE regress_nosuch_replication;
+ERROR:  role "regress_nosuch_replication" does not exist
+DROP ROLE regress_nosuch_bypassrls;
+ERROR:  role "regress_nosuch_bypassrls" does not exist
+DROP ROLE regress_nosuch_super;
+ERROR:  role "regress_nosuch_super" does not exist
+DROP ROLE regress_nosuch_dbowner;
+ERROR:  role "regress_nosuch_dbowner" does not exist
+DROP ROLE regress_nosuch_recursive;
+ERROR:  role "regress_nosuch_recursive" does not exist
+DROP ROLE regress_nosuch_admin_recursive;
+ERROR:  role "regress_nosuch_admin_recursive" does not exist
+DROP ROLE regress_plainrole;
+-- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_createdb;
+DROP ROLE regress_createrole;
+DROP ROLE regress_login;
+DROP ROLE regress_inherit;
+DROP ROLE regress_connection_limit;
+DROP ROLE regress_encrypted_password;
+DROP ROLE regress_password_null;
+DROP ROLE regress_noiseword;
+DROP ROLE regress_inroles;
+DROP ROLE regress_adminroles;
+DROP ROLE regress_rolecreator;
+DROP ROLE regress_read_all_data;
+DROP ROLE regress_write_all_data;
+DROP ROLE regress_monitor;
+DROP ROLE regress_read_all_settings;
+DROP ROLE regress_read_all_stats;
+DROP ROLE regress_stat_scan_tables;
+DROP ROLE regress_read_server_files;
+DROP ROLE regress_write_server_files;
+DROP ROLE regress_execute_server_program;
+DROP ROLE regress_signal_backend;
+-- fail, role still owns database objects
+DROP ROLE regress_tenant;
+ERROR:  role "regress_tenant" cannot be dropped because some objects depend on it
+DETAIL:  owner of table tenant_table
+owner of view tenant_view
+-- fail, cannot drop ourself nor superusers
+DROP ROLE regress_role_super;
+ERROR:  must be superuser to drop superusers
+DROP ROLE regress_role_admin;
+ERROR:  current user cannot be dropped
+-- ok
+RESET SESSION AUTHORIZATION;
+DROP INDEX tenant_idx;
+DROP TABLE tenant_table;
+DROP VIEW tenant_view;
+DROP ROLE regress_tenant;
+DROP ROLE regress_role_admin;
+DROP ROLE regress_role_super;
diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule
index 5b0c73d7e3..861c30a73a 100644
--- a/src/test/regress/parallel_schedule
+++ b/src/test/regress/parallel_schedule
@@ -89,7 +89,7 @@ test: brin_bloom brin_multi
 # ----------
 # Another group of parallel tests
 # ----------
-test: create_table_like alter_generic alter_operator misc async dbsize misc_functions sysviews tsrf tid tidscan tidrangescan collate.icu.utf8 incremental_sort
+test: create_table_like alter_generic alter_operator misc async dbsize misc_functions sysviews tsrf tid tidscan tidrangescan collate.icu.utf8 incremental_sort create_role
 
 # rules cannot run concurrently with any test that creates
 # a view or rule in the public schema
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
new file mode 100644
index 0000000000..292dc08797
--- /dev/null
+++ b/src/test/regress/sql/create_role.sql
@@ -0,0 +1,138 @@
+-- ok, superuser can create users with any set of privileges
+CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+
+-- fail, only superusers can create users with these privileges
+SET SESSION AUTHORIZATION regress_role_admin;
+CREATE ROLE regress_nosuch_superuser SUPERUSER;
+CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
+CREATE ROLE regress_nosuch_replication REPLICATION;
+CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
+
+-- ok, having CREATEROLE is enough to create users with these privileges
+CREATE ROLE regress_createdb CREATEDB;
+CREATE ROLE regress_createrole CREATEROLE;
+CREATE ROLE regress_login LOGIN;
+CREATE ROLE regress_inherit INHERIT;
+CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
+CREATE ROLE regress_encrypted_password ENCRYPTED PASSWORD 'foo';
+CREATE ROLE regress_password_null PASSWORD NULL;
+
+-- ok, backwards compatible noise words should be ignored
+CREATE ROLE regress_noiseword SYSID 12345;
+
+-- fail, cannot grant membership in superuser role
+CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
+
+-- fail, database owner cannot have members
+CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
+
+-- ok, can grant other users into a role
+CREATE ROLE regress_inroles ROLE
+	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
+
+-- fail, cannot grant a role into itself
+CREATE ROLE regress_nosuch_recursive ROLE regress_nosuch_recursive;
+
+-- ok, can grant other users into a role with admin option
+CREATE ROLE regress_adminroles ADMIN
+	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
+
+-- fail, cannot grant a role into itself with admin option
+CREATE ROLE regress_nosuch_admin_recursive ADMIN regress_nosuch_admin_recursive;
+
+-- fail, regress_createrole does not have CREATEDB privilege
+SET SESSION AUTHORIZATION regress_createrole;
+CREATE DATABASE regress_nosuch_db;
+
+-- ok, regress_createrole can create new roles
+CREATE ROLE regress_plainrole;
+
+-- ok, roles with CREATEROLE can create new roles with it
+CREATE ROLE regress_rolecreator CREATEROLE;
+
+-- ok, roles with CREATEROLE can create new roles with privilege they lack
+CREATE ROLE regress_tenant CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+
+-- ok, regress_tenant can create objects within the database
+SET SESSION AUTHORIZATION regress_tenant;
+CREATE TABLE tenant_table (i integer);
+CREATE INDEX tenant_idx ON tenant_table(i);
+CREATE VIEW tenant_view AS SELECT * FROM pg_catalog.pg_class;
+REVOKE ALL PRIVILEGES ON tenant_table FROM PUBLIC;
+
+-- fail, these objects belonging to regress_tenant
+SET SESSION AUTHORIZATION regress_createrole;
+DROP INDEX tenant_idx;
+ALTER TABLE tenant_table ADD COLUMN t text;
+DROP TABLE tenant_table;
+ALTER VIEW tenant_view OWNER TO regress_role_admin;
+DROP VIEW tenant_view;
+
+-- fail, cannot take ownership of these objects from regress_tenant
+REASSIGN OWNED BY regress_tenant TO regress_createrole;
+
+-- ok, having CREATEROLE is enough to create roles in privileged roles
+CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
+CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
+CREATE ROLE regress_monitor IN ROLE pg_monitor;
+CREATE ROLE regress_read_all_settings IN ROLE pg_read_all_settings;
+CREATE ROLE regress_read_all_stats IN ROLE pg_read_all_stats;
+CREATE ROLE regress_stat_scan_tables IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
+CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
+CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
+CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
+
+-- fail, creation of these roles failed above so they do not now exist
+SET SESSION AUTHORIZATION regress_role_admin;
+DROP ROLE regress_nosuch_superuser;
+DROP ROLE regress_nosuch_replication_bypassrls;
+DROP ROLE regress_nosuch_replication;
+DROP ROLE regress_nosuch_bypassrls;
+DROP ROLE regress_nosuch_super;
+DROP ROLE regress_nosuch_dbowner;
+DROP ROLE regress_nosuch_recursive;
+DROP ROLE regress_nosuch_admin_recursive;
+DROP ROLE regress_plainrole;
+
+-- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_createdb;
+DROP ROLE regress_createrole;
+DROP ROLE regress_login;
+DROP ROLE regress_inherit;
+DROP ROLE regress_connection_limit;
+DROP ROLE regress_encrypted_password;
+DROP ROLE regress_password_null;
+DROP ROLE regress_noiseword;
+DROP ROLE regress_inroles;
+DROP ROLE regress_adminroles;
+DROP ROLE regress_rolecreator;
+DROP ROLE regress_read_all_data;
+DROP ROLE regress_write_all_data;
+DROP ROLE regress_monitor;
+DROP ROLE regress_read_all_settings;
+DROP ROLE regress_read_all_stats;
+DROP ROLE regress_stat_scan_tables;
+DROP ROLE regress_read_server_files;
+DROP ROLE regress_write_server_files;
+DROP ROLE regress_execute_server_program;
+DROP ROLE regress_signal_backend;
+
+-- fail, role still owns database objects
+DROP ROLE regress_tenant;
+
+-- fail, cannot drop ourself nor superusers
+DROP ROLE regress_role_super;
+DROP ROLE regress_role_admin;
+
+-- ok
+RESET SESSION AUTHORIZATION;
+DROP INDEX tenant_idx;
+DROP TABLE tenant_table;
+DROP VIEW tenant_view;
+DROP ROLE regress_tenant;
+DROP ROLE regress_role_admin;
+DROP ROLE regress_role_super;
-- 
2.21.1 (Apple Git-122.3)

From 83dea225a5baac7efd05e9b835055c031a290c2d Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 11 Jan 2022 11:15:02 -0800
Subject: [PATCH v5 2/5] Add owners to roles

All roles now have owners.  By default, roles belong to the role
that created them, and initdb-time roles are owned by POSTGRES.

This is a preparatory patch for changing how CREATEROLE works.
---
 src/backend/catalog/aclchk.c                  |  59 ++++++-
 src/backend/catalog/pg_shdepend.c             |   5 +
 src/backend/catalog/system_views.sql          |   1 +
 src/backend/commands/alter.c                  |   3 +
 src/backend/commands/user.c                   | 148 +++++++++++++++++-
 src/backend/nodes/copyfuncs.c                 |   1 +
 src/backend/nodes/equalfuncs.c                |   1 +
 src/backend/parser/gram.y                     |  23 +++
 src/bin/psql/describe.c                       |  12 ++
 src/include/catalog/pg_authid.h               |   1 +
 src/include/commands/user.h                   |   2 +
 src/include/nodes/parsenodes.h                |   1 +
 src/include/utils/acl.h                       |   1 +
 .../unsafe_tests/expected/rolenames.out       |   6 +-
 .../modules/unsafe_tests/sql/rolenames.sql    |   3 +-
 src/test/regress/expected/create_role.out     | 136 ++++++++++++++--
 src/test/regress/expected/oidjoins.out        |   1 +
 src/test/regress/expected/privileges.out      |   9 +-
 src/test/regress/expected/rules.out           |   1 +
 src/test/regress/sql/create_role.sql          |  67 +++++++-
 src/test/regress/sql/privileges.sql           |  10 +-
 21 files changed, 470 insertions(+), 21 deletions(-)

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 1dd03a8e51..e5c7324340 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -3385,6 +3385,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("permission denied for publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("permission denied for role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("permission denied for routine %s");
 						break;
@@ -3429,7 +3432,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_RULE:
 					case OBJECT_TABCONSTRAINT:
 					case OBJECT_TRANSFORM:
@@ -3511,6 +3513,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("must be owner of publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("must be owner of role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("must be owner of routine %s");
 						break;
@@ -3569,7 +3574,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_TRANSFORM:
 					case OBJECT_TSPARSER:
 					case OBJECT_TSTEMPLATE:
@@ -5430,6 +5434,57 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 	return has_privs_of_role(roleid, ownerId);
 }
 
+/*
+ * Ownership check for a role (specified by OID)
+ */
+bool
+pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid)
+{
+	HeapTuple		tuple;
+	Form_pg_authid	authform;
+	Oid				owner_oid;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(owner_roleid))
+		return true;
+
+	/* Otherwise, look up the owner of the role */
+	tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(owned_role_oid));
+	if (!HeapTupleIsValid(tuple))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role with OID %u does not exist",
+						owned_role_oid)));
+	authform = (Form_pg_authid) GETSTRUCT(tuple);
+	owner_oid = authform->rolowner;
+
+	/*
+	 * Roles must necessarily have owners.  Even the bootstrap user has an
+	 * owner.  (It owns itself).  Other roles must form a proper tree.
+	 */
+	if (!OidIsValid(owner_oid))
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u has invalid owner",
+						authform->rolname.data, authform->oid)));
+	if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+		authform->rolowner == authform->oid)
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u owns itself",
+						authform->rolname.data, authform->oid)));
+	if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+		authform->rolowner != BOOTSTRAP_SUPERUSERID)
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+						authform->rolname.data, authform->oid,
+						authform->rolowner)));
+	ReleaseSysCache(tuple);
+
+	return (owner_oid == owner_roleid);
+}
+
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
  *
diff --git a/src/backend/catalog/pg_shdepend.c b/src/backend/catalog/pg_shdepend.c
index 3e8fa008b9..52f69ad76e 100644
--- a/src/backend/catalog/pg_shdepend.c
+++ b/src/backend/catalog/pg_shdepend.c
@@ -61,6 +61,7 @@
 #include "commands/tablecmds.h"
 #include "commands/tablespace.h"
 #include "commands/typecmds.h"
+#include "commands/user.h"
 #include "miscadmin.h"
 #include "storage/lmgr.h"
 #include "utils/acl.h"
@@ -1578,6 +1579,10 @@ shdepReassignOwned(List *roleids, Oid newrole)
 					AlterSubscriptionOwner_oid(sdepForm->objid, newrole);
 					break;
 
+				case AuthIdRelationId:
+					AlterRoleOwner_oid(sdepForm->objid, newrole);
+					break;
+
 					/* Generic alter owner cases */
 				case CollationRelationId:
 				case ConversionRelationId:
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index 701ff38f76..af08b69864 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -17,6 +17,7 @@
 CREATE VIEW pg_roles AS
     SELECT
         rolname,
+        pg_get_userbyid(rolowner) AS rolowner,
         rolsuper,
         rolinherit,
         rolcreaterole,
diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
index 1f64c8aa51..e6c7c84c87 100644
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@@ -840,6 +840,9 @@ ExecAlterOwnerStmt(AlterOwnerStmt *stmt)
 		case OBJECT_DATABASE:
 			return AlterDatabaseOwner(strVal(stmt->object), newowner);
 
+		case OBJECT_ROLE:
+			return AlterRoleOwner(strVal(stmt->object), newowner);
+
 		case OBJECT_SCHEMA:
 			return AlterSchemaOwner(strVal(stmt->object), newowner);
 
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 3b512a84b3..a4e2223a2d 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -55,6 +55,8 @@ static void AddRoleMems(const char *rolename, Oid roleid,
 static void DelRoleMems(const char *rolename, Oid roleid,
 						List *memberSpecs, List *memberIds,
 						bool admin_opt);
+static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
+									Oid newOwnerId);
 
 
 /* Check if current user has createrole privileges */
@@ -77,6 +79,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	Datum		new_record[Natts_pg_authid];
 	bool		new_record_nulls[Natts_pg_authid];
 	Oid			roleid;
+	Oid			owner_uid;
+	Oid			saved_uid;
+	int			save_sec_context;
 	ListCell   *item;
 	ListCell   *option;
 	char	   *password = NULL;	/* user password */
@@ -108,6 +113,16 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	DefElem    *dvalidUntil = NULL;
 	DefElem    *dbypassRLS = NULL;
 
+	GetUserIdAndSecContext(&saved_uid, &save_sec_context);
+
+	/*
+	 * Who is supposed to own the new role?
+	 */
+	if (stmt->authrole)
+		owner_uid = get_rolespec_oid(stmt->authrole, false);
+	else
+		owner_uid = saved_uid;
+
 	/* The defaults can vary depending on the original statement type */
 	switch (stmt->stmt_type)
 	{
@@ -254,6 +269,10 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to create superusers")));
+		if (!superuser_arg(owner_uid))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must be superuser to own superusers")));
 	}
 	else if (isreplication)
 	{
@@ -310,6 +329,19 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 				 errmsg("role \"%s\" already exists",
 						stmt->role)));
 
+	/*
+	 * If the requested authorization is different from the current user,
+	 * temporarily set the current user so that the object(s) will be created
+	 * with the correct ownership.
+	 *
+	 * (The setting will be restored at the end of this routine, or in case of
+	 * error, transaction abort will clean things up.)
+	 */
+	if (saved_uid != owner_uid)
+		SetUserIdAndSecContext(owner_uid,
+							   save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+
+
 	/* Convert validuntil to internal form */
 	if (validUntil)
 	{
@@ -345,6 +377,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 		DirectFunctionCall1(namein, CStringGetDatum(stmt->role));
 
 	new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper);
+	new_record[Anum_pg_authid_rolowner - 1] = ObjectIdGetDatum(owner_uid);
 	new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
 	new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
 	new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
@@ -422,6 +455,8 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	CatalogTupleInsert(pg_authid_rel, tuple);
 
+	recordDependencyOnOwner(AuthIdRelationId, roleid, owner_uid);
+
 	/*
 	 * Advance command counter so we can see new record; else tests in
 	 * AddRoleMems may fail.
@@ -478,6 +513,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	table_close(pg_authid_rel, NoLock);
 
+	/* Reset current user and security context */
+	SetUserIdAndSecContext(saved_uid, save_sec_context);
+
 	return roleid;
 }
 
@@ -1078,8 +1116,9 @@ DropRole(DropRoleStmt *stmt)
 		systable_endscan(sscan);
 
 		/*
-		 * Remove any comments or security labels on this role.
+		 * Remove any dependencies, comments or security labels on this role.
 		 */
+		deleteSharedDependencyRecordsFor(AuthIdRelationId, roleid, 0);
 		DeleteSharedComments(roleid, AuthIdRelationId);
 		DeleteSharedSecurityLabel(roleid, AuthIdRelationId);
 
@@ -1675,3 +1714,110 @@ DelRoleMems(const char *rolename, Oid roleid,
 	 */
 	table_close(pg_authmem_rel, NoLock);
 }
+
+/*
+ * Change role owner
+ */
+ObjectAddress
+AlterRoleOwner(const char *name, Oid newOwnerId)
+{
+	Oid                     roleid;
+	HeapTuple       tup;
+	Relation        rel;
+	ObjectAddress address;
+	Form_pg_authid authform;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHNAME, CStringGetDatum(name));
+	if (!HeapTupleIsValid(tup))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role \"%s\" does not exist", name)));
+
+	authform = (Form_pg_authid) GETSTRUCT(tup);
+	roleid = authform->oid;
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ObjectAddressSet(address, AuthIdRelationId, roleid);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+
+	return address;
+}
+
+void
+AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId)
+{
+	HeapTuple	tup;
+	Relation	rel;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleOid));
+	if (!HeapTupleIsValid(tup))
+		elog(ERROR, "cache lookup failed for role %u", roleOid);
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+}
+
+static void
+AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
+{
+	Form_pg_authid authForm;
+
+	Assert(tup->t_tableOid == AuthIdRelationId);
+	Assert(RelationGetRelid(rel) == AuthIdRelationId);
+
+	authForm = (Form_pg_authid) GETSTRUCT(tup);
+
+	/*
+	 * If the new owner is the same as the existing owner, consider the
+	 * command to have succeeded.  This is for dump restoration purposes.
+	 */
+	if (authForm->rolowner != newOwnerId)
+	{
+		/* Otherwise, must be owner of the existing object */
+		if (!pg_role_ownercheck(authForm->oid, GetUserId()))
+			aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		/* Must be able to become new owner */
+		check_is_member_of_role(GetUserId(), newOwnerId);
+
+		/*
+		 * must have CREATEROLE rights
+		 *
+		 * NOTE: This is different from most other alter-owner checks in that
+		 * the current user is checked for create privileges instead of the
+		 * destination owner.  This is consistent with the CREATE case for
+		 * roles.  Because superusers will always have this right, we need no
+		 * special case for them.
+		 */
+		if (!have_createrole_privilege())
+			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		/* Only the bootstrap superuser is allowed to own itself. */
+		if (newOwnerId != BOOTSTRAP_SUPERUSERID && authForm->oid == newOwnerId)
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("role may not own itself")));
+
+		authForm->rolowner = newOwnerId;
+		CatalogTupleUpdate(rel, &tup->t_self, tup);
+
+		/* Update owner dependency reference */
+		changeDependencyOnOwner(AuthIdRelationId, authForm->oid, newOwnerId);
+	}
+
+	InvokeObjectPostAlterHook(AuthIdRelationId,
+							  authForm->oid, 0);
+}
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
index 456d563f34..cb0794e873 100644
--- a/src/backend/nodes/copyfuncs.c
+++ b/src/backend/nodes/copyfuncs.c
@@ -4519,6 +4519,7 @@ _copyCreateRoleStmt(const CreateRoleStmt *from)
 
 	COPY_SCALAR_FIELD(stmt_type);
 	COPY_STRING_FIELD(role);
+	COPY_NODE_FIELD(authrole);
 	COPY_NODE_FIELD(options);
 
 	return newnode;
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
index 53beef1488..05dd05b170 100644
--- a/src/backend/nodes/equalfuncs.c
+++ b/src/backend/nodes/equalfuncs.c
@@ -2128,6 +2128,7 @@ _equalCreateRoleStmt(const CreateRoleStmt *a, const CreateRoleStmt *b)
 {
 	COMPARE_SCALAR_FIELD(stmt_type);
 	COMPARE_STRING_FIELD(role);
+	COMPARE_NODE_FIELD(authrole);
 	COMPARE_NODE_FIELD(options);
 
 	return true;
diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
index 879018377b..ef56f87d66 100644
--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -1077,9 +1077,20 @@ CreateRoleStmt:
 					CreateRoleStmt *n = makeNode(CreateRoleStmt);
 					n->stmt_type = ROLESTMT_ROLE;
 					n->role = $3;
+					n->authrole = NULL;
 					n->options = $5;
 					$$ = (Node *)n;
 				}
+			|
+			CREATE ROLE RoleId AUTHORIZATION RoleSpec opt_with OptRoleList
+				{
+					CreateRoleStmt *n = makeNode(CreateRoleStmt);
+					n->stmt_type = ROLESTMT_ROLE;
+					n->role = $3;
+					n->authrole = $5;
+					n->options = $7;
+					$$ = (Node *)n;
+				}
 		;
 
 
@@ -1218,6 +1229,10 @@ CreateOptRoleElem:
 				{
 					$$ = makeDefElem("addroleto", (Node *)$3, @1);
 				}
+			| OWNER RoleSpec
+				{
+					$$ = makeDefElem("owner", (Node *)$2, @1);
+				}
 		;
 
 
@@ -9585,6 +9600,14 @@ AlterOwnerStmt: ALTER AGGREGATE aggregate_with_argtypes OWNER TO RoleSpec
 					n->newowner = $6;
 					$$ = (Node *)n;
 				}
+			| ALTER ROLE name OWNER TO RoleSpec
+				{
+					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
+					n->objectType = OBJECT_ROLE;
+					n->object = (Node *) makeString($3);
+					n->newowner = $6;
+					$$ = (Node *)n;
+				}
 			| ALTER ROUTINE function_with_argtypes OWNER TO RoleSpec
 				{
 					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
diff --git a/src/bin/psql/describe.c b/src/bin/psql/describe.c
index 8587b19160..fcf641ec41 100644
--- a/src/bin/psql/describe.c
+++ b/src/bin/psql/describe.c
@@ -3496,6 +3496,12 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 		appendPQExpBufferStr(&buf, "\n, r.rolbypassrls");
 	}
 
+	if (pset.sversion >= 150000)
+	{
+		appendPQExpBufferStr(&buf, "\n, r.rolowner");
+		ncols++;
+	}
+
 	appendPQExpBufferStr(&buf, "\nFROM pg_catalog.pg_roles r\n");
 
 	if (!showSystem && !pattern)
@@ -3516,6 +3522,8 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	printTableInit(&cont, &myopt, _("List of roles"), ncols, nrows);
 
 	printTableAddHeader(&cont, gettext_noop("Role name"), true, align);
+	if (pset.sversion >= 150000)
+		printTableAddHeader(&cont, gettext_noop("Owner"), true, align);
 	printTableAddHeader(&cont, gettext_noop("Attributes"), true, align);
 	/* ignores implicit memberships from superuser & pg_database_owner */
 	printTableAddHeader(&cont, gettext_noop("Member of"), true, align);
@@ -3527,6 +3535,10 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	{
 		printTableAddCell(&cont, PQgetvalue(res, i, 0), false, false);
 
+		if (pset.sversion >= 150000)
+			printTableAddCell(&cont, PQgetvalue(res, i, (verbose ? 12 : 11)),
+							  false, false);
+
 		resetPQExpBuffer(&buf);
 		if (strcmp(PQgetvalue(res, i, 1), "t") == 0)
 			add_role_attribute(&buf, _("Superuser"));
diff --git a/src/include/catalog/pg_authid.h b/src/include/catalog/pg_authid.h
index 4b65e39a1f..3af0f3908c 100644
--- a/src/include/catalog/pg_authid.h
+++ b/src/include/catalog/pg_authid.h
@@ -32,6 +32,7 @@ CATALOG(pg_authid,1260,AuthIdRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_OID(284
 {
 	Oid			oid;			/* oid */
 	NameData	rolname;		/* name of role */
+	Oid			rolowner BKI_DEFAULT(POSTGRES) BKI_LOOKUP(pg_authid); /* owner of this role */
 	bool		rolsuper;		/* read this field via superuser() only! */
 	bool		rolinherit;		/* inherit privileges from other roles? */
 	bool		rolcreaterole;	/* allowed to create more roles? */
diff --git a/src/include/commands/user.h b/src/include/commands/user.h
index 0b7a3cd65f..c32127e41e 100644
--- a/src/include/commands/user.h
+++ b/src/include/commands/user.h
@@ -33,5 +33,7 @@ extern ObjectAddress RenameRole(const char *oldname, const char *newname);
 extern void DropOwnedObjects(DropOwnedStmt *stmt);
 extern void ReassignOwnedObjects(ReassignOwnedStmt *stmt);
 extern List *roleSpecsToIds(List *memberNames);
+extern ObjectAddress AlterRoleOwner(const char *name, Oid newOwnerId);
+extern void AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId);
 
 #endif							/* USER_H */
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 413e7c85a1..06ad44569b 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -2622,6 +2622,7 @@ typedef struct CreateRoleStmt
 	NodeTag		type;
 	RoleStmtType stmt_type;		/* ROLE/USER/GROUP */
 	char	   *role;			/* role name */
+	RoleSpec   *authrole;		/* the owner of the created role */
 	List	   *options;		/* List of DefElem nodes */
 } CreateRoleStmt;
 
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 1ce4c5556e..42f85d0e84 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -316,6 +316,7 @@ extern bool pg_extension_ownercheck(Oid ext_oid, Oid roleid);
 extern bool pg_publication_ownercheck(Oid pub_oid, Oid roleid);
 extern bool pg_subscription_ownercheck(Oid sub_oid, Oid roleid);
 extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
+extern bool pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
 
diff --git a/src/test/modules/unsafe_tests/expected/rolenames.out b/src/test/modules/unsafe_tests/expected/rolenames.out
index eb608fdc2e..8b79a63b80 100644
--- a/src/test/modules/unsafe_tests/expected/rolenames.out
+++ b/src/test/modules/unsafe_tests/expected/rolenames.out
@@ -1086,6 +1086,10 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 \c
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
+ERROR:  role "regress_testrol2" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_haspriv
+owner of role regress_role_nopriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/modules/unsafe_tests/sql/rolenames.sql b/src/test/modules/unsafe_tests/sql/rolenames.sql
index adac36536d..95a54ce70d 100644
--- a/src/test/modules/unsafe_tests/sql/rolenames.sql
+++ b/src/test/modules/unsafe_tests/sql/rolenames.sql
@@ -499,6 +499,7 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 4e67d72760..66d4c29cf7 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -1,6 +1,7 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_admin;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
@@ -11,14 +12,98 @@ CREATE ROLE regress_nosuch_replication REPLICATION;
 ERROR:  must be superuser to create replication users
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
 ERROR:  must be superuser to create bypassrls users
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
+ERROR:  must be superuser to own superusers
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_super SUPERUSER;
+-- ok, superuser can create users with these privileges for normal role
+CREATE ROLE regress_nosuch_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
+CREATE ROLE regress_nosuch_replication AUTHORIZATION regress_role_admin REPLICATION;
+CREATE ROLE regress_nosuch_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
+\du+ regress_nosuch_superuser
+                                           List of roles
+        Role name         |       Owner        |       Attributes        | Member of | Description 
+--------------------------+--------------------+-------------------------+-----------+-------------
+ regress_nosuch_superuser | regress_role_super | Superuser, Cannot login | {}        | 
+
+\du+ regress_nosuch_replication_bypassrls
+                                                        List of roles
+              Role name               |       Owner        |              Attributes               | Member of | Description 
+--------------------------------------+--------------------+---------------------------------------+-----------+-------------
+ regress_nosuch_replication_bypassrls | regress_role_admin | Cannot login, Replication, Bypass RLS | {}        | 
+
+\du+ regress_nosuch_replication
+                                             List of roles
+         Role name          |       Owner        |        Attributes         | Member of | Description 
+----------------------------+--------------------+---------------------------+-----------+-------------
+ regress_nosuch_replication | regress_role_admin | Cannot login, Replication | {}        | 
+
+\du+ regress_nosuch_bypassrls
+                                           List of roles
+        Role name         |       Owner        |        Attributes        | Member of | Description 
+--------------------------+--------------------+--------------------------+-----------+-------------
+ regress_nosuch_bypassrls | regress_role_admin | Cannot login, Bypass RLS | {}        | 
+
+-- fail, roles are not allowed to own themselves
+ALTER ROLE regress_nosuch_bypassrls OWNER TO regress_nosuch_bypassrls;
+ERROR:  role may not own itself
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
 CREATE ROLE regress_login LOGIN;
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
-CREATE ROLE regress_encrypted_password ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_password_null PASSWORD NULL;
+CREATE ROLE regress_encrypted_password PASSWORD NULL;
+CREATE ROLE regress_password_null
+  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_createdb, regress_createrole, regress_login;
+\du+ regress_createdb
+                                       List of roles
+    Role name     |       Owner        |       Attributes        | Member of | Description 
+------------------+--------------------+-------------------------+-----------+-------------
+ regress_createdb | regress_role_admin | Create DB, Cannot login | {}        | 
+
+\du+ regress_createrole
+                                         List of roles
+     Role name      |       Owner        |        Attributes         | Member of | Description 
+--------------------+--------------------+---------------------------+-----------+-------------
+ regress_createrole | regress_role_admin | Create role, Cannot login | {}        | 
+
+\du+ regress_login
+                               List of roles
+   Role name   |       Owner        | Attributes | Member of | Description 
+---------------+--------------------+------------+-----------+-------------
+ regress_login | regress_role_admin |            | {}        | 
+
+\du+ regress_inherit
+                                 List of roles
+    Role name    |       Owner        |  Attributes  | Member of | Description 
+-----------------+--------------------+--------------+-----------+-------------
+ regress_inherit | regress_role_admin | Cannot login | {}        | 
+
+\du+ regress_connection_limit
+                                      List of roles
+        Role name         |       Owner        |  Attributes   | Member of | Description 
+--------------------------+--------------------+---------------+-----------+-------------
+ regress_connection_limit | regress_role_admin | Cannot login +| {}        | 
+                          |                    | 5 connections |           | 
+
+\du+ regress_encrypted_password
+                                      List of roles
+         Role name          |       Owner        |  Attributes  | Member of | Description 
+----------------------------+--------------------+--------------+-----------+-------------
+ regress_encrypted_password | regress_role_admin | Cannot login | {}        | 
+
+\du+ regress_password_null
+                                                              List of roles
+       Role name       |       Owner        |       Attributes       |                      Member of                      | Description 
+-----------------------+--------------------+------------------------+-----------------------------------------------------+-------------
+ regress_password_null | regress_role_admin | Create role, Create DB+| {regress_createdb,regress_createrole,regress_login} | 
+                       |                    | 2 connections          |                                                     | 
+
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_noiseword SYSID 12345;
 NOTICE:  SYSID can no longer be specified
@@ -84,16 +169,24 @@ CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
 CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot take ownership of these objects from regress_createrole
 SET SESSION AUTHORIZATION regress_role_admin;
+ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
+ERROR:  must be owner of role regress_plainrole
+REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
+ERROR:  permission denied to reassign objects
+-- superuser can do it, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
+REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_nosuch_superuser;
-ERROR:  role "regress_nosuch_superuser" does not exist
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_admin;
 DROP ROLE regress_nosuch_replication_bypassrls;
-ERROR:  role "regress_nosuch_replication_bypassrls" does not exist
 DROP ROLE regress_nosuch_replication;
-ERROR:  role "regress_nosuch_replication" does not exist
 DROP ROLE regress_nosuch_bypassrls;
-ERROR:  role "regress_nosuch_bypassrls" does not exist
 DROP ROLE regress_nosuch_super;
 ERROR:  role "regress_nosuch_super" does not exist
 DROP ROLE regress_nosuch_dbowner;
@@ -103,9 +196,23 @@ ERROR:  role "regress_nosuch_recursive" does not exist
 DROP ROLE regress_nosuch_admin_recursive;
 ERROR:  role "regress_nosuch_admin_recursive" does not exist
 DROP ROLE regress_plainrole;
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_createdb;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_createrole;
+ERROR:  role "regress_createrole" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_rolecreator
+owner of role regress_tenant
+owner of role regress_read_all_data
+owner of role regress_write_all_data
+owner of role regress_monitor
+owner of role regress_read_all_settings
+owner of role regress_read_all_stats
+owner of role regress_stat_scan_tables
+owner of role regress_read_server_files
+owner of role regress_write_server_files
+owner of role regress_execute_server_program
+owner of role regress_signal_backend
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_createdb;
 DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
@@ -130,6 +237,10 @@ DROP ROLE regress_tenant;
 ERROR:  role "regress_tenant" cannot be dropped because some objects depend on it
 DETAIL:  owner of table tenant_table
 owner of view tenant_view
+-- fail, role still owns other roles
+DROP ROLE regress_createrole;
+ERROR:  role "regress_createrole" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_tenant
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
@@ -141,5 +252,12 @@ DROP INDEX tenant_idx;
 DROP TABLE tenant_table;
 DROP VIEW tenant_view;
 DROP ROLE regress_tenant;
+DROP ROLE regress_createrole;
+-- fail, cannot drop role with remaining privileges
+DROP ROLE regress_role_admin;
+ERROR:  role "regress_role_admin" cannot be dropped because some objects depend on it
+DETAIL:  privileges for database regression
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_admin;
 DROP ROLE regress_role_admin;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/expected/oidjoins.out b/src/test/regress/expected/oidjoins.out
index 215eb899be..266a30a85b 100644
--- a/src/test/regress/expected/oidjoins.out
+++ b/src/test/regress/expected/oidjoins.out
@@ -194,6 +194,7 @@ NOTICE:  checking pg_database {dattablespace} => pg_tablespace {oid}
 NOTICE:  checking pg_db_role_setting {setdatabase} => pg_database {oid}
 NOTICE:  checking pg_db_role_setting {setrole} => pg_authid {oid}
 NOTICE:  checking pg_tablespace {spcowner} => pg_authid {oid}
+NOTICE:  checking pg_authid {rolowner} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {roleid} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {member} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {grantor} => pg_authid {oid}
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 291e21d7a6..9ce619fd5f 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -27,8 +27,10 @@ CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
 CREATE USER regress_priv_user5;	-- duplicate
 ERROR:  role "regress_priv_user5" already exists
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 CREATE USER regress_priv_user8;
 CREATE USER regress_priv_user9;
 CREATE USER regress_priv_user10;
@@ -2356,7 +2358,12 @@ DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
 DROP USER regress_priv_user6;
+ERROR:  role "regress_priv_user6" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_priv_user7
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 ERROR:  role "regress_priv_user8" does not exist
 -- permissions with LOCK TABLE
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index b58b062b10..6bce5a005d 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1482,6 +1482,7 @@ pg_replication_slots| SELECT l.slot_name,
    FROM (pg_get_replication_slots() l(slot_name, plugin, slot_type, datoid, temporary, active, active_pid, xmin, catalog_xmin, restart_lsn, confirmed_flush_lsn, wal_status, safe_wal_size, two_phase)
      LEFT JOIN pg_database d ON ((l.datoid = d.oid)));
 pg_roles| SELECT pg_authid.rolname,
+    pg_get_userbyid(pg_authid.rolowner) AS rolowner,
     pg_authid.rolsuper,
     pg_authid.rolinherit,
     pg_authid.rolcreaterole,
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 292dc08797..091b116dd6 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -1,6 +1,7 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_admin;
 
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_admin;
@@ -9,14 +10,45 @@ CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
 CREATE ROLE regress_nosuch_replication REPLICATION;
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
 
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
+
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_super SUPERUSER;
+
+-- ok, superuser can create users with these privileges for normal role
+CREATE ROLE regress_nosuch_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
+CREATE ROLE regress_nosuch_replication AUTHORIZATION regress_role_admin REPLICATION;
+CREATE ROLE regress_nosuch_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
+
+\du+ regress_nosuch_superuser
+\du+ regress_nosuch_replication_bypassrls
+\du+ regress_nosuch_replication
+\du+ regress_nosuch_bypassrls
+
+-- fail, roles are not allowed to own themselves
+ALTER ROLE regress_nosuch_bypassrls OWNER TO regress_nosuch_bypassrls;
+
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
 CREATE ROLE regress_login LOGIN;
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
-CREATE ROLE regress_encrypted_password ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_password_null PASSWORD NULL;
+CREATE ROLE regress_encrypted_password PASSWORD NULL;
+CREATE ROLE regress_password_null
+  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_createdb, regress_createrole, regress_login;
+
+\du+ regress_createdb
+\du+ regress_createrole
+\du+ regress_login
+\du+ regress_inherit
+\du+ regress_connection_limit
+\du+ regress_encrypted_password
+\du+ regress_password_null
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_noiseword SYSID 12345;
@@ -86,9 +118,22 @@ CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
 
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot take ownership of these objects from regress_createrole
 SET SESSION AUTHORIZATION regress_role_admin;
+ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
+REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
+
+-- superuser can do it, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
+REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
+
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_nosuch_superuser;
+
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_admin;
 DROP ROLE regress_nosuch_replication_bypassrls;
 DROP ROLE regress_nosuch_replication;
 DROP ROLE regress_nosuch_bypassrls;
@@ -98,9 +143,11 @@ DROP ROLE regress_nosuch_recursive;
 DROP ROLE regress_nosuch_admin_recursive;
 DROP ROLE regress_plainrole;
 
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_createdb;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_createrole;
+
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_createdb;
 DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
@@ -124,6 +171,9 @@ DROP ROLE regress_signal_backend;
 -- fail, role still owns database objects
 DROP ROLE regress_tenant;
 
+-- fail, role still owns other roles
+DROP ROLE regress_createrole;
+
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_admin;
@@ -134,5 +184,12 @@ DROP INDEX tenant_idx;
 DROP TABLE tenant_table;
 DROP VIEW tenant_view;
 DROP ROLE regress_tenant;
+DROP ROLE regress_createrole;
+
+-- fail, cannot drop role with remaining privileges
+DROP ROLE regress_role_admin;
+
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_admin;
 DROP ROLE regress_role_admin;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index c8c545b64c..dcf84f91fd 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -30,8 +30,10 @@ CREATE USER regress_priv_user3;
 CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
 CREATE USER regress_priv_user5;	-- duplicate
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 CREATE USER regress_priv_user8;
 CREATE USER regress_priv_user9;
 CREATE USER regress_priv_user10;
@@ -1426,8 +1428,14 @@ DROP USER regress_priv_user2;
 DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
+
 DROP USER regress_priv_user6;
+
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 
 
-- 
2.21.1 (Apple Git-122.3)

From 76bb0669c0792b228a5a7ff455ebe0bc0ffbfbdc Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 11 Jan 2022 11:16:05 -0800
Subject: [PATCH v5 3/5] Give role owners control over owned roles

Create a role ownership hierarchy.  The previous commit added owners
to roles.  This goes further, making role ownership transitive.  If
role A owns role B, and role B owns role C, then role A can act as
the owner of role C.  Also, roles A and B can perform any action on
objects belonging to role C that role C could itself perform.
---
 src/backend/catalog/aclchk.c                  |  49 +-------
 src/backend/catalog/objectaddress.c           |  22 +---
 src/backend/commands/schemacmds.c             |   2 +-
 src/backend/commands/user.c                   |  28 +++--
 src/backend/utils/adt/acl.c                   | 118 ++++++++++++++++++
 src/include/utils/acl.h                       |   1 +
 .../expected/dummy_seclabel.out               |  12 +-
 .../dummy_seclabel/sql/dummy_seclabel.sql     |  12 +-
 src/test/regress/expected/create_role.out     |  68 ++++------
 src/test/regress/sql/create_role.sql          |  44 +++----
 10 files changed, 204 insertions(+), 152 deletions(-)

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index e5c7324340..1e0ee503e4 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5440,61 +5440,16 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 bool
 pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid)
 {
-	HeapTuple		tuple;
-	Form_pg_authid	authform;
-	Oid				owner_oid;
-
 	/* Superusers bypass all permission checking. */
 	if (superuser_arg(owner_roleid))
 		return true;
 
-	/* Otherwise, look up the owner of the role */
-	tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(owned_role_oid));
-	if (!HeapTupleIsValid(tuple))
-		ereport(ERROR,
-				(errcode(ERRCODE_UNDEFINED_OBJECT),
-				 errmsg("role with OID %u does not exist",
-						owned_role_oid)));
-	authform = (Form_pg_authid) GETSTRUCT(tuple);
-	owner_oid = authform->rolowner;
-
-	/*
-	 * Roles must necessarily have owners.  Even the bootstrap user has an
-	 * owner.  (It owns itself).  Other roles must form a proper tree.
-	 */
-	if (!OidIsValid(owner_oid))
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u has invalid owner",
-						authform->rolname.data, authform->oid)));
-	if (authform->oid != BOOTSTRAP_SUPERUSERID &&
-		authform->rolowner == authform->oid)
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u owns itself",
-						authform->rolname.data, authform->oid)));
-	if (authform->oid == BOOTSTRAP_SUPERUSERID &&
-		authform->rolowner != BOOTSTRAP_SUPERUSERID)
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u owned by role with OID %u",
-						authform->rolname.data, authform->oid,
-						authform->rolowner)));
-	ReleaseSysCache(tuple);
-
-	return (owner_oid == owner_roleid);
+	/* Otherwise, check the role ownership hierarchy */
+	return is_owner_of_role_nosuper(owner_roleid, owned_role_oid);
 }
 
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
- *
- * Note: roles do not have owners per se; instead we use this test in
- * places where an ownership-like permissions test is needed for a role.
- * Be sure to apply it to the role trying to do the operation, not the
- * role being operated on!	Also note that this generally should not be
- * considered enough privilege if the target role is a superuser.
- * (We don't handle that consideration here because we want to give a
- * separate error message for such cases, so the caller has to deal with it.)
  */
 bool
 has_createrole_privilege(Oid roleid)
diff --git a/src/backend/catalog/objectaddress.c b/src/backend/catalog/objectaddress.c
index f30c742d48..1a47f28829 100644
--- a/src/backend/catalog/objectaddress.c
+++ b/src/backend/catalog/objectaddress.c
@@ -2596,25 +2596,9 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
 							   NameListToString(castNode(List, object)));
 			break;
 		case OBJECT_ROLE:
-
-			/*
-			 * We treat roles as being "owned" by those with CREATEROLE priv,
-			 * except that superusers are only owned by superusers.
-			 */
-			if (superuser_arg(address.objectId))
-			{
-				if (!superuser_arg(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must be superuser")));
-			}
-			else
-			{
-				if (!has_createrole_privilege(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must have CREATEROLE privilege")));
-			}
+			if (!pg_role_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, objtype,
+							   strVal(object));
 			break;
 		case OBJECT_TSPARSER:
 		case OBJECT_TSTEMPLATE:
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
index 984000a5bc..e5405db658 100644
--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
@@ -363,7 +363,7 @@ AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		/*
 		 * must have create-schema rights
 		 *
-		 * NOTE: This is different from other alter-owner checks in that the
+		 * NOTE: This is different from most other alter-owner checks in that the
 		 * current user is checked for create privileges instead of the
 		 * destination owner.  This is consistent with the CREATE case for
 		 * schemas.  Because superusers will always have this right, we need
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index a4e2223a2d..cccb24a498 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -724,7 +724,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 			  !rolemembers &&
 			  !validUntil &&
 			  dpassword &&
-			  roleid == GetUserId()))
+			  !pg_role_ownercheck(roleid, GetUserId())))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied")));
@@ -925,7 +925,8 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() && roleid != GetUserId())
+			if (!have_createrole_privilege() &&
+				!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -977,11 +978,6 @@ DropRole(DropRoleStmt *stmt)
 				pg_auth_members_rel;
 	ListCell   *item;
 
-	if (!have_createrole_privilege())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied to drop role")));
-
 	/*
 	 * Scan the pg_authid relation to find the Oid of the role(s) to be
 	 * deleted.
@@ -1053,6 +1049,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
+		if (!have_createrole_privilege() &&
+			!pg_role_ownercheck(roleid, GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("permission denied to drop role")));
+
 		/* DROP hook for the role being removed */
 		InvokeObjectDropHook(AuthIdRelationId, roleid, 0);
 
@@ -1811,6 +1813,18 @@ AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("role may not own itself")));
 
+		/*
+		 * Must not create cycles in the role ownership hierarchy.  If this
+		 * role owns (directly or indirectly) the proposed new owner, disallow
+		 * the ownership transfer.
+		 */
+		if (is_owner_of_role_nosuper(authForm->oid, newOwnerId))
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("role \"%s\" may not both own and be owned by role \"%s\"",
+							NameStr(authForm->rolname),
+							GetUserNameFromId(newOwnerId, false))));
+
 		authForm->rolowner = newOwnerId;
 		CatalogTupleUpdate(rel, &tup->t_self, tup);
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 0a16f8156c..97336db058 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4832,6 +4832,111 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 }
 
 
+/*
+ * Get a list of roles which own the given role, directly or indirectly.
+ *
+ * Each role has only one direct owner.  The returned list contains the given
+ * role's owner, that role's owner, etc., up to the top of the ownership
+ * hierarchy, which is always the bootstrap superuser.
+ *
+ * Raises an error if any role ownership invariant is violated.  Returns NIL if
+ * the given roleid is invalid.
+ */
+static List *
+roles_is_owned_by(Oid roleid)
+{
+	List	   *owners_list = NIL;
+	Oid			role_oid = roleid;
+
+	/*
+	 * Start with the current role and follow the ownership chain upwards until
+	 * we reach the bootstrap superuser.  To defend against getting into an
+	 * infinite loop, we must check for ownership cycles.  We choose to perform
+	 * other corruption checks on the ownership structure while iterating, too.
+	 */
+	while (OidIsValid(role_oid))
+	{
+		HeapTuple		tuple;
+		Form_pg_authid	authform;
+		Oid				owner_oid;
+
+		/* Find the owner of the current iteration's role */
+		tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
+		if (!HeapTupleIsValid(tuple))
+			ereport(ERROR,
+					(errcode(ERRCODE_UNDEFINED_OBJECT),
+					 errmsg("role with OID %u does not exist", role_oid)));
+
+		authform = (Form_pg_authid) GETSTRUCT(tuple);
+		owner_oid = authform->rolowner;
+
+		/*
+		 * Roles must necessarily have owners.  Even the bootstrap user has an
+		 * owner.  (It owns itself).
+		 */
+		if (!OidIsValid(owner_oid))
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u has invalid owner",
+							NameStr(authform->rolname), authform->oid)));
+
+		/* The bootstrap user must own itself */
+		if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+			owner_oid != BOOTSTRAP_SUPERUSERID)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+							NameStr(authform->rolname), authform->oid,
+							authform->rolowner)));
+
+		/*
+		 * Roles other than the bootstrap user must not be their own direct
+		 * owners.
+		 */
+		if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+			authform->oid == owner_oid)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owns itself",
+							NameStr(authform->rolname), authform->oid)));
+
+		ReleaseSysCache(tuple);
+
+		/* If we have reached the bootstrap user, we're done. */
+		if (role_oid == BOOTSTRAP_SUPERUSERID)
+		{
+			if (!owners_list)
+				owners_list = lappend_oid(owners_list, owner_oid);
+			break;
+		}
+
+		/*
+		 * For all other users, check they do not own themselves indirectly
+		 * through an ownership cycle.
+		 *
+		 * Scanning the list each time through this loop results in overall
+		 * quadratic work in the depth of the ownership chain, but we're
+		 * not on a critical performance path, nor do we expect ownership
+		 * hierarchies to be deep.
+		 */
+		if (owners_list && list_member_oid(owners_list,
+										   ObjectIdGetDatum(owner_oid)))
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u indirectly owns itself",
+							GetUserNameFromId(owner_oid, false),
+							owner_oid)));
+
+		/* Done with sanity checks.  Add this owner to the list. */
+		owners_list = lappend_oid(owners_list, owner_oid);
+
+		/* Otherwise, iterate on this iteration's owner_oid. */
+		role_oid = owner_oid;
+	}
+
+	return owners_list;
+}
+
 /*
  * Does member have the privileges of role (directly or indirectly)?
  *
@@ -4850,6 +4955,10 @@ has_privs_of_role(Oid member, Oid role)
 	if (superuser_arg(member))
 		return true;
 
+	/* Owners of roles have every privilege the owned role has */
+	if (pg_role_ownercheck(role, member))
+		return true;
+
 	/*
 	 * Find all the roles that member has the privileges of, including
 	 * multi-level recursion, then see if target role is any one of them.
@@ -4921,6 +5030,15 @@ is_member_of_role_nosuper(Oid member, Oid role)
 						   role);
 }
 
+/*
+ * Is owner a direct or indirect owner of the role, not considering
+ * superuserness?
+ */
+bool
+is_owner_of_role_nosuper(Oid owner, Oid role)
+{
+	return list_member_oid(roles_is_owned_by(role), owner);
+}
 
 /*
  * Is member an admin of role?	That is, is member the role itself (subject to
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 42f85d0e84..572cae0f27 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -209,6 +209,7 @@ extern bool has_privs_of_role(Oid member, Oid role);
 extern bool is_member_of_role(Oid member, Oid role);
 extern bool is_member_of_role_nosuper(Oid member, Oid role);
 extern bool is_admin_of_role(Oid member, Oid role);
+extern bool is_owner_of_role_nosuper(Oid owner, Oid role);
 extern void check_is_member_of_role(Oid member, Oid role);
 extern Oid	get_role_oid(const char *rolename, bool missing_ok);
 extern Oid	get_role_oid_or_public(const char *rolename);
diff --git a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
index b2d898a7d1..93cf82b750 100644
--- a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
+++ b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
@@ -7,8 +7,11 @@ SET client_min_messages TO 'warning';
 DROP ROLE IF EXISTS regress_dummy_seclabel_user1;
 DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 RESET client_min_messages;
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
 CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
@@ -19,7 +22,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
@@ -29,6 +32,7 @@ ERROR:  '...invalid label...' is not a valid security label
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
 ERROR:  security label provider "unknown_seclabel" is not loaded
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 ERROR:  must be owner of table dummy_seclabel_tbl2
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
@@ -42,7 +46,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
 ERROR:  '...invalid label...' is not a valid security label
@@ -55,7 +59,7 @@ SECURITY LABEL ON ROLE regress_dummy_seclabel_user3 IS 'unclassified';	-- fail (
 ERROR:  role "regress_dummy_seclabel_user3" does not exist
 SET SESSION AUTHORIZATION regress_dummy_seclabel_user2;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user2 IS 'unclassified';	-- fail (not privileged)
-ERROR:  must have CREATEROLE privilege
+ERROR:  must be owner of role regress_dummy_seclabel_user2
 RESET SESSION AUTHORIZATION;
 --
 -- Test for various types of object
diff --git a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
index 8c347b6a68..bf575343cf 100644
--- a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
+++ b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
@@ -11,8 +11,12 @@ DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 
 RESET client_min_messages;
 
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
@@ -26,7 +30,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
@@ -34,6 +38,8 @@ SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...';	-- fail
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified';	-- fail (not found)
@@ -45,7 +51,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 66d4c29cf7..2c42c8ad8d 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -58,8 +58,9 @@ CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
 CREATE ROLE regress_encrypted_password PASSWORD NULL;
 CREATE ROLE regress_password_null
-  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
-  IN ROLE regress_createdb, regress_createrole, regress_login;
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_createdb, regress_createrole;
+COMMENT ON ROLE regress_password_null IS 'no login test role';
 \du+ regress_createdb
                                        List of roles
     Role name     |       Owner        |       Attributes        | Member of | Description 
@@ -98,11 +99,11 @@ CREATE ROLE regress_password_null
  regress_encrypted_password | regress_role_admin | Cannot login | {}        | 
 
 \du+ regress_password_null
-                                                              List of roles
-       Role name       |       Owner        |       Attributes       |                      Member of                      | Description 
------------------------+--------------------+------------------------+-----------------------------------------------------+-------------
- regress_password_null | regress_role_admin | Create role, Create DB+| {regress_createdb,regress_createrole,regress_login} | 
-                       |                    | 2 connections          |                                                     | 
+                                                                 List of roles
+       Role name       |       Owner        |              Attributes              |               Member of               |    Description     
+-----------------------+--------------------+--------------------------------------+---------------------------------------+--------------------
+ regress_password_null | regress_role_admin | Create role, Create DB, Cannot login+| {regress_createdb,regress_createrole} | no login test role
+                       |                    | 2 connections                        |                                       | 
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_noiseword SYSID 12345;
@@ -143,21 +144,18 @@ CREATE TABLE tenant_table (i integer);
 CREATE INDEX tenant_idx ON tenant_table(i);
 CREATE VIEW tenant_view AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON tenant_table FROM PUBLIC;
--- fail, these objects belonging to regress_tenant
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_createrole;
 DROP INDEX tenant_idx;
-ERROR:  must be owner of index tenant_idx
 ALTER TABLE tenant_table ADD COLUMN t text;
-ERROR:  must be owner of table tenant_table
 DROP TABLE tenant_table;
-ERROR:  must be owner of table tenant_table
+-- fail, not a member of target role
 ALTER VIEW tenant_view OWNER TO regress_role_admin;
-ERROR:  must be owner of view tenant_view
+ERROR:  must be member of role "regress_role_admin"
+-- ok
 DROP VIEW tenant_view;
-ERROR:  must be owner of view tenant_view
--- fail, cannot take ownership of these objects from regress_tenant
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
-ERROR:  permission denied to reassign objects
 -- ok, having CREATEROLE is enough to create roles in privileged roles
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
@@ -169,14 +167,14 @@ CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
 CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
--- fail, cannot take ownership of these objects from regress_createrole
-SET SESSION AUTHORIZATION regress_role_admin;
-ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
-ERROR:  must be owner of role regress_plainrole
-REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
-ERROR:  permission denied to reassign objects
--- superuser can do it, though
+-- fail, cannot create ownership cycles
 RESET SESSION AUTHORIZATION;
+REASSIGN OWNED BY regress_role_admin TO regress_tenant;
+ERROR:  role "regress_createrole" may not both own and be owned by role "regress_tenant"
+ALTER ROLE regress_role_admin OWNER TO regress_tenant;
+ERROR:  role "regress_role_admin" may not both own and be owned by role "regress_tenant"
+-- ok, can take ownership from owned roles
+SET SESSION AUTHORIZATION regress_role_admin;
 ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
 REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
 -- ok, superuser roles can drop superuser roles they own
@@ -187,14 +185,6 @@ SET SESSION AUTHORIZATION regress_role_admin;
 DROP ROLE regress_nosuch_replication_bypassrls;
 DROP ROLE regress_nosuch_replication;
 DROP ROLE regress_nosuch_bypassrls;
-DROP ROLE regress_nosuch_super;
-ERROR:  role "regress_nosuch_super" does not exist
-DROP ROLE regress_nosuch_dbowner;
-ERROR:  role "regress_nosuch_dbowner" does not exist
-DROP ROLE regress_nosuch_recursive;
-ERROR:  role "regress_nosuch_recursive" does not exist
-DROP ROLE regress_nosuch_admin_recursive;
-ERROR:  role "regress_nosuch_admin_recursive" does not exist
 DROP ROLE regress_plainrole;
 -- fail, cannot drop roles that own other roles
 DROP ROLE regress_createrole;
@@ -222,6 +212,7 @@ DROP ROLE regress_noiseword;
 DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
+DROP ROLE regress_tenant;
 DROP ROLE regress_read_all_data;
 DROP ROLE regress_write_all_data;
 DROP ROLE regress_monitor;
@@ -232,28 +223,15 @@ DROP ROLE regress_read_server_files;
 DROP ROLE regress_write_server_files;
 DROP ROLE regress_execute_server_program;
 DROP ROLE regress_signal_backend;
--- fail, role still owns database objects
-DROP ROLE regress_tenant;
-ERROR:  role "regress_tenant" cannot be dropped because some objects depend on it
-DETAIL:  owner of table tenant_table
-owner of view tenant_view
--- fail, role still owns other roles
-DROP ROLE regress_createrole;
-ERROR:  role "regress_createrole" cannot be dropped because some objects depend on it
-DETAIL:  owner of role regress_tenant
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
 DROP ROLE regress_role_admin;
 ERROR:  current user cannot be dropped
--- ok
-RESET SESSION AUTHORIZATION;
-DROP INDEX tenant_idx;
-DROP TABLE tenant_table;
-DROP VIEW tenant_view;
-DROP ROLE regress_tenant;
+-- ok, no more owned roles remain
 DROP ROLE regress_createrole;
 -- fail, cannot drop role with remaining privileges
+RESET SESSION AUTHORIZATION;
 DROP ROLE regress_role_admin;
 ERROR:  role "regress_role_admin" cannot be dropped because some objects depend on it
 DETAIL:  privileges for database regression
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 091b116dd6..00e63b7d93 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -39,8 +39,9 @@ CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
 CREATE ROLE regress_encrypted_password PASSWORD NULL;
 CREATE ROLE regress_password_null
-  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
-  IN ROLE regress_createdb, regress_createrole, regress_login;
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_createdb, regress_createrole;
+COMMENT ON ROLE regress_password_null IS 'no login test role';
 
 \du+ regress_createdb
 \du+ regress_createrole
@@ -95,15 +96,19 @@ CREATE INDEX tenant_idx ON tenant_table(i);
 CREATE VIEW tenant_view AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON tenant_table FROM PUBLIC;
 
--- fail, these objects belonging to regress_tenant
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_createrole;
 DROP INDEX tenant_idx;
 ALTER TABLE tenant_table ADD COLUMN t text;
 DROP TABLE tenant_table;
+
+-- fail, not a member of target role
 ALTER VIEW tenant_view OWNER TO regress_role_admin;
+
+-- ok
 DROP VIEW tenant_view;
 
--- fail, cannot take ownership of these objects from regress_tenant
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
 
 -- ok, having CREATEROLE is enough to create roles in privileged roles
@@ -118,13 +123,13 @@ CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
 
--- fail, cannot take ownership of these objects from regress_createrole
-SET SESSION AUTHORIZATION regress_role_admin;
-ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
-REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
-
--- superuser can do it, though
+-- fail, cannot create ownership cycles
 RESET SESSION AUTHORIZATION;
+REASSIGN OWNED BY regress_role_admin TO regress_tenant;
+ALTER ROLE regress_role_admin OWNER TO regress_tenant;
+
+-- ok, can take ownership from owned roles
+SET SESSION AUTHORIZATION regress_role_admin;
 ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
 REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
 
@@ -137,10 +142,6 @@ SET SESSION AUTHORIZATION regress_role_admin;
 DROP ROLE regress_nosuch_replication_bypassrls;
 DROP ROLE regress_nosuch_replication;
 DROP ROLE regress_nosuch_bypassrls;
-DROP ROLE regress_nosuch_super;
-DROP ROLE regress_nosuch_dbowner;
-DROP ROLE regress_nosuch_recursive;
-DROP ROLE regress_nosuch_admin_recursive;
 DROP ROLE regress_plainrole;
 
 -- fail, cannot drop roles that own other roles
@@ -157,6 +158,7 @@ DROP ROLE regress_noiseword;
 DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
+DROP ROLE regress_tenant;
 DROP ROLE regress_read_all_data;
 DROP ROLE regress_write_all_data;
 DROP ROLE regress_monitor;
@@ -168,25 +170,15 @@ DROP ROLE regress_write_server_files;
 DROP ROLE regress_execute_server_program;
 DROP ROLE regress_signal_backend;
 
--- fail, role still owns database objects
-DROP ROLE regress_tenant;
-
--- fail, role still owns other roles
-DROP ROLE regress_createrole;
-
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_admin;
 
--- ok
-RESET SESSION AUTHORIZATION;
-DROP INDEX tenant_idx;
-DROP TABLE tenant_table;
-DROP VIEW tenant_view;
-DROP ROLE regress_tenant;
+-- ok, no more owned roles remain
 DROP ROLE regress_createrole;
 
 -- fail, cannot drop role with remaining privileges
+RESET SESSION AUTHORIZATION;
 DROP ROLE regress_role_admin;
 
 -- ok, can drop role if we revoke privileges first
-- 
2.21.1 (Apple Git-122.3)

From 99b5da77dc05d6269cc4cb53f69754924885f92c Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 11 Jan 2022 12:01:50 -0800
Subject: [PATCH v5 4/5] Restrict power granted via CREATEROLE.

The CREATEROLE attribute no longer has anything to do with the power
to alter roles or to grant or revoke role membership, but merely the
ability to create new roles, as its name suggests.  The ability to
alter a role is based on role ownership; the ability to grant and
revoke role membership is based on having admin privilege on the
relevant role or alternatively on role ownership, as owners now
implicitly have admin privileges on roles they own.

A role must either be superuser or have the CREATEROLE attribute to
create roles.  This is unchanged from the prior behavior.  A new
principle is adopted, though, to make CREATEROLE less dangerous:  a
role may not create new roles with privileges that the creating role
lacks.  This new principle is intended to prevent privilege
escalation attacks stemming from giving CREATEROLE to a user.  This
is not backwards compatible.  The idea is to fix the CREATEROLE
privilege to not be pathway to gaining superuser, and no
non-breaking change to accomplish that is apparent.

SUPERUSER, REPLICATION, BYPASSRLS, CREATEDB, CREATEROLE and LOGIN
privilege can only be given to new roles by creators who have the
same privilege.  In the case of the CREATEROLE privilege, this is
trivially true, as the creator must necessarily have it or they
couldn't be creating the role to begin with.

The INHERIT attribute is not considered a privilege, and since a
user who belongs to a role may SET ROLE to that role and do anything
that role can do, it isn't clear that treating it as a privilege
would stop any privilege escalation attacks.

The CONNECTION LIMIT and VALID UNTIL attributes are also not
considered privileges, but this design choice is debatable.  One
could think of the ability to log in during a given window of time,
or up to a certain number of connections as a privilege, and
allowing such a restricted role to create a new role with unlimited
connections or no expiration as a privilege escalation which escapes
the intended restrictions.  However, it is just as easy to think of
these limitations as being used to guard against badly written
client programs connecting too many times, or connecting at a time
of day that is not intended.  Since it is unclear which design is
better, this commit is conservative and the handling of these
attributes is unchanged relative to prior behavior.

Since the grammar of the CREATE ROLE command allows specifying roles
into which the new role should be enrolled, and also lists of roles
which become members of the newly created role (as admin or not),
the CREATE ROLE command may now fail if the creating role has
insufficient privilege on the roles so listed.  Such failures were
not possible before, since the CREATEROLE privilege was always
sufficient.
---
 doc/src/sgml/ddl.sgml                     |  12 +--
 doc/src/sgml/ref/alter_role.sgml          |  20 ++--
 doc/src/sgml/ref/comment.sgml             |   8 +-
 doc/src/sgml/ref/create_role.sgml         |  26 +++--
 doc/src/sgml/ref/drop_role.sgml           |   3 +-
 doc/src/sgml/ref/dropuser.sgml            |   6 +-
 doc/src/sgml/ref/grant.sgml               |   4 +-
 doc/src/sgml/user-manag.sgml              |  44 +++++----
 src/backend/catalog/aclchk.c              | 111 ++++++++++++++++++++++
 src/backend/commands/user.c               |  60 +++++-------
 src/backend/utils/adt/acl.c               |  21 +---
 src/include/utils/acl.h                   |   5 +
 src/test/regress/expected/create_role.out |  63 +++++-------
 src/test/regress/sql/create_role.sql      |  36 +++----
 14 files changed, 250 insertions(+), 169 deletions(-)

diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 22f6c5c7ab..5596a359e3 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -3132,9 +3132,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
            doesn't preserve that DROP.
 
            A database owner can attack the database's users via "CREATE SCHEMA
-           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;".  A
-           CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the
-           database owner attack. -->
+           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". -->
       <para>
        Constrain ordinary users to user-private schemas.  To implement this,
        first issue <literal>REVOKE CREATE ON SCHEMA public FROM
@@ -3146,9 +3144,8 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        pattern in a database where untrusted users had already logged in,
        consider auditing the public schema for objects named like objects in
        schema <literal>pg_catalog</literal>.  This pattern is a secure schema
-       usage pattern unless an untrusted user is the database owner or holds
-       the <literal>CREATEROLE</literal> privilege, in which case no secure
-       schema usage pattern exists.
+       usage pattern unless an untrusted user is the database owner, in which
+       case no secure schema usage pattern exists.
       </para>
       <para>
        If the database originated in an upgrade
@@ -3170,8 +3167,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        schema <link linkend="typeconv-func">will be unsafe or
        unreliable</link>.  If you create functions or extensions in the public
        schema, use the first pattern instead.  Otherwise, like the first
-       pattern, this is secure unless an untrusted user is the database owner
-       or holds the <literal>CREATEROLE</literal> privilege.
+       pattern, this is secure unless an untrusted user is the database owner.
       </para>
      </listitem>
 
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
index 5aa5648ae7..fc9bea8072 100644
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -70,18 +70,18 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
    <link linkend="sql-revoke"><command>REVOKE</command></link> for that.)
    Attributes not mentioned in the command retain their previous settings.
    Database superusers can change any of these settings for any role.
-   Roles having <literal>CREATEROLE</literal> privilege can change any of these
-   settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
-   and <literal>BYPASSRLS</literal>; but only for non-superuser and
-   non-replication roles.
-   Ordinary roles can only change their own password.
+   Role owners can change any of these settings on roles they directly or
+   indirectly own except <literal>SUPERUSER</literal>,
+   <literal>REPLICATION</literal>, and <literal>BYPASSRLS</literal>; but only
+   for non-superuser and non-replication roles, and only if the role owner does
+   not alter the target role to have a privilege which the role owner itself
+   lacks.  Ordinary roles can only change their own password.
   </para>
 
   <para>
    The second variant changes the name of the role.
    Database superusers can rename any role.
-   Roles having <literal>CREATEROLE</literal> privilege can rename non-superuser
-   roles.
+   Roles can rename non-superuser roles they directly or indirectly own.
    The current session user cannot be renamed.
    (Connect as a different user if you need to do that.)
    Because <literal>MD5</literal>-encrypted passwords use the role name as
@@ -114,9 +114,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
   </para>
 
   <para>
-   Superusers can change anyone's session defaults. Roles having
-   <literal>CREATEROLE</literal> privilege can change defaults for non-superuser
-   roles. Ordinary roles can only set defaults for themselves.
+   Superusers can change anyone's session defaults. Roles may change
+   privilege for non-superuser roles they directly or indirectly own. Ordinary roles can only set
+   defaults for themselves.
    Certain configuration variables cannot be set this way, or can only be
    set if a superuser issues the command.  Only superusers can change a setting
    for all roles in all databases.
diff --git a/doc/src/sgml/ref/comment.sgml b/doc/src/sgml/ref/comment.sgml
index e07fc47fd3..1ba374f3a1 100644
--- a/doc/src/sgml/ref/comment.sgml
+++ b/doc/src/sgml/ref/comment.sgml
@@ -92,12 +92,8 @@ COMMENT ON
 
   <para>
    For most kinds of object, only the object's owner can set the comment.
-   Roles don't have owners, so the rule for <literal>COMMENT ON ROLE</literal> is
-   that you must be superuser to comment on a superuser role, or have the
-   <literal>CREATEROLE</literal> privilege to comment on non-superuser roles.
-   Likewise, access methods don't have owners either; you must be superuser
-   to comment on an access method.
-   Of course, a superuser can comment on anything.
+   Access methods don't have owners; you must be superuser to comment on an
+   access method.  Of course, a superuser can comment on anything.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index b6a4ea1f72..2e73102562 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -107,8 +107,10 @@ in sync when changing the above synopsis!
         <literal>CREATEDB</literal> is specified, the role being
         defined will be allowed to create new databases. Specifying
         <literal>NOCREATEDB</literal> will deny a role the ability to
-        create databases. If not specified,
-        <literal>NOCREATEDB</literal> is the default.
+        create databases. Only roles with the <literal>CREATEDB</literal>
+        attribute may create roles with the <literal>CREATEDB</literal>
+        attribute. If not specified, <literal>NOCREATEDB</literal> is the
+        default.
        </para>
       </listitem>
      </varlistentry>
@@ -120,8 +122,6 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role will be permitted to
         create new roles (that is, execute <command>CREATE ROLE</command>).
-        A role with <literal>CREATEROLE</literal> privilege can also alter
-        and drop other roles.
         If not specified,
         <literal>NOCREATEROLE</literal> is the default.
        </para>
@@ -163,6 +163,8 @@ in sync when changing the above synopsis!
         <literal>NOLOGIN</literal> is the default, except when
         <command>CREATE ROLE</command> is invoked through its alternative spelling
         <link linkend="sql-createuser"><command>CREATE USER</command></link>.
+        You must have the <literal>LOGIN</literal> attribute to create a new role
+        with the <literal>LOGIN</literal> attribute.
        </para>
       </listitem>
      </varlistentry>
@@ -194,8 +196,8 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role bypasses every row-level
         security (RLS) policy.  <literal>NOBYPASSRLS</literal> is the default.
-        You must be a superuser to create a new role having
-        the <literal>BYPASSRLS</literal> attribute.
+        You must have the <literal>BYPASSRLS</literal> attribute to create a
+        new role having the <literal>BYPASSRLS</literal> attribute.
        </para>
 
        <para>
@@ -281,6 +283,10 @@ in sync when changing the above synopsis!
         member.  (Note that there is no option to add the new role as an
         administrator; use a separate <command>GRANT</command> command to do that.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -301,6 +307,10 @@ in sync when changing the above synopsis!
         roles which are automatically added as members of the new role.
         (This in effect makes the new role a <quote>group</quote>.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -313,6 +323,10 @@ in sync when changing the above synopsis!
         OPTION</literal>, giving them the right to grant membership in this role
         to others.
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/drop_role.sgml b/doc/src/sgml/ref/drop_role.sgml
index 13dc1cc649..c3d57ee8db 100644
--- a/doc/src/sgml/ref/drop_role.sgml
+++ b/doc/src/sgml/ref/drop_role.sgml
@@ -31,8 +31,7 @@ DROP ROLE [ IF EXISTS ] <replaceable class="parameter">name</replaceable> [, ...
   <para>
    <command>DROP ROLE</command> removes the specified role(s).
    To drop a superuser role, you must be a superuser yourself;
-   to drop non-superuser roles, you must have <literal>CREATEROLE</literal>
-   privilege.
+   to drop non-superuser roles, you must own the target role.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/dropuser.sgml b/doc/src/sgml/ref/dropuser.sgml
index 81580507e8..30a99eaf68 100644
--- a/doc/src/sgml/ref/dropuser.sgml
+++ b/doc/src/sgml/ref/dropuser.sgml
@@ -35,9 +35,9 @@ PostgreSQL documentation
   <para>
    <application>dropuser</application> removes an existing
    <productname>PostgreSQL</productname> user.
-   Only superusers and users with the <literal>CREATEROLE</literal> privilege can
-   remove <productname>PostgreSQL</productname> users.  (To remove a
-   superuser, you must yourself be a superuser.)
+   A <productname>PostgreSQL</productname> user may only be removed by its
+   owner or by a superuser.  (To remove a superuser, you must yourself be a
+   superuser.)
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index a897712de2..86fc387af2 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -254,8 +254,8 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
    OPTION</literal> on itself, but it may grant or revoke membership in
    itself from a database session where the session user matches the
    role.  Database superusers can grant or revoke membership in any role
-   to anyone.  Roles having <literal>CREATEROLE</literal> privilege can grant
-   or revoke membership in any role that is not a superuser.
+   to anyone.  Roles can revoke membership in any role they own, and 
+   may grant membership in any role they own to any role they own.
   </para>
 
   <para>
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 9067be1d9c..e65b55a004 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -198,9 +198,10 @@ CREATE USER <replaceable>name</replaceable>;
         (except for superusers, since those bypass all permission
         checks). To create such a role, use <literal>CREATE ROLE
         <replaceable>name</replaceable> CREATEROLE</literal>.
-        A role with <literal>CREATEROLE</literal> privilege can alter and drop
-        other roles, too, as well as grant or revoke membership in them.
-        However, to create, alter, drop, or change membership of a
+        A role which creates a new role becomes the new role's owner, able to
+        alter or drop that new role, and sharing ownership of any additional
+        objects (including additional roles) that new role creates.
+        To create, alter, drop, or change membership of a
         superuser role, superuser status is required;
         <literal>CREATEROLE</literal> is insufficient for that.
        </para>
@@ -246,11 +247,14 @@ CREATE USER <replaceable>name</replaceable>;
 
   <tip>
    <para>
-    It is good practice to create a role that has the <literal>CREATEDB</literal>
-    and <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
+    It is good practice to create a role that has the
+    <literal>CREATEDB</literal>, <literal>LOGIN</literal> and
+    <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
     use this role for all routine management of databases and roles.  This
-    approach avoids the dangers of operating as a superuser for tasks that
-    do not really require it.
+    approach avoids the dangers of operating as a superuser for tasks that do
+    not really require it.  This role must also have
+    <literal>REPLICATION</literal> if it will create replication users, and
+    must have <literal>BYPASSRLS</literal> if it will create bypassrls users.
    </para>
   </tip>
 
@@ -387,15 +391,22 @@ RESET ROLE;
 
   <para>
    The role attributes <literal>LOGIN</literal>, <literal>SUPERUSER</literal>,
-   <literal>CREATEDB</literal>, and <literal>CREATEROLE</literal> can be thought of as
-   special privileges, but they are never inherited as ordinary privileges
-   on database objects are.  You must actually <command>SET ROLE</command> to a
-   specific role having one of these attributes in order to make use of
-   the attribute.  Continuing the above example, we might choose to
+   <literal>CREATEDB</literal>, <literal>REPLICATION</literal>,
+   <literal>BYPASSRLS</literal>, and <literal>CREATEROLE</literal> can be
+   thought of as special privileges, but they are never inherited as ordinary
+   privileges on database objects are.  You must actually <command>SET
+   ROLE</command> to a specific role having one of these attributes in order to
+   make use of the attribute.  Continuing the above example, we might choose to
    grant <literal>CREATEDB</literal> and <literal>CREATEROLE</literal> to the
-   <literal>admin</literal> role.  Then a session connecting as role <literal>joe</literal>
-   would not have these privileges immediately, only after doing
-   <command>SET ROLE admin</command>.
+   <literal>admin</literal> role.  Then a session connecting as role
+   <literal>joe</literal> would not have these privileges immediately, only
+   after doing <command>SET ROLE admin</command>.  Roles with these attributes
+   may only be created by roles which themselves have these attributes.
+   Superusers may always do so, but non-superuser roles with
+   <literal>CREATEROLE</literal> may only create new roles with
+   <literal>LOGIN</literal>, <literal>CREATEDB</literal>,
+   <literal>REPLICATION</literal>, or <literal>BYPASSRLS</literal> if they
+   themselves have the same attribute.
   </para>
 
   <para>
@@ -493,8 +504,7 @@ DROP ROLE doomed_role;
   <para>
    <productname>PostgreSQL</productname> provides a set of predefined roles
    that provide access to certain, commonly needed, privileged capabilities
-   and information.  Administrators (including roles that have the
-   <literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
+   and information.  Administrators can <command>GRANT</command> these
    roles to users and/or other roles in their environment, providing those
    users with access to the specified capabilities and information.
   </para>
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 1e0ee503e4..8327005404 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5470,6 +5470,9 @@ has_createrole_privilege(Oid roleid)
 	return result;
 }
 
+/*
+ * Check whether specified role has BYPASSRLS privilege (or is a superuser)
+ */
 bool
 has_bypassrls_privilege(Oid roleid)
 {
@@ -5489,6 +5492,114 @@ has_bypassrls_privilege(Oid roleid)
 	return result;
 }
 
+/*
+ * Check whether specified role has INHERIT privilege (or is a superuser)
+ */
+bool
+has_inherit_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Check whether specified role has CREATEDB privilege (or is a superuser)
+ */
+bool
+has_createdb_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreatedb;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Check whether specified role has LOGIN privilege (or is a superuser)
+ */
+bool
+has_login_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcanlogin;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Check whether specified role has REPLICATION privilege (or is a superuser)
+ */
+bool
+has_replication_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Get the connection limit for the specified role.
+ *
+ * Returns -1 if the role has no connection limit.
+ */
+int32
+role_connection_limit(Oid roleid)
+{
+	int32		result = -1;
+	HeapTuple	utup;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolconnlimit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
 /*
  * Fetch pg_default_acl entry for given role, namespace and object type
  * (object type must be given in pg_default_acl's encoding).
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index cccb24a498..e8fcecc340 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -58,15 +58,6 @@ static void DelRoleMems(const char *rolename, Oid roleid,
 static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
 									Oid newOwnerId);
 
-
-/* Check if current user has createrole privileges */
-static bool
-have_createrole_privilege(void)
-{
-	return has_createrole_privilege(GetUserId());
-}
-
-
 /*
  * CREATE ROLE
  */
@@ -276,24 +267,32 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	}
 	else if (isreplication)
 	{
-		if (!superuser())
+		if (!has_replication_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create replication users")));
+					 errmsg("must have replication privilege to create replication users")));
 	}
 	else if (bypassrls)
 	{
-		if (!superuser())
+		if (!has_bypassrls_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create bypassrls users")));
+					 errmsg("must have bypassrls privilege to create bypassrls users")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to create role")));
+		if (createdb && !has_createdb_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have createdb privilege to create createdb users")));
+		if (canlogin && !has_login_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have login privilege to create login users")));
 	}
 
 	/*
@@ -713,7 +712,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to change bypassrls attribute")));
 	}
-	else if (!have_createrole_privilege())
+	else if (!superuser())
 	{
 		/* We already checked issuper, isreplication, and bypassrls */
 		if (!(inherit < 0 &&
@@ -914,7 +913,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 
 		/*
 		 * To mess with a superuser you gotta be superuser; else you need
-		 * createrole, or just want to change your own settings
+		 * to own the role, or just want to change your own settings
 		 */
 		if (roleform->rolsuper)
 		{
@@ -925,8 +924,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() &&
-				!pg_role_ownercheck(roleid, GetUserId()))
+			if (!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -1039,18 +1037,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_OBJECT_IN_USE),
 					 errmsg("session user cannot be dropped")));
 
-		/*
-		 * For safety's sake, we allow createrole holders to drop ordinary
-		 * roles but not superuser roles.  This is mainly to avoid the
-		 * scenario where you accidentally drop the last superuser.
-		 */
 		if (roleform->rolsuper && !superuser())
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
-		if (!have_createrole_privilege() &&
-			!pg_role_ownercheck(roleid, GetUserId()))
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to drop role")));
@@ -1231,7 +1223,7 @@ RenameRole(const char *oldname, const char *newname)
 				 errmsg("role \"%s\" already exists", newname)));
 
 	/*
-	 * createrole is enough privilege unless you want to mess with a superuser
+	 * role ownership is enough privilege unless you want to mess with a superuser
 	 */
 	if (((Form_pg_authid) GETSTRUCT(oldtuple))->rolsuper)
 	{
@@ -1242,7 +1234,7 @@ RenameRole(const char *oldname, const char *newname)
 	}
 	else
 	{
-		if (!have_createrole_privilege())
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to rename role")));
@@ -1457,7 +1449,7 @@ AddRoleMems(const char *rolename, Oid roleid,
 		return;
 
 	/*
-	 * Check permissions: must have createrole or admin option on the role to
+	 * Check permissions: must be owner or have admin option on the role to
 	 * be changed.  To mess with a superuser role, you gotta be superuser.
 	 */
 	if (superuser_arg(roleid))
@@ -1467,9 +1459,9 @@ AddRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, grantorId) &&
 			!is_admin_of_role(grantorId, roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1645,9 +1637,9 @@ DelRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, GetUserId()) &&
 			!is_admin_of_role(GetUserId(), roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1803,7 +1795,7 @@ AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		 * roles.  Because superusers will always have this right, we need no
 		 * special case for them.
 		 */
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
 						   NameStr(authForm->rolname));
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 97336db058..cdcce9c569 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4656,7 +4656,7 @@ initialize_acl(void)
 		/*
 		 * In normal mode, set a callback on any syscache invalidation of rows
 		 * of pg_auth_members (for roles_is_member_of()), pg_authid (for
-		 * has_rolinherit()), or pg_database (for roles_is_member_of())
+		 * has_inherit_privilege()), or pg_database (for roles_is_member_of())
 		 */
 		CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
 									  RoleMembershipCacheCallback,
@@ -4690,23 +4690,6 @@ RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue)
 }
 
 
-/* Check if specified role has rolinherit set */
-static bool
-has_rolinherit(Oid roleid)
-{
-	bool		result = false;
-	HeapTuple	utup;
-
-	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
-	if (HeapTupleIsValid(utup))
-	{
-		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
-		ReleaseSysCache(utup);
-	}
-	return result;
-}
-
-
 /*
  * Get a list of roles that the specified roleid is a member of
  *
@@ -4776,7 +4759,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 		CatCList   *memlist;
 		int			i;
 
-		if (type == ROLERECURSE_PRIVS && !has_rolinherit(memberid))
+		if (type == ROLERECURSE_PRIVS && !has_inherit_privilege(memberid))
 			continue;			/* ignore non-inheriting roles */
 
 		/* Find roles that memberid is directly a member of */
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 572cae0f27..7a6640dfc9 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -320,5 +320,10 @@ extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
 extern bool pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
+extern bool has_inherit_privilege(Oid roleid);
+extern bool has_createdb_privilege(Oid roleid);
+extern bool has_login_privilege(Oid roleid);
+extern bool has_replication_privilege(Oid roleid);
+extern int32 role_connection_limit(Oid roleid);
 
 #endif							/* ACL_H */
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 2c42c8ad8d..26d2ef43d9 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -6,22 +6,16 @@ GRANT CREATE ON DATABASE regression TO regress_role_admin;
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
 ERROR:  must be superuser to create superusers
+-- ok, can assign privileges the creator has
 CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
-ERROR:  must be superuser to create replication users
 CREATE ROLE regress_nosuch_replication REPLICATION;
-ERROR:  must be superuser to create replication users
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
-ERROR:  must be superuser to create bypassrls users
 -- fail, only superusers can own superusers
 RESET SESSION AUTHORIZATION;
 CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
 ERROR:  must be superuser to own superusers
 -- ok, superuser can create superusers belonging to other superusers
 CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_super SUPERUSER;
--- ok, superuser can create users with these privileges for normal role
-CREATE ROLE regress_nosuch_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
-CREATE ROLE regress_nosuch_replication AUTHORIZATION regress_role_admin REPLICATION;
-CREATE ROLE regress_nosuch_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
 \du+ regress_nosuch_superuser
                                            List of roles
         Role name         |       Owner        |       Attributes        | Member of | Description 
@@ -53,7 +47,10 @@ ERROR:  role may not own itself
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_login LOGIN;
+ERROR:  must have login privilege to create login users
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
 CREATE ROLE regress_encrypted_password PASSWORD NULL;
@@ -73,12 +70,6 @@ COMMENT ON ROLE regress_password_null IS 'no login test role';
 --------------------+--------------------+---------------------------+-----------+-------------
  regress_createrole | regress_role_admin | Create role, Cannot login | {}        | 
 
-\du+ regress_login
-                               List of roles
-   Role name   |       Owner        | Attributes | Member of | Description 
----------------+--------------------+------------+-----------+-------------
- regress_login | regress_role_admin |            | {}        | 
-
 \du+ regress_inherit
                                  List of roles
     Role name    |       Owner        |  Attributes  | Member of | Description 
@@ -111,19 +102,19 @@ NOTICE:  SYSID can no longer be specified
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
 ERROR:  must be superuser to alter superusers
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
-ERROR:  role "pg_database_owner" cannot have explicit members
+ERROR:  must have admin option on role "pg_database_owner"
 -- ok, can grant other users into a role
 CREATE ROLE regress_inroles ROLE
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 -- fail, cannot grant a role into itself
 CREATE ROLE regress_nosuch_recursive ROLE regress_nosuch_recursive;
 ERROR:  role "regress_nosuch_recursive" is a member of role "regress_nosuch_recursive"
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_adminroles ADMIN
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 -- fail, cannot grant a role into itself with admin option
 CREATE ROLE regress_nosuch_admin_recursive ADMIN regress_nosuch_admin_recursive;
@@ -136,8 +127,11 @@ ERROR:  permission denied to create database
 CREATE ROLE regress_plainrole;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_rolecreator CREATEROLE;
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_tenant CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+ERROR:  must have createdb privilege to create createdb users
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_tenant CREATEROLE INHERIT CONNECTION LIMIT 5;
 -- ok, regress_tenant can create objects within the database
 SET SESSION AUTHORIZATION regress_tenant;
 CREATE TABLE tenant_table (i integer);
@@ -156,17 +150,27 @@ ERROR:  must be member of role "regress_role_admin"
 DROP VIEW tenant_view;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
+ERROR:  must have admin option on role "pg_read_all_data"
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
+ERROR:  must have admin option on role "pg_write_all_data"
 CREATE ROLE regress_monitor IN ROLE pg_monitor;
+ERROR:  must have admin option on role "pg_monitor"
 CREATE ROLE regress_read_all_settings IN ROLE pg_read_all_settings;
+ERROR:  must have admin option on role "pg_read_all_settings"
 CREATE ROLE regress_read_all_stats IN ROLE pg_read_all_stats;
+ERROR:  must have admin option on role "pg_read_all_stats"
 CREATE ROLE regress_stat_scan_tables IN ROLE pg_stat_scan_tables;
+ERROR:  must have admin option on role "pg_stat_scan_tables"
 CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
+ERROR:  must have admin option on role "pg_read_server_files"
 CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
+ERROR:  must have admin option on role "pg_write_server_files"
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
+ERROR:  must have admin option on role "pg_execute_server_program"
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
+ERROR:  must have admin option on role "pg_signal_backend"
 -- fail, cannot create ownership cycles
 RESET SESSION AUTHORIZATION;
 REASSIGN OWNED BY regress_role_admin TO regress_tenant;
@@ -191,19 +195,8 @@ DROP ROLE regress_createrole;
 ERROR:  role "regress_createrole" cannot be dropped because some objects depend on it
 DETAIL:  owner of role regress_rolecreator
 owner of role regress_tenant
-owner of role regress_read_all_data
-owner of role regress_write_all_data
-owner of role regress_monitor
-owner of role regress_read_all_settings
-owner of role regress_read_all_stats
-owner of role regress_stat_scan_tables
-owner of role regress_read_server_files
-owner of role regress_write_server_files
-owner of role regress_execute_server_program
-owner of role regress_signal_backend
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_createdb;
-DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
 DROP ROLE regress_encrypted_password;
@@ -213,16 +206,6 @@ DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
 DROP ROLE regress_tenant;
-DROP ROLE regress_read_all_data;
-DROP ROLE regress_write_all_data;
-DROP ROLE regress_monitor;
-DROP ROLE regress_read_all_settings;
-DROP ROLE regress_read_all_stats;
-DROP ROLE regress_stat_scan_tables;
-DROP ROLE regress_read_server_files;
-DROP ROLE regress_write_server_files;
-DROP ROLE regress_execute_server_program;
-DROP ROLE regress_signal_backend;
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 00e63b7d93..c484d77aa7 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -6,6 +6,8 @@ GRANT CREATE ON DATABASE regression TO regress_role_admin;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
+
+-- ok, can assign privileges the creator has
 CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
 CREATE ROLE regress_nosuch_replication REPLICATION;
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
@@ -17,11 +19,6 @@ CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
 -- ok, superuser can create superusers belonging to other superusers
 CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_super SUPERUSER;
 
--- ok, superuser can create users with these privileges for normal role
-CREATE ROLE regress_nosuch_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
-CREATE ROLE regress_nosuch_replication AUTHORIZATION regress_role_admin REPLICATION;
-CREATE ROLE regress_nosuch_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
-
 \du+ regress_nosuch_superuser
 \du+ regress_nosuch_replication_bypassrls
 \du+ regress_nosuch_replication
@@ -34,7 +31,11 @@ ALTER ROLE regress_nosuch_bypassrls OWNER TO regress_nosuch_bypassrls;
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
+
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_login LOGIN;
+
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
 CREATE ROLE regress_encrypted_password PASSWORD NULL;
@@ -45,7 +46,6 @@ COMMENT ON ROLE regress_password_null IS 'no login test role';
 
 \du+ regress_createdb
 \du+ regress_createrole
-\du+ regress_login
 \du+ regress_inherit
 \du+ regress_connection_limit
 \du+ regress_encrypted_password
@@ -57,12 +57,12 @@ CREATE ROLE regress_noiseword SYSID 12345;
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
 
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
 
 -- ok, can grant other users into a role
 CREATE ROLE regress_inroles ROLE
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 
 -- fail, cannot grant a role into itself
@@ -70,7 +70,7 @@ CREATE ROLE regress_nosuch_recursive ROLE regress_nosuch_recursive;
 
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_adminroles ADMIN
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 
 -- fail, cannot grant a role into itself with admin option
@@ -86,9 +86,12 @@ CREATE ROLE regress_plainrole;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_rolecreator CREATEROLE;
 
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_tenant CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
 
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_tenant CREATEROLE INHERIT CONNECTION LIMIT 5;
+
 -- ok, regress_tenant can create objects within the database
 SET SESSION AUTHORIZATION regress_tenant;
 CREATE TABLE tenant_table (i integer);
@@ -111,7 +114,7 @@ DROP VIEW tenant_view;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
 
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
 CREATE ROLE regress_monitor IN ROLE pg_monitor;
@@ -149,7 +152,6 @@ DROP ROLE regress_createrole;
 
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_createdb;
-DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
 DROP ROLE regress_encrypted_password;
@@ -159,16 +161,6 @@ DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
 DROP ROLE regress_tenant;
-DROP ROLE regress_read_all_data;
-DROP ROLE regress_write_all_data;
-DROP ROLE regress_monitor;
-DROP ROLE regress_read_all_settings;
-DROP ROLE regress_read_all_stats;
-DROP ROLE regress_stat_scan_tables;
-DROP ROLE regress_read_server_files;
-DROP ROLE regress_write_server_files;
-DROP ROLE regress_execute_server_program;
-DROP ROLE regress_signal_backend;
 
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
-- 
2.21.1 (Apple Git-122.3)

From 78b024b5817e337ec1bedc608af36ad92e615113 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 11 Jan 2022 10:26:05 -0800
Subject: [PATCH v5 5/5] Remove grantor field from pg_auth_members

The "grantor" field of pg_auth_members is unused and, more to the
point, unreliable.  The system does not avoid dangling references
from the grantor field to dropped roles in pg_authid.  This creates
the risk that, if an oid is reused for a new role, the grantor field
may point to a role other than the one that performed the grant.

We could fix the bug, but there is no clear solution to the problem
that existing installations may have broken data.  Since the field
is not used for any purpose, removing it seems the best option.
---
 src/backend/commands/user.c            | 17 -----------------
 src/bin/pg_dump/pg_dumpall.c           | 17 ++---------------
 src/include/catalog/pg_auth_members.h  |  1 -
 src/test/regress/expected/oidjoins.out |  1 -
 4 files changed, 2 insertions(+), 34 deletions(-)

diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index e8fcecc340..2540963d8a 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -1481,21 +1481,6 @@ AddRoleMems(const char *rolename, Oid roleid,
 		ereport(ERROR,
 				errmsg("role \"%s\" cannot have explicit members", rolename));
 
-	/*
-	 * The role membership grantor of record has little significance at
-	 * present.  Nonetheless, inasmuch as users might look to it for a crude
-	 * audit trail, let only superusers impute the grant to a third party.
-	 *
-	 * Before lifting this restriction, give the member == role case of
-	 * is_admin_of_role() a fresh look.  Ensure that the current role cannot
-	 * use an explicit grantor specification to take advantage of the session
-	 * user's self-admin right.
-	 */
-	if (grantorId != GetUserId() && !superuser())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("must be superuser to set grantor")));
-
 	pg_authmem_rel = table_open(AuthMemRelationId, RowExclusiveLock);
 	pg_authmem_dsc = RelationGetDescr(pg_authmem_rel);
 
@@ -1571,12 +1556,10 @@ AddRoleMems(const char *rolename, Oid roleid,
 
 		new_record[Anum_pg_auth_members_roleid - 1] = ObjectIdGetDatum(roleid);
 		new_record[Anum_pg_auth_members_member - 1] = ObjectIdGetDatum(memberid);
-		new_record[Anum_pg_auth_members_grantor - 1] = ObjectIdGetDatum(grantorId);
 		new_record[Anum_pg_auth_members_admin_option - 1] = BoolGetDatum(admin_opt);
 
 		if (HeapTupleIsValid(authmem_tuple))
 		{
-			new_record_repl[Anum_pg_auth_members_grantor - 1] = true;
 			new_record_repl[Anum_pg_auth_members_admin_option - 1] = true;
 			tuple = heap_modify_tuple(authmem_tuple, pg_authmem_dsc,
 									  new_record,
diff --git a/src/bin/pg_dump/pg_dumpall.c b/src/bin/pg_dump/pg_dumpall.c
index 868f15ed37..fdcbdc2851 100644
--- a/src/bin/pg_dump/pg_dumpall.c
+++ b/src/bin/pg_dump/pg_dumpall.c
@@ -940,14 +940,12 @@ dumpRoleMembership(PGconn *conn)
 
 	printfPQExpBuffer(buf, "SELECT ur.rolname AS roleid, "
 					  "um.rolname AS member, "
-					  "a.admin_option, "
-					  "ug.rolname AS grantor "
+					  "a.admin_option "
 					  "FROM pg_auth_members a "
 					  "LEFT JOIN %s ur on ur.oid = a.roleid "
 					  "LEFT JOIN %s um on um.oid = a.member "
-					  "LEFT JOIN %s ug on ug.oid = a.grantor "
 					  "WHERE NOT (ur.rolname ~ '^pg_' AND um.rolname ~ '^pg_')"
-					  "ORDER BY 1,2,3", role_catalog, role_catalog, role_catalog);
+					  "ORDER BY 1,2,3", role_catalog, role_catalog);
 	res = executeQuery(conn, buf->data);
 
 	if (PQntuples(res) > 0)
@@ -963,17 +961,6 @@ dumpRoleMembership(PGconn *conn)
 		fprintf(OPF, " TO %s", fmtId(member));
 		if (*option == 't')
 			fprintf(OPF, " WITH ADMIN OPTION");
-
-		/*
-		 * We don't track the grantor very carefully in the backend, so cope
-		 * with the possibility that it has been dropped.
-		 */
-		if (!PQgetisnull(res, i, 3))
-		{
-			char	   *grantor = PQgetvalue(res, i, 3);
-
-			fprintf(OPF, " GRANTED BY %s", fmtId(grantor));
-		}
 		fprintf(OPF, ";\n");
 	}
 
diff --git a/src/include/catalog/pg_auth_members.h b/src/include/catalog/pg_auth_members.h
index 1bc027f133..c873201688 100644
--- a/src/include/catalog/pg_auth_members.h
+++ b/src/include/catalog/pg_auth_members.h
@@ -31,7 +31,6 @@ CATALOG(pg_auth_members,1261,AuthMemRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_
 {
 	Oid			roleid BKI_LOOKUP(pg_authid);	/* ID of a role */
 	Oid			member BKI_LOOKUP(pg_authid);	/* ID of a member of that role */
-	Oid			grantor BKI_LOOKUP(pg_authid);	/* who granted the membership */
 	bool		admin_option;	/* granted with admin option? */
 } FormData_pg_auth_members;
 
diff --git a/src/test/regress/expected/oidjoins.out b/src/test/regress/expected/oidjoins.out
index 266a30a85b..a6a73df7ff 100644
--- a/src/test/regress/expected/oidjoins.out
+++ b/src/test/regress/expected/oidjoins.out
@@ -197,7 +197,6 @@ NOTICE:  checking pg_tablespace {spcowner} => pg_authid {oid}
 NOTICE:  checking pg_authid {rolowner} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {roleid} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {member} => pg_authid {oid}
-NOTICE:  checking pg_auth_members {grantor} => pg_authid {oid}
 NOTICE:  checking pg_shdepend {dbid} => pg_database {oid}
 NOTICE:  checking pg_shdepend {classid} => pg_class {oid}
 NOTICE:  checking pg_shdepend {refclassid} => pg_class {oid}
-- 
2.21.1 (Apple Git-122.3)

From 6cd7df4189dfca42a09e04beecc532962bf3e562 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 11 Jan 2022 11:14:23 -0800
Subject: [PATCH v6 1/5] Add tests of the CREATEROLE attribute.

While developing alternate rules for what privileges CREATEROLE has,
I noticed that none of the changes to how CREATEROLE works triggered
any regression test failures.  This is problematic for two reasons.
It means the existing code has insufficient test coverage, and it
means that unintended changes introduced by subsequent patches may
go unnoticed.  Fix that.
---
 src/test/regress/expected/create_role.out | 145 ++++++++++++++++++++++
 src/test/regress/parallel_schedule        |   2 +-
 src/test/regress/sql/create_role.sql      | 138 ++++++++++++++++++++
 3 files changed, 284 insertions(+), 1 deletion(-)
 create mode 100644 src/test/regress/expected/create_role.out
 create mode 100644 src/test/regress/sql/create_role.sql

diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
new file mode 100644
index 0000000000..4e67d72760
--- /dev/null
+++ b/src/test/regress/expected/create_role.out
@@ -0,0 +1,145 @@
+-- ok, superuser can create users with any set of privileges
+CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+-- fail, only superusers can create users with these privileges
+SET SESSION AUTHORIZATION regress_role_admin;
+CREATE ROLE regress_nosuch_superuser SUPERUSER;
+ERROR:  must be superuser to create superusers
+CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
+ERROR:  must be superuser to create replication users
+CREATE ROLE regress_nosuch_replication REPLICATION;
+ERROR:  must be superuser to create replication users
+CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
+ERROR:  must be superuser to create bypassrls users
+-- ok, having CREATEROLE is enough to create users with these privileges
+CREATE ROLE regress_createdb CREATEDB;
+CREATE ROLE regress_createrole CREATEROLE;
+CREATE ROLE regress_login LOGIN;
+CREATE ROLE regress_inherit INHERIT;
+CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
+CREATE ROLE regress_encrypted_password ENCRYPTED PASSWORD 'foo';
+CREATE ROLE regress_password_null PASSWORD NULL;
+-- ok, backwards compatible noise words should be ignored
+CREATE ROLE regress_noiseword SYSID 12345;
+NOTICE:  SYSID can no longer be specified
+-- fail, cannot grant membership in superuser role
+CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
+ERROR:  must be superuser to alter superusers
+-- fail, database owner cannot have members
+CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
+ERROR:  role "pg_database_owner" cannot have explicit members
+-- ok, can grant other users into a role
+CREATE ROLE regress_inroles ROLE
+	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
+-- fail, cannot grant a role into itself
+CREATE ROLE regress_nosuch_recursive ROLE regress_nosuch_recursive;
+ERROR:  role "regress_nosuch_recursive" is a member of role "regress_nosuch_recursive"
+-- ok, can grant other users into a role with admin option
+CREATE ROLE regress_adminroles ADMIN
+	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
+-- fail, cannot grant a role into itself with admin option
+CREATE ROLE regress_nosuch_admin_recursive ADMIN regress_nosuch_admin_recursive;
+ERROR:  role "regress_nosuch_admin_recursive" is a member of role "regress_nosuch_admin_recursive"
+-- fail, regress_createrole does not have CREATEDB privilege
+SET SESSION AUTHORIZATION regress_createrole;
+CREATE DATABASE regress_nosuch_db;
+ERROR:  permission denied to create database
+-- ok, regress_createrole can create new roles
+CREATE ROLE regress_plainrole;
+-- ok, roles with CREATEROLE can create new roles with it
+CREATE ROLE regress_rolecreator CREATEROLE;
+-- ok, roles with CREATEROLE can create new roles with privilege they lack
+CREATE ROLE regress_tenant CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+-- ok, regress_tenant can create objects within the database
+SET SESSION AUTHORIZATION regress_tenant;
+CREATE TABLE tenant_table (i integer);
+CREATE INDEX tenant_idx ON tenant_table(i);
+CREATE VIEW tenant_view AS SELECT * FROM pg_catalog.pg_class;
+REVOKE ALL PRIVILEGES ON tenant_table FROM PUBLIC;
+-- fail, these objects belonging to regress_tenant
+SET SESSION AUTHORIZATION regress_createrole;
+DROP INDEX tenant_idx;
+ERROR:  must be owner of index tenant_idx
+ALTER TABLE tenant_table ADD COLUMN t text;
+ERROR:  must be owner of table tenant_table
+DROP TABLE tenant_table;
+ERROR:  must be owner of table tenant_table
+ALTER VIEW tenant_view OWNER TO regress_role_admin;
+ERROR:  must be owner of view tenant_view
+DROP VIEW tenant_view;
+ERROR:  must be owner of view tenant_view
+-- fail, cannot take ownership of these objects from regress_tenant
+REASSIGN OWNED BY regress_tenant TO regress_createrole;
+ERROR:  permission denied to reassign objects
+-- ok, having CREATEROLE is enough to create roles in privileged roles
+CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
+CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
+CREATE ROLE regress_monitor IN ROLE pg_monitor;
+CREATE ROLE regress_read_all_settings IN ROLE pg_read_all_settings;
+CREATE ROLE regress_read_all_stats IN ROLE pg_read_all_stats;
+CREATE ROLE regress_stat_scan_tables IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
+CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
+CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
+CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
+-- fail, creation of these roles failed above so they do not now exist
+SET SESSION AUTHORIZATION regress_role_admin;
+DROP ROLE regress_nosuch_superuser;
+ERROR:  role "regress_nosuch_superuser" does not exist
+DROP ROLE regress_nosuch_replication_bypassrls;
+ERROR:  role "regress_nosuch_replication_bypassrls" does not exist
+DROP ROLE regress_nosuch_replication;
+ERROR:  role "regress_nosuch_replication" does not exist
+DROP ROLE regress_nosuch_bypassrls;
+ERROR:  role "regress_nosuch_bypassrls" does not exist
+DROP ROLE regress_nosuch_super;
+ERROR:  role "regress_nosuch_super" does not exist
+DROP ROLE regress_nosuch_dbowner;
+ERROR:  role "regress_nosuch_dbowner" does not exist
+DROP ROLE regress_nosuch_recursive;
+ERROR:  role "regress_nosuch_recursive" does not exist
+DROP ROLE regress_nosuch_admin_recursive;
+ERROR:  role "regress_nosuch_admin_recursive" does not exist
+DROP ROLE regress_plainrole;
+-- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_createdb;
+DROP ROLE regress_createrole;
+DROP ROLE regress_login;
+DROP ROLE regress_inherit;
+DROP ROLE regress_connection_limit;
+DROP ROLE regress_encrypted_password;
+DROP ROLE regress_password_null;
+DROP ROLE regress_noiseword;
+DROP ROLE regress_inroles;
+DROP ROLE regress_adminroles;
+DROP ROLE regress_rolecreator;
+DROP ROLE regress_read_all_data;
+DROP ROLE regress_write_all_data;
+DROP ROLE regress_monitor;
+DROP ROLE regress_read_all_settings;
+DROP ROLE regress_read_all_stats;
+DROP ROLE regress_stat_scan_tables;
+DROP ROLE regress_read_server_files;
+DROP ROLE regress_write_server_files;
+DROP ROLE regress_execute_server_program;
+DROP ROLE regress_signal_backend;
+-- fail, role still owns database objects
+DROP ROLE regress_tenant;
+ERROR:  role "regress_tenant" cannot be dropped because some objects depend on it
+DETAIL:  owner of table tenant_table
+owner of view tenant_view
+-- fail, cannot drop ourself nor superusers
+DROP ROLE regress_role_super;
+ERROR:  must be superuser to drop superusers
+DROP ROLE regress_role_admin;
+ERROR:  current user cannot be dropped
+-- ok
+RESET SESSION AUTHORIZATION;
+DROP INDEX tenant_idx;
+DROP TABLE tenant_table;
+DROP VIEW tenant_view;
+DROP ROLE regress_tenant;
+DROP ROLE regress_role_admin;
+DROP ROLE regress_role_super;
diff --git a/src/test/regress/parallel_schedule b/src/test/regress/parallel_schedule
index 5b0c73d7e3..861c30a73a 100644
--- a/src/test/regress/parallel_schedule
+++ b/src/test/regress/parallel_schedule
@@ -89,7 +89,7 @@ test: brin_bloom brin_multi
 # ----------
 # Another group of parallel tests
 # ----------
-test: create_table_like alter_generic alter_operator misc async dbsize misc_functions sysviews tsrf tid tidscan tidrangescan collate.icu.utf8 incremental_sort
+test: create_table_like alter_generic alter_operator misc async dbsize misc_functions sysviews tsrf tid tidscan tidrangescan collate.icu.utf8 incremental_sort create_role
 
 # rules cannot run concurrently with any test that creates
 # a view or rule in the public schema
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
new file mode 100644
index 0000000000..292dc08797
--- /dev/null
+++ b/src/test/regress/sql/create_role.sql
@@ -0,0 +1,138 @@
+-- ok, superuser can create users with any set of privileges
+CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+
+-- fail, only superusers can create users with these privileges
+SET SESSION AUTHORIZATION regress_role_admin;
+CREATE ROLE regress_nosuch_superuser SUPERUSER;
+CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
+CREATE ROLE regress_nosuch_replication REPLICATION;
+CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
+
+-- ok, having CREATEROLE is enough to create users with these privileges
+CREATE ROLE regress_createdb CREATEDB;
+CREATE ROLE regress_createrole CREATEROLE;
+CREATE ROLE regress_login LOGIN;
+CREATE ROLE regress_inherit INHERIT;
+CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
+CREATE ROLE regress_encrypted_password ENCRYPTED PASSWORD 'foo';
+CREATE ROLE regress_password_null PASSWORD NULL;
+
+-- ok, backwards compatible noise words should be ignored
+CREATE ROLE regress_noiseword SYSID 12345;
+
+-- fail, cannot grant membership in superuser role
+CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
+
+-- fail, database owner cannot have members
+CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
+
+-- ok, can grant other users into a role
+CREATE ROLE regress_inroles ROLE
+	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
+
+-- fail, cannot grant a role into itself
+CREATE ROLE regress_nosuch_recursive ROLE regress_nosuch_recursive;
+
+-- ok, can grant other users into a role with admin option
+CREATE ROLE regress_adminroles ADMIN
+	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
+
+-- fail, cannot grant a role into itself with admin option
+CREATE ROLE regress_nosuch_admin_recursive ADMIN regress_nosuch_admin_recursive;
+
+-- fail, regress_createrole does not have CREATEDB privilege
+SET SESSION AUTHORIZATION regress_createrole;
+CREATE DATABASE regress_nosuch_db;
+
+-- ok, regress_createrole can create new roles
+CREATE ROLE regress_plainrole;
+
+-- ok, roles with CREATEROLE can create new roles with it
+CREATE ROLE regress_rolecreator CREATEROLE;
+
+-- ok, roles with CREATEROLE can create new roles with privilege they lack
+CREATE ROLE regress_tenant CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+
+-- ok, regress_tenant can create objects within the database
+SET SESSION AUTHORIZATION regress_tenant;
+CREATE TABLE tenant_table (i integer);
+CREATE INDEX tenant_idx ON tenant_table(i);
+CREATE VIEW tenant_view AS SELECT * FROM pg_catalog.pg_class;
+REVOKE ALL PRIVILEGES ON tenant_table FROM PUBLIC;
+
+-- fail, these objects belonging to regress_tenant
+SET SESSION AUTHORIZATION regress_createrole;
+DROP INDEX tenant_idx;
+ALTER TABLE tenant_table ADD COLUMN t text;
+DROP TABLE tenant_table;
+ALTER VIEW tenant_view OWNER TO regress_role_admin;
+DROP VIEW tenant_view;
+
+-- fail, cannot take ownership of these objects from regress_tenant
+REASSIGN OWNED BY regress_tenant TO regress_createrole;
+
+-- ok, having CREATEROLE is enough to create roles in privileged roles
+CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
+CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
+CREATE ROLE regress_monitor IN ROLE pg_monitor;
+CREATE ROLE regress_read_all_settings IN ROLE pg_read_all_settings;
+CREATE ROLE regress_read_all_stats IN ROLE pg_read_all_stats;
+CREATE ROLE regress_stat_scan_tables IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
+CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
+CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
+CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
+
+-- fail, creation of these roles failed above so they do not now exist
+SET SESSION AUTHORIZATION regress_role_admin;
+DROP ROLE regress_nosuch_superuser;
+DROP ROLE regress_nosuch_replication_bypassrls;
+DROP ROLE regress_nosuch_replication;
+DROP ROLE regress_nosuch_bypassrls;
+DROP ROLE regress_nosuch_super;
+DROP ROLE regress_nosuch_dbowner;
+DROP ROLE regress_nosuch_recursive;
+DROP ROLE regress_nosuch_admin_recursive;
+DROP ROLE regress_plainrole;
+
+-- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_createdb;
+DROP ROLE regress_createrole;
+DROP ROLE regress_login;
+DROP ROLE regress_inherit;
+DROP ROLE regress_connection_limit;
+DROP ROLE regress_encrypted_password;
+DROP ROLE regress_password_null;
+DROP ROLE regress_noiseword;
+DROP ROLE regress_inroles;
+DROP ROLE regress_adminroles;
+DROP ROLE regress_rolecreator;
+DROP ROLE regress_read_all_data;
+DROP ROLE regress_write_all_data;
+DROP ROLE regress_monitor;
+DROP ROLE regress_read_all_settings;
+DROP ROLE regress_read_all_stats;
+DROP ROLE regress_stat_scan_tables;
+DROP ROLE regress_read_server_files;
+DROP ROLE regress_write_server_files;
+DROP ROLE regress_execute_server_program;
+DROP ROLE regress_signal_backend;
+
+-- fail, role still owns database objects
+DROP ROLE regress_tenant;
+
+-- fail, cannot drop ourself nor superusers
+DROP ROLE regress_role_super;
+DROP ROLE regress_role_admin;
+
+-- ok
+RESET SESSION AUTHORIZATION;
+DROP INDEX tenant_idx;
+DROP TABLE tenant_table;
+DROP VIEW tenant_view;
+DROP ROLE regress_tenant;
+DROP ROLE regress_role_admin;
+DROP ROLE regress_role_super;
-- 
2.21.1 (Apple Git-122.3)

From 499d7d5e41c9b3abc6b8d492e207b1e585a388f5 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 11 Jan 2022 11:15:02 -0800
Subject: [PATCH v6 2/5] Add owners to roles

All roles now have owners.  By default, roles belong to the role
that created them, and initdb-time roles are owned by POSTGRES.

This is a preparatory patch for changing how CREATEROLE works.
---
 src/backend/catalog/aclchk.c                  |  59 ++++++-
 src/backend/catalog/pg_shdepend.c             |   5 +
 src/backend/catalog/system_views.sql          |   1 +
 src/backend/commands/alter.c                  |   3 +
 src/backend/commands/user.c                   | 148 +++++++++++++++++-
 src/backend/nodes/copyfuncs.c                 |   1 +
 src/backend/nodes/equalfuncs.c                |   1 +
 src/backend/parser/gram.y                     |  23 +++
 src/bin/psql/describe.c                       |  12 ++
 src/include/catalog/pg_authid.h               |   1 +
 src/include/commands/user.h                   |   2 +
 src/include/nodes/parsenodes.h                |   1 +
 src/include/utils/acl.h                       |   1 +
 .../unsafe_tests/expected/rolenames.out       |   6 +-
 .../modules/unsafe_tests/sql/rolenames.sql    |   3 +-
 src/test/regress/expected/create_role.out     | 136 ++++++++++++++--
 src/test/regress/expected/oidjoins.out        |   1 +
 src/test/regress/expected/privileges.out      |   9 +-
 src/test/regress/expected/rules.out           |   1 +
 src/test/regress/sql/create_role.sql          |  67 +++++++-
 src/test/regress/sql/privileges.sql           |  10 +-
 21 files changed, 470 insertions(+), 21 deletions(-)

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 1dd03a8e51..e5c7324340 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -3385,6 +3385,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("permission denied for publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("permission denied for role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("permission denied for routine %s");
 						break;
@@ -3429,7 +3432,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_RULE:
 					case OBJECT_TABCONSTRAINT:
 					case OBJECT_TRANSFORM:
@@ -3511,6 +3513,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("must be owner of publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("must be owner of role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("must be owner of routine %s");
 						break;
@@ -3569,7 +3574,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_TRANSFORM:
 					case OBJECT_TSPARSER:
 					case OBJECT_TSTEMPLATE:
@@ -5430,6 +5434,57 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 	return has_privs_of_role(roleid, ownerId);
 }
 
+/*
+ * Ownership check for a role (specified by OID)
+ */
+bool
+pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid)
+{
+	HeapTuple		tuple;
+	Form_pg_authid	authform;
+	Oid				owner_oid;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(owner_roleid))
+		return true;
+
+	/* Otherwise, look up the owner of the role */
+	tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(owned_role_oid));
+	if (!HeapTupleIsValid(tuple))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role with OID %u does not exist",
+						owned_role_oid)));
+	authform = (Form_pg_authid) GETSTRUCT(tuple);
+	owner_oid = authform->rolowner;
+
+	/*
+	 * Roles must necessarily have owners.  Even the bootstrap user has an
+	 * owner.  (It owns itself).  Other roles must form a proper tree.
+	 */
+	if (!OidIsValid(owner_oid))
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u has invalid owner",
+						authform->rolname.data, authform->oid)));
+	if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+		authform->rolowner == authform->oid)
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u owns itself",
+						authform->rolname.data, authform->oid)));
+	if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+		authform->rolowner != BOOTSTRAP_SUPERUSERID)
+		ereport(ERROR,
+				(errcode(ERRCODE_DATA_CORRUPTED),
+				 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+						authform->rolname.data, authform->oid,
+						authform->rolowner)));
+	ReleaseSysCache(tuple);
+
+	return (owner_oid == owner_roleid);
+}
+
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
  *
diff --git a/src/backend/catalog/pg_shdepend.c b/src/backend/catalog/pg_shdepend.c
index 3e8fa008b9..52f69ad76e 100644
--- a/src/backend/catalog/pg_shdepend.c
+++ b/src/backend/catalog/pg_shdepend.c
@@ -61,6 +61,7 @@
 #include "commands/tablecmds.h"
 #include "commands/tablespace.h"
 #include "commands/typecmds.h"
+#include "commands/user.h"
 #include "miscadmin.h"
 #include "storage/lmgr.h"
 #include "utils/acl.h"
@@ -1578,6 +1579,10 @@ shdepReassignOwned(List *roleids, Oid newrole)
 					AlterSubscriptionOwner_oid(sdepForm->objid, newrole);
 					break;
 
+				case AuthIdRelationId:
+					AlterRoleOwner_oid(sdepForm->objid, newrole);
+					break;
+
 					/* Generic alter owner cases */
 				case CollationRelationId:
 				case ConversionRelationId:
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index 3cb69b1f87..057d17460b 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -17,6 +17,7 @@
 CREATE VIEW pg_roles AS
     SELECT
         rolname,
+        pg_get_userbyid(rolowner) AS rolowner,
         rolsuper,
         rolinherit,
         rolcreaterole,
diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
index 1f64c8aa51..e6c7c84c87 100644
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@@ -840,6 +840,9 @@ ExecAlterOwnerStmt(AlterOwnerStmt *stmt)
 		case OBJECT_DATABASE:
 			return AlterDatabaseOwner(strVal(stmt->object), newowner);
 
+		case OBJECT_ROLE:
+			return AlterRoleOwner(strVal(stmt->object), newowner);
+
 		case OBJECT_SCHEMA:
 			return AlterSchemaOwner(strVal(stmt->object), newowner);
 
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index f9d3c1246b..3903791ff0 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -55,6 +55,8 @@ static void AddRoleMems(const char *rolename, Oid roleid,
 static void DelRoleMems(const char *rolename, Oid roleid,
 						List *memberSpecs, List *memberIds,
 						bool admin_opt);
+static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
+									Oid newOwnerId);
 
 
 /* Check if current user has createrole privileges */
@@ -77,6 +79,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	Datum		new_record[Natts_pg_authid];
 	bool		new_record_nulls[Natts_pg_authid];
 	Oid			roleid;
+	Oid			owner_uid;
+	Oid			saved_uid;
+	int			save_sec_context;
 	ListCell   *item;
 	ListCell   *option;
 	char	   *password = NULL;	/* user password */
@@ -108,6 +113,16 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	DefElem    *dvalidUntil = NULL;
 	DefElem    *dbypassRLS = NULL;
 
+	GetUserIdAndSecContext(&saved_uid, &save_sec_context);
+
+	/*
+	 * Who is supposed to own the new role?
+	 */
+	if (stmt->authrole)
+		owner_uid = get_rolespec_oid(stmt->authrole, false);
+	else
+		owner_uid = saved_uid;
+
 	/* The defaults can vary depending on the original statement type */
 	switch (stmt->stmt_type)
 	{
@@ -254,6 +269,10 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to create superusers")));
+		if (!superuser_arg(owner_uid))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must be superuser to own superusers")));
 	}
 	else if (isreplication)
 	{
@@ -310,6 +329,19 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 				 errmsg("role \"%s\" already exists",
 						stmt->role)));
 
+	/*
+	 * If the requested authorization is different from the current user,
+	 * temporarily set the current user so that the object(s) will be created
+	 * with the correct ownership.
+	 *
+	 * (The setting will be restored at the end of this routine, or in case of
+	 * error, transaction abort will clean things up.)
+	 */
+	if (saved_uid != owner_uid)
+		SetUserIdAndSecContext(owner_uid,
+							   save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+
+
 	/* Convert validuntil to internal form */
 	if (validUntil)
 	{
@@ -345,6 +377,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 		DirectFunctionCall1(namein, CStringGetDatum(stmt->role));
 
 	new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper);
+	new_record[Anum_pg_authid_rolowner - 1] = ObjectIdGetDatum(owner_uid);
 	new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
 	new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
 	new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
@@ -422,6 +455,8 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	CatalogTupleInsert(pg_authid_rel, tuple);
 
+	recordDependencyOnOwner(AuthIdRelationId, roleid, owner_uid);
+
 	/*
 	 * Advance command counter so we can see new record; else tests in
 	 * AddRoleMems may fail.
@@ -478,6 +513,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	table_close(pg_authid_rel, NoLock);
 
+	/* Reset current user and security context */
+	SetUserIdAndSecContext(saved_uid, save_sec_context);
+
 	return roleid;
 }
 
@@ -1051,8 +1089,9 @@ DropRole(DropRoleStmt *stmt)
 		systable_endscan(sscan);
 
 		/*
-		 * Remove any comments or security labels on this role.
+		 * Remove any dependencies, comments or security labels on this role.
 		 */
+		deleteSharedDependencyRecordsFor(AuthIdRelationId, roleid, 0);
 		DeleteSharedComments(roleid, AuthIdRelationId);
 		DeleteSharedSecurityLabel(roleid, AuthIdRelationId);
 
@@ -1648,3 +1687,110 @@ DelRoleMems(const char *rolename, Oid roleid,
 	 */
 	table_close(pg_authmem_rel, NoLock);
 }
+
+/*
+ * Change role owner
+ */
+ObjectAddress
+AlterRoleOwner(const char *name, Oid newOwnerId)
+{
+	Oid                     roleid;
+	HeapTuple       tup;
+	Relation        rel;
+	ObjectAddress address;
+	Form_pg_authid authform;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHNAME, CStringGetDatum(name));
+	if (!HeapTupleIsValid(tup))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role \"%s\" does not exist", name)));
+
+	authform = (Form_pg_authid) GETSTRUCT(tup);
+	roleid = authform->oid;
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ObjectAddressSet(address, AuthIdRelationId, roleid);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+
+	return address;
+}
+
+void
+AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId)
+{
+	HeapTuple	tup;
+	Relation	rel;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleOid));
+	if (!HeapTupleIsValid(tup))
+		elog(ERROR, "cache lookup failed for role %u", roleOid);
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+}
+
+static void
+AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
+{
+	Form_pg_authid authForm;
+
+	Assert(tup->t_tableOid == AuthIdRelationId);
+	Assert(RelationGetRelid(rel) == AuthIdRelationId);
+
+	authForm = (Form_pg_authid) GETSTRUCT(tup);
+
+	/*
+	 * If the new owner is the same as the existing owner, consider the
+	 * command to have succeeded.  This is for dump restoration purposes.
+	 */
+	if (authForm->rolowner != newOwnerId)
+	{
+		/* Otherwise, must be owner of the existing object */
+		if (!pg_role_ownercheck(authForm->oid, GetUserId()))
+			aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		/* Must be able to become new owner */
+		check_is_member_of_role(GetUserId(), newOwnerId);
+
+		/*
+		 * must have CREATEROLE rights
+		 *
+		 * NOTE: This is different from most other alter-owner checks in that
+		 * the current user is checked for create privileges instead of the
+		 * destination owner.  This is consistent with the CREATE case for
+		 * roles.  Because superusers will always have this right, we need no
+		 * special case for them.
+		 */
+		if (!have_createrole_privilege())
+			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		/* Only the bootstrap superuser is allowed to own itself. */
+		if (newOwnerId != BOOTSTRAP_SUPERUSERID && authForm->oid == newOwnerId)
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("role may not own itself")));
+
+		authForm->rolowner = newOwnerId;
+		CatalogTupleUpdate(rel, &tup->t_self, tup);
+
+		/* Update owner dependency reference */
+		changeDependencyOnOwner(AuthIdRelationId, authForm->oid, newOwnerId);
+	}
+
+	InvokeObjectPostAlterHook(AuthIdRelationId,
+							  authForm->oid, 0);
+}
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
index 90b5da51c9..f43c92a70f 100644
--- a/src/backend/nodes/copyfuncs.c
+++ b/src/backend/nodes/copyfuncs.c
@@ -4522,6 +4522,7 @@ _copyCreateRoleStmt(const CreateRoleStmt *from)
 
 	COPY_SCALAR_FIELD(stmt_type);
 	COPY_STRING_FIELD(role);
+	COPY_NODE_FIELD(authrole);
 	COPY_NODE_FIELD(options);
 
 	return newnode;
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
index 06345da3ba..328f155208 100644
--- a/src/backend/nodes/equalfuncs.c
+++ b/src/backend/nodes/equalfuncs.c
@@ -2128,6 +2128,7 @@ _equalCreateRoleStmt(const CreateRoleStmt *a, const CreateRoleStmt *b)
 {
 	COMPARE_SCALAR_FIELD(stmt_type);
 	COMPARE_STRING_FIELD(role);
+	COMPARE_NODE_FIELD(authrole);
 	COMPARE_NODE_FIELD(options);
 
 	return true;
diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
index b5966712ce..df2f84143f 100644
--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -1077,9 +1077,20 @@ CreateRoleStmt:
 					CreateRoleStmt *n = makeNode(CreateRoleStmt);
 					n->stmt_type = ROLESTMT_ROLE;
 					n->role = $3;
+					n->authrole = NULL;
 					n->options = $5;
 					$$ = (Node *)n;
 				}
+			|
+			CREATE ROLE RoleId AUTHORIZATION RoleSpec opt_with OptRoleList
+				{
+					CreateRoleStmt *n = makeNode(CreateRoleStmt);
+					n->stmt_type = ROLESTMT_ROLE;
+					n->role = $3;
+					n->authrole = $5;
+					n->options = $7;
+					$$ = (Node *)n;
+				}
 		;
 
 
@@ -1218,6 +1229,10 @@ CreateOptRoleElem:
 				{
 					$$ = makeDefElem("addroleto", (Node *)$3, @1);
 				}
+			| OWNER RoleSpec
+				{
+					$$ = makeDefElem("owner", (Node *)$2, @1);
+				}
 		;
 
 
@@ -9585,6 +9600,14 @@ AlterOwnerStmt: ALTER AGGREGATE aggregate_with_argtypes OWNER TO RoleSpec
 					n->newowner = $6;
 					$$ = (Node *)n;
 				}
+			| ALTER ROLE name OWNER TO RoleSpec
+				{
+					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
+					n->objectType = OBJECT_ROLE;
+					n->object = (Node *) makeString($3);
+					n->newowner = $6;
+					$$ = (Node *)n;
+				}
 			| ALTER ROUTINE function_with_argtypes OWNER TO RoleSpec
 				{
 					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
diff --git a/src/bin/psql/describe.c b/src/bin/psql/describe.c
index 40433e32fa..e6198c0332 100644
--- a/src/bin/psql/describe.c
+++ b/src/bin/psql/describe.c
@@ -3518,6 +3518,12 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 		appendPQExpBufferStr(&buf, "\n, r.rolbypassrls");
 	}
 
+	if (pset.sversion >= 150000)
+	{
+		appendPQExpBufferStr(&buf, "\n, r.rolowner");
+		ncols++;
+	}
+
 	appendPQExpBufferStr(&buf, "\nFROM pg_catalog.pg_roles r\n");
 
 	if (!showSystem && !pattern)
@@ -3538,6 +3544,8 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	printTableInit(&cont, &myopt, _("List of roles"), ncols, nrows);
 
 	printTableAddHeader(&cont, gettext_noop("Role name"), true, align);
+	if (pset.sversion >= 150000)
+		printTableAddHeader(&cont, gettext_noop("Owner"), true, align);
 	printTableAddHeader(&cont, gettext_noop("Attributes"), true, align);
 	/* ignores implicit memberships from superuser & pg_database_owner */
 	printTableAddHeader(&cont, gettext_noop("Member of"), true, align);
@@ -3549,6 +3557,10 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	{
 		printTableAddCell(&cont, PQgetvalue(res, i, 0), false, false);
 
+		if (pset.sversion >= 150000)
+			printTableAddCell(&cont, PQgetvalue(res, i, (verbose ? 12 : 11)),
+							  false, false);
+
 		resetPQExpBuffer(&buf);
 		if (strcmp(PQgetvalue(res, i, 1), "t") == 0)
 			add_role_attribute(&buf, _("Superuser"));
diff --git a/src/include/catalog/pg_authid.h b/src/include/catalog/pg_authid.h
index 4b65e39a1f..3af0f3908c 100644
--- a/src/include/catalog/pg_authid.h
+++ b/src/include/catalog/pg_authid.h
@@ -32,6 +32,7 @@ CATALOG(pg_authid,1260,AuthIdRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_OID(284
 {
 	Oid			oid;			/* oid */
 	NameData	rolname;		/* name of role */
+	Oid			rolowner BKI_DEFAULT(POSTGRES) BKI_LOOKUP(pg_authid); /* owner of this role */
 	bool		rolsuper;		/* read this field via superuser() only! */
 	bool		rolinherit;		/* inherit privileges from other roles? */
 	bool		rolcreaterole;	/* allowed to create more roles? */
diff --git a/src/include/commands/user.h b/src/include/commands/user.h
index 0b7a3cd65f..c32127e41e 100644
--- a/src/include/commands/user.h
+++ b/src/include/commands/user.h
@@ -33,5 +33,7 @@ extern ObjectAddress RenameRole(const char *oldname, const char *newname);
 extern void DropOwnedObjects(DropOwnedStmt *stmt);
 extern void ReassignOwnedObjects(ReassignOwnedStmt *stmt);
 extern List *roleSpecsToIds(List *memberNames);
+extern ObjectAddress AlterRoleOwner(const char *name, Oid newOwnerId);
+extern void AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId);
 
 #endif							/* USER_H */
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 3e9bdc781f..b9d124d38f 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -2623,6 +2623,7 @@ typedef struct CreateRoleStmt
 	NodeTag		type;
 	RoleStmtType stmt_type;		/* ROLE/USER/GROUP */
 	char	   *role;			/* role name */
+	RoleSpec   *authrole;		/* the owner of the created role */
 	List	   *options;		/* List of DefElem nodes */
 } CreateRoleStmt;
 
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 1ce4c5556e..42f85d0e84 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -316,6 +316,7 @@ extern bool pg_extension_ownercheck(Oid ext_oid, Oid roleid);
 extern bool pg_publication_ownercheck(Oid pub_oid, Oid roleid);
 extern bool pg_subscription_ownercheck(Oid sub_oid, Oid roleid);
 extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
+extern bool pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
 
diff --git a/src/test/modules/unsafe_tests/expected/rolenames.out b/src/test/modules/unsafe_tests/expected/rolenames.out
index eb608fdc2e..8b79a63b80 100644
--- a/src/test/modules/unsafe_tests/expected/rolenames.out
+++ b/src/test/modules/unsafe_tests/expected/rolenames.out
@@ -1086,6 +1086,10 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 \c
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
+ERROR:  role "regress_testrol2" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_haspriv
+owner of role regress_role_nopriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/modules/unsafe_tests/sql/rolenames.sql b/src/test/modules/unsafe_tests/sql/rolenames.sql
index adac36536d..95a54ce70d 100644
--- a/src/test/modules/unsafe_tests/sql/rolenames.sql
+++ b/src/test/modules/unsafe_tests/sql/rolenames.sql
@@ -499,6 +499,7 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 4e67d72760..66d4c29cf7 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -1,6 +1,7 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_admin;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
@@ -11,14 +12,98 @@ CREATE ROLE regress_nosuch_replication REPLICATION;
 ERROR:  must be superuser to create replication users
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
 ERROR:  must be superuser to create bypassrls users
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
+ERROR:  must be superuser to own superusers
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_super SUPERUSER;
+-- ok, superuser can create users with these privileges for normal role
+CREATE ROLE regress_nosuch_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
+CREATE ROLE regress_nosuch_replication AUTHORIZATION regress_role_admin REPLICATION;
+CREATE ROLE regress_nosuch_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
+\du+ regress_nosuch_superuser
+                                           List of roles
+        Role name         |       Owner        |       Attributes        | Member of | Description 
+--------------------------+--------------------+-------------------------+-----------+-------------
+ regress_nosuch_superuser | regress_role_super | Superuser, Cannot login | {}        | 
+
+\du+ regress_nosuch_replication_bypassrls
+                                                        List of roles
+              Role name               |       Owner        |              Attributes               | Member of | Description 
+--------------------------------------+--------------------+---------------------------------------+-----------+-------------
+ regress_nosuch_replication_bypassrls | regress_role_admin | Cannot login, Replication, Bypass RLS | {}        | 
+
+\du+ regress_nosuch_replication
+                                             List of roles
+         Role name          |       Owner        |        Attributes         | Member of | Description 
+----------------------------+--------------------+---------------------------+-----------+-------------
+ regress_nosuch_replication | regress_role_admin | Cannot login, Replication | {}        | 
+
+\du+ regress_nosuch_bypassrls
+                                           List of roles
+        Role name         |       Owner        |        Attributes        | Member of | Description 
+--------------------------+--------------------+--------------------------+-----------+-------------
+ regress_nosuch_bypassrls | regress_role_admin | Cannot login, Bypass RLS | {}        | 
+
+-- fail, roles are not allowed to own themselves
+ALTER ROLE regress_nosuch_bypassrls OWNER TO regress_nosuch_bypassrls;
+ERROR:  role may not own itself
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
 CREATE ROLE regress_login LOGIN;
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
-CREATE ROLE regress_encrypted_password ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_password_null PASSWORD NULL;
+CREATE ROLE regress_encrypted_password PASSWORD NULL;
+CREATE ROLE regress_password_null
+  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_createdb, regress_createrole, regress_login;
+\du+ regress_createdb
+                                       List of roles
+    Role name     |       Owner        |       Attributes        | Member of | Description 
+------------------+--------------------+-------------------------+-----------+-------------
+ regress_createdb | regress_role_admin | Create DB, Cannot login | {}        | 
+
+\du+ regress_createrole
+                                         List of roles
+     Role name      |       Owner        |        Attributes         | Member of | Description 
+--------------------+--------------------+---------------------------+-----------+-------------
+ regress_createrole | regress_role_admin | Create role, Cannot login | {}        | 
+
+\du+ regress_login
+                               List of roles
+   Role name   |       Owner        | Attributes | Member of | Description 
+---------------+--------------------+------------+-----------+-------------
+ regress_login | regress_role_admin |            | {}        | 
+
+\du+ regress_inherit
+                                 List of roles
+    Role name    |       Owner        |  Attributes  | Member of | Description 
+-----------------+--------------------+--------------+-----------+-------------
+ regress_inherit | regress_role_admin | Cannot login | {}        | 
+
+\du+ regress_connection_limit
+                                      List of roles
+        Role name         |       Owner        |  Attributes   | Member of | Description 
+--------------------------+--------------------+---------------+-----------+-------------
+ regress_connection_limit | regress_role_admin | Cannot login +| {}        | 
+                          |                    | 5 connections |           | 
+
+\du+ regress_encrypted_password
+                                      List of roles
+         Role name          |       Owner        |  Attributes  | Member of | Description 
+----------------------------+--------------------+--------------+-----------+-------------
+ regress_encrypted_password | regress_role_admin | Cannot login | {}        | 
+
+\du+ regress_password_null
+                                                              List of roles
+       Role name       |       Owner        |       Attributes       |                      Member of                      | Description 
+-----------------------+--------------------+------------------------+-----------------------------------------------------+-------------
+ regress_password_null | regress_role_admin | Create role, Create DB+| {regress_createdb,regress_createrole,regress_login} | 
+                       |                    | 2 connections          |                                                     | 
+
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_noiseword SYSID 12345;
 NOTICE:  SYSID can no longer be specified
@@ -84,16 +169,24 @@ CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
 CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot take ownership of these objects from regress_createrole
 SET SESSION AUTHORIZATION regress_role_admin;
+ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
+ERROR:  must be owner of role regress_plainrole
+REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
+ERROR:  permission denied to reassign objects
+-- superuser can do it, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
+REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_nosuch_superuser;
-ERROR:  role "regress_nosuch_superuser" does not exist
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_admin;
 DROP ROLE regress_nosuch_replication_bypassrls;
-ERROR:  role "regress_nosuch_replication_bypassrls" does not exist
 DROP ROLE regress_nosuch_replication;
-ERROR:  role "regress_nosuch_replication" does not exist
 DROP ROLE regress_nosuch_bypassrls;
-ERROR:  role "regress_nosuch_bypassrls" does not exist
 DROP ROLE regress_nosuch_super;
 ERROR:  role "regress_nosuch_super" does not exist
 DROP ROLE regress_nosuch_dbowner;
@@ -103,9 +196,23 @@ ERROR:  role "regress_nosuch_recursive" does not exist
 DROP ROLE regress_nosuch_admin_recursive;
 ERROR:  role "regress_nosuch_admin_recursive" does not exist
 DROP ROLE regress_plainrole;
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_createdb;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_createrole;
+ERROR:  role "regress_createrole" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_rolecreator
+owner of role regress_tenant
+owner of role regress_read_all_data
+owner of role regress_write_all_data
+owner of role regress_monitor
+owner of role regress_read_all_settings
+owner of role regress_read_all_stats
+owner of role regress_stat_scan_tables
+owner of role regress_read_server_files
+owner of role regress_write_server_files
+owner of role regress_execute_server_program
+owner of role regress_signal_backend
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_createdb;
 DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
@@ -130,6 +237,10 @@ DROP ROLE regress_tenant;
 ERROR:  role "regress_tenant" cannot be dropped because some objects depend on it
 DETAIL:  owner of table tenant_table
 owner of view tenant_view
+-- fail, role still owns other roles
+DROP ROLE regress_createrole;
+ERROR:  role "regress_createrole" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_tenant
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
@@ -141,5 +252,12 @@ DROP INDEX tenant_idx;
 DROP TABLE tenant_table;
 DROP VIEW tenant_view;
 DROP ROLE regress_tenant;
+DROP ROLE regress_createrole;
+-- fail, cannot drop role with remaining privileges
+DROP ROLE regress_role_admin;
+ERROR:  role "regress_role_admin" cannot be dropped because some objects depend on it
+DETAIL:  privileges for database regression
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_admin;
 DROP ROLE regress_role_admin;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/expected/oidjoins.out b/src/test/regress/expected/oidjoins.out
index 215eb899be..266a30a85b 100644
--- a/src/test/regress/expected/oidjoins.out
+++ b/src/test/regress/expected/oidjoins.out
@@ -194,6 +194,7 @@ NOTICE:  checking pg_database {dattablespace} => pg_tablespace {oid}
 NOTICE:  checking pg_db_role_setting {setdatabase} => pg_database {oid}
 NOTICE:  checking pg_db_role_setting {setrole} => pg_authid {oid}
 NOTICE:  checking pg_tablespace {spcowner} => pg_authid {oid}
+NOTICE:  checking pg_authid {rolowner} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {roleid} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {member} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {grantor} => pg_authid {oid}
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 291e21d7a6..9ce619fd5f 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -27,8 +27,10 @@ CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
 CREATE USER regress_priv_user5;	-- duplicate
 ERROR:  role "regress_priv_user5" already exists
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 CREATE USER regress_priv_user8;
 CREATE USER regress_priv_user9;
 CREATE USER regress_priv_user10;
@@ -2356,7 +2358,12 @@ DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
 DROP USER regress_priv_user6;
+ERROR:  role "regress_priv_user6" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_priv_user7
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 ERROR:  role "regress_priv_user8" does not exist
 -- permissions with LOCK TABLE
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index d652f7b5fb..b6e3c508ba 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1482,6 +1482,7 @@ pg_replication_slots| SELECT l.slot_name,
    FROM (pg_get_replication_slots() l(slot_name, plugin, slot_type, datoid, temporary, active, active_pid, xmin, catalog_xmin, restart_lsn, confirmed_flush_lsn, wal_status, safe_wal_size, two_phase)
      LEFT JOIN pg_database d ON ((l.datoid = d.oid)));
 pg_roles| SELECT pg_authid.rolname,
+    pg_get_userbyid(pg_authid.rolowner) AS rolowner,
     pg_authid.rolsuper,
     pg_authid.rolinherit,
     pg_authid.rolcreaterole,
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 292dc08797..091b116dd6 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -1,6 +1,7 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_admin;
 
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_admin;
@@ -9,14 +10,45 @@ CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
 CREATE ROLE regress_nosuch_replication REPLICATION;
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
 
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
+
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_super SUPERUSER;
+
+-- ok, superuser can create users with these privileges for normal role
+CREATE ROLE regress_nosuch_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
+CREATE ROLE regress_nosuch_replication AUTHORIZATION regress_role_admin REPLICATION;
+CREATE ROLE regress_nosuch_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
+
+\du+ regress_nosuch_superuser
+\du+ regress_nosuch_replication_bypassrls
+\du+ regress_nosuch_replication
+\du+ regress_nosuch_bypassrls
+
+-- fail, roles are not allowed to own themselves
+ALTER ROLE regress_nosuch_bypassrls OWNER TO regress_nosuch_bypassrls;
+
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
 CREATE ROLE regress_login LOGIN;
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
-CREATE ROLE regress_encrypted_password ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_password_null PASSWORD NULL;
+CREATE ROLE regress_encrypted_password PASSWORD NULL;
+CREATE ROLE regress_password_null
+  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_createdb, regress_createrole, regress_login;
+
+\du+ regress_createdb
+\du+ regress_createrole
+\du+ regress_login
+\du+ regress_inherit
+\du+ regress_connection_limit
+\du+ regress_encrypted_password
+\du+ regress_password_null
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_noiseword SYSID 12345;
@@ -86,9 +118,22 @@ CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
 
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot take ownership of these objects from regress_createrole
 SET SESSION AUTHORIZATION regress_role_admin;
+ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
+REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
+
+-- superuser can do it, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
+REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
+
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
 DROP ROLE regress_nosuch_superuser;
+
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_admin;
 DROP ROLE regress_nosuch_replication_bypassrls;
 DROP ROLE regress_nosuch_replication;
 DROP ROLE regress_nosuch_bypassrls;
@@ -98,9 +143,11 @@ DROP ROLE regress_nosuch_recursive;
 DROP ROLE regress_nosuch_admin_recursive;
 DROP ROLE regress_plainrole;
 
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_createdb;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_createrole;
+
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_createdb;
 DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
@@ -124,6 +171,9 @@ DROP ROLE regress_signal_backend;
 -- fail, role still owns database objects
 DROP ROLE regress_tenant;
 
+-- fail, role still owns other roles
+DROP ROLE regress_createrole;
+
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_admin;
@@ -134,5 +184,12 @@ DROP INDEX tenant_idx;
 DROP TABLE tenant_table;
 DROP VIEW tenant_view;
 DROP ROLE regress_tenant;
+DROP ROLE regress_createrole;
+
+-- fail, cannot drop role with remaining privileges
+DROP ROLE regress_role_admin;
+
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_admin;
 DROP ROLE regress_role_admin;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index c8c545b64c..dcf84f91fd 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -30,8 +30,10 @@ CREATE USER regress_priv_user3;
 CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
 CREATE USER regress_priv_user5;	-- duplicate
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 CREATE USER regress_priv_user8;
 CREATE USER regress_priv_user9;
 CREATE USER regress_priv_user10;
@@ -1426,8 +1428,14 @@ DROP USER regress_priv_user2;
 DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
+
 DROP USER regress_priv_user6;
+
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 
 
-- 
2.21.1 (Apple Git-122.3)

From 0b670278d7bc64641e6f8b77f9506705d92ceb02 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 18 Jan 2022 10:18:12 -0800
Subject: [PATCH v6 3/5] Give role owners control over owned roles

Create a role ownership hierarchy.  The previous commit added owners
to roles.  This goes further, making role ownership transitive.  If
role A owns role B, and role B owns role C, then role A can act as
the owner of role C.  Also, roles A and B can perform any action on
objects belonging to role C that role C could itself perform.
---
 src/backend/catalog/aclchk.c                  |  49 +-------
 src/backend/catalog/objectaddress.c           |  22 +---
 src/backend/commands/schemacmds.c             |   2 +-
 src/backend/commands/user.c                   |  29 +++--
 src/backend/utils/adt/acl.c                   | 118 ++++++++++++++++++
 src/include/utils/acl.h                       |   1 +
 .../expected/dummy_seclabel.out               |  12 +-
 .../dummy_seclabel/sql/dummy_seclabel.sql     |  12 +-
 src/test/regress/expected/create_role.out     |  68 ++++------
 src/test/regress/sql/create_role.sql          |  44 +++----
 10 files changed, 205 insertions(+), 152 deletions(-)

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index e5c7324340..1e0ee503e4 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5440,61 +5440,16 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 bool
 pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid)
 {
-	HeapTuple		tuple;
-	Form_pg_authid	authform;
-	Oid				owner_oid;
-
 	/* Superusers bypass all permission checking. */
 	if (superuser_arg(owner_roleid))
 		return true;
 
-	/* Otherwise, look up the owner of the role */
-	tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(owned_role_oid));
-	if (!HeapTupleIsValid(tuple))
-		ereport(ERROR,
-				(errcode(ERRCODE_UNDEFINED_OBJECT),
-				 errmsg("role with OID %u does not exist",
-						owned_role_oid)));
-	authform = (Form_pg_authid) GETSTRUCT(tuple);
-	owner_oid = authform->rolowner;
-
-	/*
-	 * Roles must necessarily have owners.  Even the bootstrap user has an
-	 * owner.  (It owns itself).  Other roles must form a proper tree.
-	 */
-	if (!OidIsValid(owner_oid))
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u has invalid owner",
-						authform->rolname.data, authform->oid)));
-	if (authform->oid != BOOTSTRAP_SUPERUSERID &&
-		authform->rolowner == authform->oid)
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u owns itself",
-						authform->rolname.data, authform->oid)));
-	if (authform->oid == BOOTSTRAP_SUPERUSERID &&
-		authform->rolowner != BOOTSTRAP_SUPERUSERID)
-		ereport(ERROR,
-				(errcode(ERRCODE_DATA_CORRUPTED),
-				 errmsg("role \"%s\" with OID %u owned by role with OID %u",
-						authform->rolname.data, authform->oid,
-						authform->rolowner)));
-	ReleaseSysCache(tuple);
-
-	return (owner_oid == owner_roleid);
+	/* Otherwise, check the role ownership hierarchy */
+	return is_owner_of_role_nosuper(owner_roleid, owned_role_oid);
 }
 
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
- *
- * Note: roles do not have owners per se; instead we use this test in
- * places where an ownership-like permissions test is needed for a role.
- * Be sure to apply it to the role trying to do the operation, not the
- * role being operated on!	Also note that this generally should not be
- * considered enough privilege if the target role is a superuser.
- * (We don't handle that consideration here because we want to give a
- * separate error message for such cases, so the caller has to deal with it.)
  */
 bool
 has_createrole_privilege(Oid roleid)
diff --git a/src/backend/catalog/objectaddress.c b/src/backend/catalog/objectaddress.c
index f30c742d48..1a47f28829 100644
--- a/src/backend/catalog/objectaddress.c
+++ b/src/backend/catalog/objectaddress.c
@@ -2596,25 +2596,9 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
 							   NameListToString(castNode(List, object)));
 			break;
 		case OBJECT_ROLE:
-
-			/*
-			 * We treat roles as being "owned" by those with CREATEROLE priv,
-			 * except that superusers are only owned by superusers.
-			 */
-			if (superuser_arg(address.objectId))
-			{
-				if (!superuser_arg(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must be superuser")));
-			}
-			else
-			{
-				if (!has_createrole_privilege(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must have CREATEROLE privilege")));
-			}
+			if (!pg_role_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, objtype,
+							   strVal(object));
 			break;
 		case OBJECT_TSPARSER:
 		case OBJECT_TSTEMPLATE:
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
index 984000a5bc..e5405db658 100644
--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
@@ -363,7 +363,7 @@ AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		/*
 		 * must have create-schema rights
 		 *
-		 * NOTE: This is different from other alter-owner checks in that the
+		 * NOTE: This is different from most other alter-owner checks in that the
 		 * current user is checked for create privileges instead of the
 		 * destination owner.  This is consistent with the CREATE case for
 		 * schemas.  Because superusers will always have this right, we need
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 3903791ff0..3a24934679 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -693,7 +693,8 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 	{
 		/* check the rest */
 		if (dinherit || dcreaterole || dcreatedb || dcanlogin || dconnlimit ||
-			drolemembers || dvalidUntil || !dpassword || roleid != GetUserId())
+			drolemembers || dvalidUntil || !dpassword ||
+			!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied")));
@@ -898,7 +899,8 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() && roleid != GetUserId())
+			if (!have_createrole_privilege() &&
+				!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -950,11 +952,6 @@ DropRole(DropRoleStmt *stmt)
 				pg_auth_members_rel;
 	ListCell   *item;
 
-	if (!have_createrole_privilege())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied to drop role")));
-
 	/*
 	 * Scan the pg_authid relation to find the Oid of the role(s) to be
 	 * deleted.
@@ -1026,6 +1023,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
+		if (!have_createrole_privilege() &&
+			!pg_role_ownercheck(roleid, GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("permission denied to drop role")));
+
 		/* DROP hook for the role being removed */
 		InvokeObjectDropHook(AuthIdRelationId, roleid, 0);
 
@@ -1784,6 +1787,18 @@ AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
 					 errmsg("role may not own itself")));
 
+		/*
+		 * Must not create cycles in the role ownership hierarchy.  If this
+		 * role owns (directly or indirectly) the proposed new owner, disallow
+		 * the ownership transfer.
+		 */
+		if (is_owner_of_role_nosuper(authForm->oid, newOwnerId))
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("role \"%s\" may not both own and be owned by role \"%s\"",
+							NameStr(authForm->rolname),
+							GetUserNameFromId(newOwnerId, false))));
+
 		authForm->rolowner = newOwnerId;
 		CatalogTupleUpdate(rel, &tup->t_self, tup);
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 0a16f8156c..97336db058 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4832,6 +4832,111 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 }
 
 
+/*
+ * Get a list of roles which own the given role, directly or indirectly.
+ *
+ * Each role has only one direct owner.  The returned list contains the given
+ * role's owner, that role's owner, etc., up to the top of the ownership
+ * hierarchy, which is always the bootstrap superuser.
+ *
+ * Raises an error if any role ownership invariant is violated.  Returns NIL if
+ * the given roleid is invalid.
+ */
+static List *
+roles_is_owned_by(Oid roleid)
+{
+	List	   *owners_list = NIL;
+	Oid			role_oid = roleid;
+
+	/*
+	 * Start with the current role and follow the ownership chain upwards until
+	 * we reach the bootstrap superuser.  To defend against getting into an
+	 * infinite loop, we must check for ownership cycles.  We choose to perform
+	 * other corruption checks on the ownership structure while iterating, too.
+	 */
+	while (OidIsValid(role_oid))
+	{
+		HeapTuple		tuple;
+		Form_pg_authid	authform;
+		Oid				owner_oid;
+
+		/* Find the owner of the current iteration's role */
+		tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
+		if (!HeapTupleIsValid(tuple))
+			ereport(ERROR,
+					(errcode(ERRCODE_UNDEFINED_OBJECT),
+					 errmsg("role with OID %u does not exist", role_oid)));
+
+		authform = (Form_pg_authid) GETSTRUCT(tuple);
+		owner_oid = authform->rolowner;
+
+		/*
+		 * Roles must necessarily have owners.  Even the bootstrap user has an
+		 * owner.  (It owns itself).
+		 */
+		if (!OidIsValid(owner_oid))
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u has invalid owner",
+							NameStr(authform->rolname), authform->oid)));
+
+		/* The bootstrap user must own itself */
+		if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+			owner_oid != BOOTSTRAP_SUPERUSERID)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+							NameStr(authform->rolname), authform->oid,
+							authform->rolowner)));
+
+		/*
+		 * Roles other than the bootstrap user must not be their own direct
+		 * owners.
+		 */
+		if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+			authform->oid == owner_oid)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owns itself",
+							NameStr(authform->rolname), authform->oid)));
+
+		ReleaseSysCache(tuple);
+
+		/* If we have reached the bootstrap user, we're done. */
+		if (role_oid == BOOTSTRAP_SUPERUSERID)
+		{
+			if (!owners_list)
+				owners_list = lappend_oid(owners_list, owner_oid);
+			break;
+		}
+
+		/*
+		 * For all other users, check they do not own themselves indirectly
+		 * through an ownership cycle.
+		 *
+		 * Scanning the list each time through this loop results in overall
+		 * quadratic work in the depth of the ownership chain, but we're
+		 * not on a critical performance path, nor do we expect ownership
+		 * hierarchies to be deep.
+		 */
+		if (owners_list && list_member_oid(owners_list,
+										   ObjectIdGetDatum(owner_oid)))
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u indirectly owns itself",
+							GetUserNameFromId(owner_oid, false),
+							owner_oid)));
+
+		/* Done with sanity checks.  Add this owner to the list. */
+		owners_list = lappend_oid(owners_list, owner_oid);
+
+		/* Otherwise, iterate on this iteration's owner_oid. */
+		role_oid = owner_oid;
+	}
+
+	return owners_list;
+}
+
 /*
  * Does member have the privileges of role (directly or indirectly)?
  *
@@ -4850,6 +4955,10 @@ has_privs_of_role(Oid member, Oid role)
 	if (superuser_arg(member))
 		return true;
 
+	/* Owners of roles have every privilege the owned role has */
+	if (pg_role_ownercheck(role, member))
+		return true;
+
 	/*
 	 * Find all the roles that member has the privileges of, including
 	 * multi-level recursion, then see if target role is any one of them.
@@ -4921,6 +5030,15 @@ is_member_of_role_nosuper(Oid member, Oid role)
 						   role);
 }
 
+/*
+ * Is owner a direct or indirect owner of the role, not considering
+ * superuserness?
+ */
+bool
+is_owner_of_role_nosuper(Oid owner, Oid role)
+{
+	return list_member_oid(roles_is_owned_by(role), owner);
+}
 
 /*
  * Is member an admin of role?	That is, is member the role itself (subject to
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 42f85d0e84..572cae0f27 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -209,6 +209,7 @@ extern bool has_privs_of_role(Oid member, Oid role);
 extern bool is_member_of_role(Oid member, Oid role);
 extern bool is_member_of_role_nosuper(Oid member, Oid role);
 extern bool is_admin_of_role(Oid member, Oid role);
+extern bool is_owner_of_role_nosuper(Oid owner, Oid role);
 extern void check_is_member_of_role(Oid member, Oid role);
 extern Oid	get_role_oid(const char *rolename, bool missing_ok);
 extern Oid	get_role_oid_or_public(const char *rolename);
diff --git a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
index b2d898a7d1..93cf82b750 100644
--- a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
+++ b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
@@ -7,8 +7,11 @@ SET client_min_messages TO 'warning';
 DROP ROLE IF EXISTS regress_dummy_seclabel_user1;
 DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 RESET client_min_messages;
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
 CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
@@ -19,7 +22,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
@@ -29,6 +32,7 @@ ERROR:  '...invalid label...' is not a valid security label
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
 ERROR:  security label provider "unknown_seclabel" is not loaded
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 ERROR:  must be owner of table dummy_seclabel_tbl2
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
@@ -42,7 +46,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
 ERROR:  '...invalid label...' is not a valid security label
@@ -55,7 +59,7 @@ SECURITY LABEL ON ROLE regress_dummy_seclabel_user3 IS 'unclassified';	-- fail (
 ERROR:  role "regress_dummy_seclabel_user3" does not exist
 SET SESSION AUTHORIZATION regress_dummy_seclabel_user2;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user2 IS 'unclassified';	-- fail (not privileged)
-ERROR:  must have CREATEROLE privilege
+ERROR:  must be owner of role regress_dummy_seclabel_user2
 RESET SESSION AUTHORIZATION;
 --
 -- Test for various types of object
diff --git a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
index 8c347b6a68..bf575343cf 100644
--- a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
+++ b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
@@ -11,8 +11,12 @@ DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 
 RESET client_min_messages;
 
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
@@ -26,7 +30,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
@@ -34,6 +38,8 @@ SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...';	-- fail
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified';	-- fail (not found)
@@ -45,7 +51,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 66d4c29cf7..2c42c8ad8d 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -58,8 +58,9 @@ CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
 CREATE ROLE regress_encrypted_password PASSWORD NULL;
 CREATE ROLE regress_password_null
-  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
-  IN ROLE regress_createdb, regress_createrole, regress_login;
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_createdb, regress_createrole;
+COMMENT ON ROLE regress_password_null IS 'no login test role';
 \du+ regress_createdb
                                        List of roles
     Role name     |       Owner        |       Attributes        | Member of | Description 
@@ -98,11 +99,11 @@ CREATE ROLE regress_password_null
  regress_encrypted_password | regress_role_admin | Cannot login | {}        | 
 
 \du+ regress_password_null
-                                                              List of roles
-       Role name       |       Owner        |       Attributes       |                      Member of                      | Description 
------------------------+--------------------+------------------------+-----------------------------------------------------+-------------
- regress_password_null | regress_role_admin | Create role, Create DB+| {regress_createdb,regress_createrole,regress_login} | 
-                       |                    | 2 connections          |                                                     | 
+                                                                 List of roles
+       Role name       |       Owner        |              Attributes              |               Member of               |    Description     
+-----------------------+--------------------+--------------------------------------+---------------------------------------+--------------------
+ regress_password_null | regress_role_admin | Create role, Create DB, Cannot login+| {regress_createdb,regress_createrole} | no login test role
+                       |                    | 2 connections                        |                                       | 
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_noiseword SYSID 12345;
@@ -143,21 +144,18 @@ CREATE TABLE tenant_table (i integer);
 CREATE INDEX tenant_idx ON tenant_table(i);
 CREATE VIEW tenant_view AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON tenant_table FROM PUBLIC;
--- fail, these objects belonging to regress_tenant
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_createrole;
 DROP INDEX tenant_idx;
-ERROR:  must be owner of index tenant_idx
 ALTER TABLE tenant_table ADD COLUMN t text;
-ERROR:  must be owner of table tenant_table
 DROP TABLE tenant_table;
-ERROR:  must be owner of table tenant_table
+-- fail, not a member of target role
 ALTER VIEW tenant_view OWNER TO regress_role_admin;
-ERROR:  must be owner of view tenant_view
+ERROR:  must be member of role "regress_role_admin"
+-- ok
 DROP VIEW tenant_view;
-ERROR:  must be owner of view tenant_view
--- fail, cannot take ownership of these objects from regress_tenant
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
-ERROR:  permission denied to reassign objects
 -- ok, having CREATEROLE is enough to create roles in privileged roles
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
@@ -169,14 +167,14 @@ CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
 CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
--- fail, cannot take ownership of these objects from regress_createrole
-SET SESSION AUTHORIZATION regress_role_admin;
-ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
-ERROR:  must be owner of role regress_plainrole
-REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
-ERROR:  permission denied to reassign objects
--- superuser can do it, though
+-- fail, cannot create ownership cycles
 RESET SESSION AUTHORIZATION;
+REASSIGN OWNED BY regress_role_admin TO regress_tenant;
+ERROR:  role "regress_createrole" may not both own and be owned by role "regress_tenant"
+ALTER ROLE regress_role_admin OWNER TO regress_tenant;
+ERROR:  role "regress_role_admin" may not both own and be owned by role "regress_tenant"
+-- ok, can take ownership from owned roles
+SET SESSION AUTHORIZATION regress_role_admin;
 ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
 REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
 -- ok, superuser roles can drop superuser roles they own
@@ -187,14 +185,6 @@ SET SESSION AUTHORIZATION regress_role_admin;
 DROP ROLE regress_nosuch_replication_bypassrls;
 DROP ROLE regress_nosuch_replication;
 DROP ROLE regress_nosuch_bypassrls;
-DROP ROLE regress_nosuch_super;
-ERROR:  role "regress_nosuch_super" does not exist
-DROP ROLE regress_nosuch_dbowner;
-ERROR:  role "regress_nosuch_dbowner" does not exist
-DROP ROLE regress_nosuch_recursive;
-ERROR:  role "regress_nosuch_recursive" does not exist
-DROP ROLE regress_nosuch_admin_recursive;
-ERROR:  role "regress_nosuch_admin_recursive" does not exist
 DROP ROLE regress_plainrole;
 -- fail, cannot drop roles that own other roles
 DROP ROLE regress_createrole;
@@ -222,6 +212,7 @@ DROP ROLE regress_noiseword;
 DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
+DROP ROLE regress_tenant;
 DROP ROLE regress_read_all_data;
 DROP ROLE regress_write_all_data;
 DROP ROLE regress_monitor;
@@ -232,28 +223,15 @@ DROP ROLE regress_read_server_files;
 DROP ROLE regress_write_server_files;
 DROP ROLE regress_execute_server_program;
 DROP ROLE regress_signal_backend;
--- fail, role still owns database objects
-DROP ROLE regress_tenant;
-ERROR:  role "regress_tenant" cannot be dropped because some objects depend on it
-DETAIL:  owner of table tenant_table
-owner of view tenant_view
--- fail, role still owns other roles
-DROP ROLE regress_createrole;
-ERROR:  role "regress_createrole" cannot be dropped because some objects depend on it
-DETAIL:  owner of role regress_tenant
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
 DROP ROLE regress_role_admin;
 ERROR:  current user cannot be dropped
--- ok
-RESET SESSION AUTHORIZATION;
-DROP INDEX tenant_idx;
-DROP TABLE tenant_table;
-DROP VIEW tenant_view;
-DROP ROLE regress_tenant;
+-- ok, no more owned roles remain
 DROP ROLE regress_createrole;
 -- fail, cannot drop role with remaining privileges
+RESET SESSION AUTHORIZATION;
 DROP ROLE regress_role_admin;
 ERROR:  role "regress_role_admin" cannot be dropped because some objects depend on it
 DETAIL:  privileges for database regression
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 091b116dd6..00e63b7d93 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -39,8 +39,9 @@ CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
 CREATE ROLE regress_encrypted_password PASSWORD NULL;
 CREATE ROLE regress_password_null
-  CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
-  IN ROLE regress_createdb, regress_createrole, regress_login;
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_createdb, regress_createrole;
+COMMENT ON ROLE regress_password_null IS 'no login test role';
 
 \du+ regress_createdb
 \du+ regress_createrole
@@ -95,15 +96,19 @@ CREATE INDEX tenant_idx ON tenant_table(i);
 CREATE VIEW tenant_view AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON tenant_table FROM PUBLIC;
 
--- fail, these objects belonging to regress_tenant
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_createrole;
 DROP INDEX tenant_idx;
 ALTER TABLE tenant_table ADD COLUMN t text;
 DROP TABLE tenant_table;
+
+-- fail, not a member of target role
 ALTER VIEW tenant_view OWNER TO regress_role_admin;
+
+-- ok
 DROP VIEW tenant_view;
 
--- fail, cannot take ownership of these objects from regress_tenant
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
 
 -- ok, having CREATEROLE is enough to create roles in privileged roles
@@ -118,13 +123,13 @@ CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
 
--- fail, cannot take ownership of these objects from regress_createrole
-SET SESSION AUTHORIZATION regress_role_admin;
-ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
-REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
-
--- superuser can do it, though
+-- fail, cannot create ownership cycles
 RESET SESSION AUTHORIZATION;
+REASSIGN OWNED BY regress_role_admin TO regress_tenant;
+ALTER ROLE regress_role_admin OWNER TO regress_tenant;
+
+-- ok, can take ownership from owned roles
+SET SESSION AUTHORIZATION regress_role_admin;
 ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
 REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
 
@@ -137,10 +142,6 @@ SET SESSION AUTHORIZATION regress_role_admin;
 DROP ROLE regress_nosuch_replication_bypassrls;
 DROP ROLE regress_nosuch_replication;
 DROP ROLE regress_nosuch_bypassrls;
-DROP ROLE regress_nosuch_super;
-DROP ROLE regress_nosuch_dbowner;
-DROP ROLE regress_nosuch_recursive;
-DROP ROLE regress_nosuch_admin_recursive;
 DROP ROLE regress_plainrole;
 
 -- fail, cannot drop roles that own other roles
@@ -157,6 +158,7 @@ DROP ROLE regress_noiseword;
 DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
+DROP ROLE regress_tenant;
 DROP ROLE regress_read_all_data;
 DROP ROLE regress_write_all_data;
 DROP ROLE regress_monitor;
@@ -168,25 +170,15 @@ DROP ROLE regress_write_server_files;
 DROP ROLE regress_execute_server_program;
 DROP ROLE regress_signal_backend;
 
--- fail, role still owns database objects
-DROP ROLE regress_tenant;
-
--- fail, role still owns other roles
-DROP ROLE regress_createrole;
-
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_admin;
 
--- ok
-RESET SESSION AUTHORIZATION;
-DROP INDEX tenant_idx;
-DROP TABLE tenant_table;
-DROP VIEW tenant_view;
-DROP ROLE regress_tenant;
+-- ok, no more owned roles remain
 DROP ROLE regress_createrole;
 
 -- fail, cannot drop role with remaining privileges
+RESET SESSION AUTHORIZATION;
 DROP ROLE regress_role_admin;
 
 -- ok, can drop role if we revoke privileges first
-- 
2.21.1 (Apple Git-122.3)

From d949f35209b8de4723b0612ef823e0385ae6a338 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 18 Jan 2022 10:24:55 -0800
Subject: [PATCH v6 4/5] Restrict power granted via CREATEROLE.

The CREATEROLE attribute no longer has anything to do with the power
to alter roles or to grant or revoke role membership, but merely the
ability to create new roles, as its name suggests.  The ability to
alter a role is based on role ownership; the ability to grant and
revoke role membership is based on having admin privilege on the
relevant role or alternatively on role ownership, as owners now
implicitly have admin privileges on roles they own.

A role must either be superuser or have the CREATEROLE attribute to
create roles.  This is unchanged from the prior behavior.  A new
principle is adopted, though, to make CREATEROLE less dangerous:  a
role may not create new roles with privileges that the creating role
lacks.  This new principle is intended to prevent privilege
escalation attacks stemming from giving CREATEROLE to a user.  This
is not backwards compatible.  The idea is to fix the CREATEROLE
privilege to not be pathway to gaining superuser, and no
non-breaking change to accomplish that is apparent.

SUPERUSER, REPLICATION, BYPASSRLS, CREATEDB, CREATEROLE and LOGIN
privilege can only be given to new roles by creators who have the
same privilege.  In the case of the CREATEROLE privilege, this is
trivially true, as the creator must necessarily have it or they
couldn't be creating the role to begin with.

The INHERIT attribute is not considered a privilege, and since a
user who belongs to a role may SET ROLE to that role and do anything
that role can do, it isn't clear that treating it as a privilege
would stop any privilege escalation attacks.

The CONNECTION LIMIT and VALID UNTIL attributes are also not
considered privileges, but this design choice is debatable.  One
could think of the ability to log in during a given window of time,
or up to a certain number of connections as a privilege, and
allowing such a restricted role to create a new role with unlimited
connections or no expiration as a privilege escalation which escapes
the intended restrictions.  However, it is just as easy to think of
these limitations as being used to guard against badly written
client programs connecting too many times, or connecting at a time
of day that is not intended.  Since it is unclear which design is
better, this commit is conservative and the handling of these
attributes is unchanged relative to prior behavior.

Since the grammar of the CREATE ROLE command allows specifying roles
into which the new role should be enrolled, and also lists of roles
which become members of the newly created role (as admin or not),
the CREATE ROLE command may now fail if the creating role has
insufficient privilege on the roles so listed.  Such failures were
not possible before, since the CREATEROLE privilege was always
sufficient.
---
 doc/src/sgml/ddl.sgml                     |  12 +--
 doc/src/sgml/ref/alter_role.sgml          |  20 ++--
 doc/src/sgml/ref/comment.sgml             |   8 +-
 doc/src/sgml/ref/create_role.sgml         |  26 +++--
 doc/src/sgml/ref/drop_role.sgml           |   3 +-
 doc/src/sgml/ref/dropuser.sgml            |   6 +-
 doc/src/sgml/ref/grant.sgml               |   4 +-
 doc/src/sgml/user-manag.sgml              |  44 +++++----
 src/backend/catalog/aclchk.c              | 111 ++++++++++++++++++++++
 src/backend/commands/user.c               |  60 +++++-------
 src/backend/utils/adt/acl.c               |  21 +---
 src/include/utils/acl.h                   |   5 +
 src/test/regress/expected/create_role.out |  63 +++++-------
 src/test/regress/sql/create_role.sql      |  36 +++----
 14 files changed, 250 insertions(+), 169 deletions(-)

diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 22f6c5c7ab..5596a359e3 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -3132,9 +3132,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
            doesn't preserve that DROP.
 
            A database owner can attack the database's users via "CREATE SCHEMA
-           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;".  A
-           CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the
-           database owner attack. -->
+           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". -->
       <para>
        Constrain ordinary users to user-private schemas.  To implement this,
        first issue <literal>REVOKE CREATE ON SCHEMA public FROM
@@ -3146,9 +3144,8 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        pattern in a database where untrusted users had already logged in,
        consider auditing the public schema for objects named like objects in
        schema <literal>pg_catalog</literal>.  This pattern is a secure schema
-       usage pattern unless an untrusted user is the database owner or holds
-       the <literal>CREATEROLE</literal> privilege, in which case no secure
-       schema usage pattern exists.
+       usage pattern unless an untrusted user is the database owner, in which
+       case no secure schema usage pattern exists.
       </para>
       <para>
        If the database originated in an upgrade
@@ -3170,8 +3167,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        schema <link linkend="typeconv-func">will be unsafe or
        unreliable</link>.  If you create functions or extensions in the public
        schema, use the first pattern instead.  Otherwise, like the first
-       pattern, this is secure unless an untrusted user is the database owner
-       or holds the <literal>CREATEROLE</literal> privilege.
+       pattern, this is secure unless an untrusted user is the database owner.
       </para>
      </listitem>
 
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
index 5aa5648ae7..fc9bea8072 100644
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -70,18 +70,18 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
    <link linkend="sql-revoke"><command>REVOKE</command></link> for that.)
    Attributes not mentioned in the command retain their previous settings.
    Database superusers can change any of these settings for any role.
-   Roles having <literal>CREATEROLE</literal> privilege can change any of these
-   settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
-   and <literal>BYPASSRLS</literal>; but only for non-superuser and
-   non-replication roles.
-   Ordinary roles can only change their own password.
+   Role owners can change any of these settings on roles they directly or
+   indirectly own except <literal>SUPERUSER</literal>,
+   <literal>REPLICATION</literal>, and <literal>BYPASSRLS</literal>; but only
+   for non-superuser and non-replication roles, and only if the role owner does
+   not alter the target role to have a privilege which the role owner itself
+   lacks.  Ordinary roles can only change their own password.
   </para>
 
   <para>
    The second variant changes the name of the role.
    Database superusers can rename any role.
-   Roles having <literal>CREATEROLE</literal> privilege can rename non-superuser
-   roles.
+   Roles can rename non-superuser roles they directly or indirectly own.
    The current session user cannot be renamed.
    (Connect as a different user if you need to do that.)
    Because <literal>MD5</literal>-encrypted passwords use the role name as
@@ -114,9 +114,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
   </para>
 
   <para>
-   Superusers can change anyone's session defaults. Roles having
-   <literal>CREATEROLE</literal> privilege can change defaults for non-superuser
-   roles. Ordinary roles can only set defaults for themselves.
+   Superusers can change anyone's session defaults. Roles may change
+   privilege for non-superuser roles they directly or indirectly own. Ordinary roles can only set
+   defaults for themselves.
    Certain configuration variables cannot be set this way, or can only be
    set if a superuser issues the command.  Only superusers can change a setting
    for all roles in all databases.
diff --git a/doc/src/sgml/ref/comment.sgml b/doc/src/sgml/ref/comment.sgml
index e07fc47fd3..1ba374f3a1 100644
--- a/doc/src/sgml/ref/comment.sgml
+++ b/doc/src/sgml/ref/comment.sgml
@@ -92,12 +92,8 @@ COMMENT ON
 
   <para>
    For most kinds of object, only the object's owner can set the comment.
-   Roles don't have owners, so the rule for <literal>COMMENT ON ROLE</literal> is
-   that you must be superuser to comment on a superuser role, or have the
-   <literal>CREATEROLE</literal> privilege to comment on non-superuser roles.
-   Likewise, access methods don't have owners either; you must be superuser
-   to comment on an access method.
-   Of course, a superuser can comment on anything.
+   Access methods don't have owners; you must be superuser to comment on an
+   access method.  Of course, a superuser can comment on anything.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index b6a4ea1f72..2e73102562 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -107,8 +107,10 @@ in sync when changing the above synopsis!
         <literal>CREATEDB</literal> is specified, the role being
         defined will be allowed to create new databases. Specifying
         <literal>NOCREATEDB</literal> will deny a role the ability to
-        create databases. If not specified,
-        <literal>NOCREATEDB</literal> is the default.
+        create databases. Only roles with the <literal>CREATEDB</literal>
+        attribute may create roles with the <literal>CREATEDB</literal>
+        attribute. If not specified, <literal>NOCREATEDB</literal> is the
+        default.
        </para>
       </listitem>
      </varlistentry>
@@ -120,8 +122,6 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role will be permitted to
         create new roles (that is, execute <command>CREATE ROLE</command>).
-        A role with <literal>CREATEROLE</literal> privilege can also alter
-        and drop other roles.
         If not specified,
         <literal>NOCREATEROLE</literal> is the default.
        </para>
@@ -163,6 +163,8 @@ in sync when changing the above synopsis!
         <literal>NOLOGIN</literal> is the default, except when
         <command>CREATE ROLE</command> is invoked through its alternative spelling
         <link linkend="sql-createuser"><command>CREATE USER</command></link>.
+        You must have the <literal>LOGIN</literal> attribute to create a new role
+        with the <literal>LOGIN</literal> attribute.
        </para>
       </listitem>
      </varlistentry>
@@ -194,8 +196,8 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role bypasses every row-level
         security (RLS) policy.  <literal>NOBYPASSRLS</literal> is the default.
-        You must be a superuser to create a new role having
-        the <literal>BYPASSRLS</literal> attribute.
+        You must have the <literal>BYPASSRLS</literal> attribute to create a
+        new role having the <literal>BYPASSRLS</literal> attribute.
        </para>
 
        <para>
@@ -281,6 +283,10 @@ in sync when changing the above synopsis!
         member.  (Note that there is no option to add the new role as an
         administrator; use a separate <command>GRANT</command> command to do that.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -301,6 +307,10 @@ in sync when changing the above synopsis!
         roles which are automatically added as members of the new role.
         (This in effect makes the new role a <quote>group</quote>.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -313,6 +323,10 @@ in sync when changing the above synopsis!
         OPTION</literal>, giving them the right to grant membership in this role
         to others.
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/drop_role.sgml b/doc/src/sgml/ref/drop_role.sgml
index 13dc1cc649..c3d57ee8db 100644
--- a/doc/src/sgml/ref/drop_role.sgml
+++ b/doc/src/sgml/ref/drop_role.sgml
@@ -31,8 +31,7 @@ DROP ROLE [ IF EXISTS ] <replaceable class="parameter">name</replaceable> [, ...
   <para>
    <command>DROP ROLE</command> removes the specified role(s).
    To drop a superuser role, you must be a superuser yourself;
-   to drop non-superuser roles, you must have <literal>CREATEROLE</literal>
-   privilege.
+   to drop non-superuser roles, you must own the target role.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/dropuser.sgml b/doc/src/sgml/ref/dropuser.sgml
index 81580507e8..30a99eaf68 100644
--- a/doc/src/sgml/ref/dropuser.sgml
+++ b/doc/src/sgml/ref/dropuser.sgml
@@ -35,9 +35,9 @@ PostgreSQL documentation
   <para>
    <application>dropuser</application> removes an existing
    <productname>PostgreSQL</productname> user.
-   Only superusers and users with the <literal>CREATEROLE</literal> privilege can
-   remove <productname>PostgreSQL</productname> users.  (To remove a
-   superuser, you must yourself be a superuser.)
+   A <productname>PostgreSQL</productname> user may only be removed by its
+   owner or by a superuser.  (To remove a superuser, you must yourself be a
+   superuser.)
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index a897712de2..86fc387af2 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -254,8 +254,8 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
    OPTION</literal> on itself, but it may grant or revoke membership in
    itself from a database session where the session user matches the
    role.  Database superusers can grant or revoke membership in any role
-   to anyone.  Roles having <literal>CREATEROLE</literal> privilege can grant
-   or revoke membership in any role that is not a superuser.
+   to anyone.  Roles can revoke membership in any role they own, and 
+   may grant membership in any role they own to any role they own.
   </para>
 
   <para>
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 9067be1d9c..e65b55a004 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -198,9 +198,10 @@ CREATE USER <replaceable>name</replaceable>;
         (except for superusers, since those bypass all permission
         checks). To create such a role, use <literal>CREATE ROLE
         <replaceable>name</replaceable> CREATEROLE</literal>.
-        A role with <literal>CREATEROLE</literal> privilege can alter and drop
-        other roles, too, as well as grant or revoke membership in them.
-        However, to create, alter, drop, or change membership of a
+        A role which creates a new role becomes the new role's owner, able to
+        alter or drop that new role, and sharing ownership of any additional
+        objects (including additional roles) that new role creates.
+        To create, alter, drop, or change membership of a
         superuser role, superuser status is required;
         <literal>CREATEROLE</literal> is insufficient for that.
        </para>
@@ -246,11 +247,14 @@ CREATE USER <replaceable>name</replaceable>;
 
   <tip>
    <para>
-    It is good practice to create a role that has the <literal>CREATEDB</literal>
-    and <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
+    It is good practice to create a role that has the
+    <literal>CREATEDB</literal>, <literal>LOGIN</literal> and
+    <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
     use this role for all routine management of databases and roles.  This
-    approach avoids the dangers of operating as a superuser for tasks that
-    do not really require it.
+    approach avoids the dangers of operating as a superuser for tasks that do
+    not really require it.  This role must also have
+    <literal>REPLICATION</literal> if it will create replication users, and
+    must have <literal>BYPASSRLS</literal> if it will create bypassrls users.
    </para>
   </tip>
 
@@ -387,15 +391,22 @@ RESET ROLE;
 
   <para>
    The role attributes <literal>LOGIN</literal>, <literal>SUPERUSER</literal>,
-   <literal>CREATEDB</literal>, and <literal>CREATEROLE</literal> can be thought of as
-   special privileges, but they are never inherited as ordinary privileges
-   on database objects are.  You must actually <command>SET ROLE</command> to a
-   specific role having one of these attributes in order to make use of
-   the attribute.  Continuing the above example, we might choose to
+   <literal>CREATEDB</literal>, <literal>REPLICATION</literal>,
+   <literal>BYPASSRLS</literal>, and <literal>CREATEROLE</literal> can be
+   thought of as special privileges, but they are never inherited as ordinary
+   privileges on database objects are.  You must actually <command>SET
+   ROLE</command> to a specific role having one of these attributes in order to
+   make use of the attribute.  Continuing the above example, we might choose to
    grant <literal>CREATEDB</literal> and <literal>CREATEROLE</literal> to the
-   <literal>admin</literal> role.  Then a session connecting as role <literal>joe</literal>
-   would not have these privileges immediately, only after doing
-   <command>SET ROLE admin</command>.
+   <literal>admin</literal> role.  Then a session connecting as role
+   <literal>joe</literal> would not have these privileges immediately, only
+   after doing <command>SET ROLE admin</command>.  Roles with these attributes
+   may only be created by roles which themselves have these attributes.
+   Superusers may always do so, but non-superuser roles with
+   <literal>CREATEROLE</literal> may only create new roles with
+   <literal>LOGIN</literal>, <literal>CREATEDB</literal>,
+   <literal>REPLICATION</literal>, or <literal>BYPASSRLS</literal> if they
+   themselves have the same attribute.
   </para>
 
   <para>
@@ -493,8 +504,7 @@ DROP ROLE doomed_role;
   <para>
    <productname>PostgreSQL</productname> provides a set of predefined roles
    that provide access to certain, commonly needed, privileged capabilities
-   and information.  Administrators (including roles that have the
-   <literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
+   and information.  Administrators can <command>GRANT</command> these
    roles to users and/or other roles in their environment, providing those
    users with access to the specified capabilities and information.
   </para>
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 1e0ee503e4..8327005404 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5470,6 +5470,9 @@ has_createrole_privilege(Oid roleid)
 	return result;
 }
 
+/*
+ * Check whether specified role has BYPASSRLS privilege (or is a superuser)
+ */
 bool
 has_bypassrls_privilege(Oid roleid)
 {
@@ -5489,6 +5492,114 @@ has_bypassrls_privilege(Oid roleid)
 	return result;
 }
 
+/*
+ * Check whether specified role has INHERIT privilege (or is a superuser)
+ */
+bool
+has_inherit_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Check whether specified role has CREATEDB privilege (or is a superuser)
+ */
+bool
+has_createdb_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreatedb;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Check whether specified role has LOGIN privilege (or is a superuser)
+ */
+bool
+has_login_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcanlogin;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Check whether specified role has REPLICATION privilege (or is a superuser)
+ */
+bool
+has_replication_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Get the connection limit for the specified role.
+ *
+ * Returns -1 if the role has no connection limit.
+ */
+int32
+role_connection_limit(Oid roleid)
+{
+	int32		result = -1;
+	HeapTuple	utup;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolconnlimit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
 /*
  * Fetch pg_default_acl entry for given role, namespace and object type
  * (object type must be given in pg_default_acl's encoding).
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 3a24934679..cc33277c20 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -58,15 +58,6 @@ static void DelRoleMems(const char *rolename, Oid roleid,
 static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
 									Oid newOwnerId);
 
-
-/* Check if current user has createrole privileges */
-static bool
-have_createrole_privilege(void)
-{
-	return has_createrole_privilege(GetUserId());
-}
-
-
 /*
  * CREATE ROLE
  */
@@ -276,24 +267,32 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	}
 	else if (isreplication)
 	{
-		if (!superuser())
+		if (!has_replication_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create replication users")));
+					 errmsg("must have replication privilege to create replication users")));
 	}
 	else if (bypassrls)
 	{
-		if (!superuser())
+		if (!has_bypassrls_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create bypassrls users")));
+					 errmsg("must have bypassrls privilege to create bypassrls users")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to create role")));
+		if (createdb && !has_createdb_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have createdb privilege to create createdb users")));
+		if (canlogin && !has_login_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have login privilege to create login users")));
 	}
 
 	/*
@@ -689,7 +688,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to change bypassrls attribute")));
 	}
-	else if (!have_createrole_privilege())
+	else if (!superuser())
 	{
 		/* check the rest */
 		if (dinherit || dcreaterole || dcreatedb || dcanlogin || dconnlimit ||
@@ -888,7 +887,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 
 		/*
 		 * To mess with a superuser you gotta be superuser; else you need
-		 * createrole, or just want to change your own settings
+		 * to own the role, or just want to change your own settings
 		 */
 		if (roleform->rolsuper)
 		{
@@ -899,8 +898,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() &&
-				!pg_role_ownercheck(roleid, GetUserId()))
+			if (!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -1013,18 +1011,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_OBJECT_IN_USE),
 					 errmsg("session user cannot be dropped")));
 
-		/*
-		 * For safety's sake, we allow createrole holders to drop ordinary
-		 * roles but not superuser roles.  This is mainly to avoid the
-		 * scenario where you accidentally drop the last superuser.
-		 */
 		if (roleform->rolsuper && !superuser())
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
-		if (!have_createrole_privilege() &&
-			!pg_role_ownercheck(roleid, GetUserId()))
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to drop role")));
@@ -1205,7 +1197,7 @@ RenameRole(const char *oldname, const char *newname)
 				 errmsg("role \"%s\" already exists", newname)));
 
 	/*
-	 * createrole is enough privilege unless you want to mess with a superuser
+	 * role ownership is enough privilege unless you want to mess with a superuser
 	 */
 	if (((Form_pg_authid) GETSTRUCT(oldtuple))->rolsuper)
 	{
@@ -1216,7 +1208,7 @@ RenameRole(const char *oldname, const char *newname)
 	}
 	else
 	{
-		if (!have_createrole_privilege())
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to rename role")));
@@ -1431,7 +1423,7 @@ AddRoleMems(const char *rolename, Oid roleid,
 		return;
 
 	/*
-	 * Check permissions: must have createrole or admin option on the role to
+	 * Check permissions: must be owner or have admin option on the role to
 	 * be changed.  To mess with a superuser role, you gotta be superuser.
 	 */
 	if (superuser_arg(roleid))
@@ -1441,9 +1433,9 @@ AddRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, grantorId) &&
 			!is_admin_of_role(grantorId, roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1619,9 +1611,9 @@ DelRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, GetUserId()) &&
 			!is_admin_of_role(GetUserId(), roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1777,7 +1769,7 @@ AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		 * roles.  Because superusers will always have this right, we need no
 		 * special case for them.
 		 */
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
 						   NameStr(authForm->rolname));
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 97336db058..cdcce9c569 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4656,7 +4656,7 @@ initialize_acl(void)
 		/*
 		 * In normal mode, set a callback on any syscache invalidation of rows
 		 * of pg_auth_members (for roles_is_member_of()), pg_authid (for
-		 * has_rolinherit()), or pg_database (for roles_is_member_of())
+		 * has_inherit_privilege()), or pg_database (for roles_is_member_of())
 		 */
 		CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
 									  RoleMembershipCacheCallback,
@@ -4690,23 +4690,6 @@ RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue)
 }
 
 
-/* Check if specified role has rolinherit set */
-static bool
-has_rolinherit(Oid roleid)
-{
-	bool		result = false;
-	HeapTuple	utup;
-
-	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
-	if (HeapTupleIsValid(utup))
-	{
-		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
-		ReleaseSysCache(utup);
-	}
-	return result;
-}
-
-
 /*
  * Get a list of roles that the specified roleid is a member of
  *
@@ -4776,7 +4759,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 		CatCList   *memlist;
 		int			i;
 
-		if (type == ROLERECURSE_PRIVS && !has_rolinherit(memberid))
+		if (type == ROLERECURSE_PRIVS && !has_inherit_privilege(memberid))
 			continue;			/* ignore non-inheriting roles */
 
 		/* Find roles that memberid is directly a member of */
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 572cae0f27..7a6640dfc9 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -320,5 +320,10 @@ extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
 extern bool pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
+extern bool has_inherit_privilege(Oid roleid);
+extern bool has_createdb_privilege(Oid roleid);
+extern bool has_login_privilege(Oid roleid);
+extern bool has_replication_privilege(Oid roleid);
+extern int32 role_connection_limit(Oid roleid);
 
 #endif							/* ACL_H */
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 2c42c8ad8d..26d2ef43d9 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -6,22 +6,16 @@ GRANT CREATE ON DATABASE regression TO regress_role_admin;
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
 ERROR:  must be superuser to create superusers
+-- ok, can assign privileges the creator has
 CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
-ERROR:  must be superuser to create replication users
 CREATE ROLE regress_nosuch_replication REPLICATION;
-ERROR:  must be superuser to create replication users
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
-ERROR:  must be superuser to create bypassrls users
 -- fail, only superusers can own superusers
 RESET SESSION AUTHORIZATION;
 CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
 ERROR:  must be superuser to own superusers
 -- ok, superuser can create superusers belonging to other superusers
 CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_super SUPERUSER;
--- ok, superuser can create users with these privileges for normal role
-CREATE ROLE regress_nosuch_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
-CREATE ROLE regress_nosuch_replication AUTHORIZATION regress_role_admin REPLICATION;
-CREATE ROLE regress_nosuch_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
 \du+ regress_nosuch_superuser
                                            List of roles
         Role name         |       Owner        |       Attributes        | Member of | Description 
@@ -53,7 +47,10 @@ ERROR:  role may not own itself
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_login LOGIN;
+ERROR:  must have login privilege to create login users
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
 CREATE ROLE regress_encrypted_password PASSWORD NULL;
@@ -73,12 +70,6 @@ COMMENT ON ROLE regress_password_null IS 'no login test role';
 --------------------+--------------------+---------------------------+-----------+-------------
  regress_createrole | regress_role_admin | Create role, Cannot login | {}        | 
 
-\du+ regress_login
-                               List of roles
-   Role name   |       Owner        | Attributes | Member of | Description 
----------------+--------------------+------------+-----------+-------------
- regress_login | regress_role_admin |            | {}        | 
-
 \du+ regress_inherit
                                  List of roles
     Role name    |       Owner        |  Attributes  | Member of | Description 
@@ -111,19 +102,19 @@ NOTICE:  SYSID can no longer be specified
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
 ERROR:  must be superuser to alter superusers
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
-ERROR:  role "pg_database_owner" cannot have explicit members
+ERROR:  must have admin option on role "pg_database_owner"
 -- ok, can grant other users into a role
 CREATE ROLE regress_inroles ROLE
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 -- fail, cannot grant a role into itself
 CREATE ROLE regress_nosuch_recursive ROLE regress_nosuch_recursive;
 ERROR:  role "regress_nosuch_recursive" is a member of role "regress_nosuch_recursive"
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_adminroles ADMIN
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 -- fail, cannot grant a role into itself with admin option
 CREATE ROLE regress_nosuch_admin_recursive ADMIN regress_nosuch_admin_recursive;
@@ -136,8 +127,11 @@ ERROR:  permission denied to create database
 CREATE ROLE regress_plainrole;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_rolecreator CREATEROLE;
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_tenant CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+ERROR:  must have createdb privilege to create createdb users
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_tenant CREATEROLE INHERIT CONNECTION LIMIT 5;
 -- ok, regress_tenant can create objects within the database
 SET SESSION AUTHORIZATION regress_tenant;
 CREATE TABLE tenant_table (i integer);
@@ -156,17 +150,27 @@ ERROR:  must be member of role "regress_role_admin"
 DROP VIEW tenant_view;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
+ERROR:  must have admin option on role "pg_read_all_data"
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
+ERROR:  must have admin option on role "pg_write_all_data"
 CREATE ROLE regress_monitor IN ROLE pg_monitor;
+ERROR:  must have admin option on role "pg_monitor"
 CREATE ROLE regress_read_all_settings IN ROLE pg_read_all_settings;
+ERROR:  must have admin option on role "pg_read_all_settings"
 CREATE ROLE regress_read_all_stats IN ROLE pg_read_all_stats;
+ERROR:  must have admin option on role "pg_read_all_stats"
 CREATE ROLE regress_stat_scan_tables IN ROLE pg_stat_scan_tables;
+ERROR:  must have admin option on role "pg_stat_scan_tables"
 CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
+ERROR:  must have admin option on role "pg_read_server_files"
 CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
+ERROR:  must have admin option on role "pg_write_server_files"
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
+ERROR:  must have admin option on role "pg_execute_server_program"
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
+ERROR:  must have admin option on role "pg_signal_backend"
 -- fail, cannot create ownership cycles
 RESET SESSION AUTHORIZATION;
 REASSIGN OWNED BY regress_role_admin TO regress_tenant;
@@ -191,19 +195,8 @@ DROP ROLE regress_createrole;
 ERROR:  role "regress_createrole" cannot be dropped because some objects depend on it
 DETAIL:  owner of role regress_rolecreator
 owner of role regress_tenant
-owner of role regress_read_all_data
-owner of role regress_write_all_data
-owner of role regress_monitor
-owner of role regress_read_all_settings
-owner of role regress_read_all_stats
-owner of role regress_stat_scan_tables
-owner of role regress_read_server_files
-owner of role regress_write_server_files
-owner of role regress_execute_server_program
-owner of role regress_signal_backend
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_createdb;
-DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
 DROP ROLE regress_encrypted_password;
@@ -213,16 +206,6 @@ DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
 DROP ROLE regress_tenant;
-DROP ROLE regress_read_all_data;
-DROP ROLE regress_write_all_data;
-DROP ROLE regress_monitor;
-DROP ROLE regress_read_all_settings;
-DROP ROLE regress_read_all_stats;
-DROP ROLE regress_stat_scan_tables;
-DROP ROLE regress_read_server_files;
-DROP ROLE regress_write_server_files;
-DROP ROLE regress_execute_server_program;
-DROP ROLE regress_signal_backend;
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 00e63b7d93..c484d77aa7 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -6,6 +6,8 @@ GRANT CREATE ON DATABASE regression TO regress_role_admin;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
+
+-- ok, can assign privileges the creator has
 CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
 CREATE ROLE regress_nosuch_replication REPLICATION;
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
@@ -17,11 +19,6 @@ CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
 -- ok, superuser can create superusers belonging to other superusers
 CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_super SUPERUSER;
 
--- ok, superuser can create users with these privileges for normal role
-CREATE ROLE regress_nosuch_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
-CREATE ROLE regress_nosuch_replication AUTHORIZATION regress_role_admin REPLICATION;
-CREATE ROLE regress_nosuch_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
-
 \du+ regress_nosuch_superuser
 \du+ regress_nosuch_replication_bypassrls
 \du+ regress_nosuch_replication
@@ -34,7 +31,11 @@ ALTER ROLE regress_nosuch_bypassrls OWNER TO regress_nosuch_bypassrls;
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
+
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_login LOGIN;
+
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
 CREATE ROLE regress_encrypted_password PASSWORD NULL;
@@ -45,7 +46,6 @@ COMMENT ON ROLE regress_password_null IS 'no login test role';
 
 \du+ regress_createdb
 \du+ regress_createrole
-\du+ regress_login
 \du+ regress_inherit
 \du+ regress_connection_limit
 \du+ regress_encrypted_password
@@ -57,12 +57,12 @@ CREATE ROLE regress_noiseword SYSID 12345;
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
 
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
 
 -- ok, can grant other users into a role
 CREATE ROLE regress_inroles ROLE
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 
 -- fail, cannot grant a role into itself
@@ -70,7 +70,7 @@ CREATE ROLE regress_nosuch_recursive ROLE regress_nosuch_recursive;
 
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_adminroles ADMIN
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 
 -- fail, cannot grant a role into itself with admin option
@@ -86,9 +86,12 @@ CREATE ROLE regress_plainrole;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_rolecreator CREATEROLE;
 
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_tenant CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
 
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_tenant CREATEROLE INHERIT CONNECTION LIMIT 5;
+
 -- ok, regress_tenant can create objects within the database
 SET SESSION AUTHORIZATION regress_tenant;
 CREATE TABLE tenant_table (i integer);
@@ -111,7 +114,7 @@ DROP VIEW tenant_view;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
 
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
 CREATE ROLE regress_monitor IN ROLE pg_monitor;
@@ -149,7 +152,6 @@ DROP ROLE regress_createrole;
 
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_createdb;
-DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
 DROP ROLE regress_encrypted_password;
@@ -159,16 +161,6 @@ DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
 DROP ROLE regress_tenant;
-DROP ROLE regress_read_all_data;
-DROP ROLE regress_write_all_data;
-DROP ROLE regress_monitor;
-DROP ROLE regress_read_all_settings;
-DROP ROLE regress_read_all_stats;
-DROP ROLE regress_stat_scan_tables;
-DROP ROLE regress_read_server_files;
-DROP ROLE regress_write_server_files;
-DROP ROLE regress_execute_server_program;
-DROP ROLE regress_signal_backend;
 
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
-- 
2.21.1 (Apple Git-122.3)

From 13000e50d611071eafc0b5bebfa33c2cedec1f90 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 11 Jan 2022 10:26:05 -0800
Subject: [PATCH v6 5/5] Remove grantor field from pg_auth_members

The "grantor" field of pg_auth_members is unused and, more to the
point, unreliable.  The system does not avoid dangling references
from the grantor field to dropped roles in pg_authid.  This creates
the risk that, if an oid is reused for a new role, the grantor field
may point to a role other than the one that performed the grant.

We could fix the bug, but there is no clear solution to the problem
that existing installations may have broken data.  Since the field
is not used for any purpose, removing it seems the best option.
---
 src/backend/commands/user.c            | 17 -----------------
 src/bin/pg_dump/pg_dumpall.c           | 17 ++---------------
 src/include/catalog/pg_auth_members.h  |  1 -
 src/test/regress/expected/oidjoins.out |  1 -
 4 files changed, 2 insertions(+), 34 deletions(-)

diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index cc33277c20..b36b00d46c 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -1455,21 +1455,6 @@ AddRoleMems(const char *rolename, Oid roleid,
 		ereport(ERROR,
 				errmsg("role \"%s\" cannot have explicit members", rolename));
 
-	/*
-	 * The role membership grantor of record has little significance at
-	 * present.  Nonetheless, inasmuch as users might look to it for a crude
-	 * audit trail, let only superusers impute the grant to a third party.
-	 *
-	 * Before lifting this restriction, give the member == role case of
-	 * is_admin_of_role() a fresh look.  Ensure that the current role cannot
-	 * use an explicit grantor specification to take advantage of the session
-	 * user's self-admin right.
-	 */
-	if (grantorId != GetUserId() && !superuser())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("must be superuser to set grantor")));
-
 	pg_authmem_rel = table_open(AuthMemRelationId, RowExclusiveLock);
 	pg_authmem_dsc = RelationGetDescr(pg_authmem_rel);
 
@@ -1545,12 +1530,10 @@ AddRoleMems(const char *rolename, Oid roleid,
 
 		new_record[Anum_pg_auth_members_roleid - 1] = ObjectIdGetDatum(roleid);
 		new_record[Anum_pg_auth_members_member - 1] = ObjectIdGetDatum(memberid);
-		new_record[Anum_pg_auth_members_grantor - 1] = ObjectIdGetDatum(grantorId);
 		new_record[Anum_pg_auth_members_admin_option - 1] = BoolGetDatum(admin_opt);
 
 		if (HeapTupleIsValid(authmem_tuple))
 		{
-			new_record_repl[Anum_pg_auth_members_grantor - 1] = true;
 			new_record_repl[Anum_pg_auth_members_admin_option - 1] = true;
 			tuple = heap_modify_tuple(authmem_tuple, pg_authmem_dsc,
 									  new_record,
diff --git a/src/bin/pg_dump/pg_dumpall.c b/src/bin/pg_dump/pg_dumpall.c
index 10383c713f..cfc997bb73 100644
--- a/src/bin/pg_dump/pg_dumpall.c
+++ b/src/bin/pg_dump/pg_dumpall.c
@@ -945,14 +945,12 @@ dumpRoleMembership(PGconn *conn)
 
 	printfPQExpBuffer(buf, "SELECT ur.rolname AS roleid, "
 					  "um.rolname AS member, "
-					  "a.admin_option, "
-					  "ug.rolname AS grantor "
+					  "a.admin_option "
 					  "FROM pg_auth_members a "
 					  "LEFT JOIN %s ur on ur.oid = a.roleid "
 					  "LEFT JOIN %s um on um.oid = a.member "
-					  "LEFT JOIN %s ug on ug.oid = a.grantor "
 					  "WHERE NOT (ur.rolname ~ '^pg_' AND um.rolname ~ '^pg_')"
-					  "ORDER BY 1,2,3", role_catalog, role_catalog, role_catalog);
+					  "ORDER BY 1,2,3", role_catalog, role_catalog);
 	res = executeQuery(conn, buf->data);
 
 	if (PQntuples(res) > 0)
@@ -968,17 +966,6 @@ dumpRoleMembership(PGconn *conn)
 		fprintf(OPF, " TO %s", fmtId(member));
 		if (*option == 't')
 			fprintf(OPF, " WITH ADMIN OPTION");
-
-		/*
-		 * We don't track the grantor very carefully in the backend, so cope
-		 * with the possibility that it has been dropped.
-		 */
-		if (!PQgetisnull(res, i, 3))
-		{
-			char	   *grantor = PQgetvalue(res, i, 3);
-
-			fprintf(OPF, " GRANTED BY %s", fmtId(grantor));
-		}
 		fprintf(OPF, ";\n");
 	}
 
diff --git a/src/include/catalog/pg_auth_members.h b/src/include/catalog/pg_auth_members.h
index 1bc027f133..c873201688 100644
--- a/src/include/catalog/pg_auth_members.h
+++ b/src/include/catalog/pg_auth_members.h
@@ -31,7 +31,6 @@ CATALOG(pg_auth_members,1261,AuthMemRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_
 {
 	Oid			roleid BKI_LOOKUP(pg_authid);	/* ID of a role */
 	Oid			member BKI_LOOKUP(pg_authid);	/* ID of a member of that role */
-	Oid			grantor BKI_LOOKUP(pg_authid);	/* who granted the membership */
 	bool		admin_option;	/* granted with admin option? */
 } FormData_pg_auth_members;
 
diff --git a/src/test/regress/expected/oidjoins.out b/src/test/regress/expected/oidjoins.out
index 266a30a85b..a6a73df7ff 100644
--- a/src/test/regress/expected/oidjoins.out
+++ b/src/test/regress/expected/oidjoins.out
@@ -197,7 +197,6 @@ NOTICE:  checking pg_tablespace {spcowner} => pg_authid {oid}
 NOTICE:  checking pg_authid {rolowner} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {roleid} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {member} => pg_authid {oid}
-NOTICE:  checking pg_auth_members {grantor} => pg_authid {oid}
 NOTICE:  checking pg_shdepend {dbid} => pg_database {oid}
 NOTICE:  checking pg_shdepend {classid} => pg_class {oid}
 NOTICE:  checking pg_shdepend {refclassid} => pg_class {oid}
-- 
2.21.1 (Apple Git-122.3)

From 08b59a68ed3a333bfb92de20f6ea74ccbc42b652 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 25 Jan 2022 11:15:19 -0800
Subject: [PATCH v7 1/2] Add owners to roles

All roles now have owners.  By default, created roles belong to the
role that created them, and initdb-time roles are owned by the
bootstrap superuser.  Role ownership is transitive; if role A owns
role B, and role B owns role C, then role A can act as the owner of
role C.  Roles may drop or alter roles that they own, and have all
privileges that any role they own has.
---
 doc/src/sgml/ref/create_role.sgml             |  23 ++-
 src/backend/catalog/aclchk.c                  |  30 ++-
 src/backend/catalog/objectaddress.c           |  22 +--
 src/backend/catalog/pg_shdepend.c             |   5 +
 src/backend/catalog/system_views.sql          |   1 +
 src/backend/commands/alter.c                  |   3 +
 src/backend/commands/schemacmds.c             |  10 +-
 src/backend/commands/user.c                   | 180 +++++++++++++++++-
 src/backend/nodes/copyfuncs.c                 |   1 +
 src/backend/nodes/equalfuncs.c                |   1 +
 src/backend/parser/gram.y                     |  19 ++
 src/backend/utils/adt/acl.c                   | 118 ++++++++++++
 src/bin/psql/describe.c                       |  12 ++
 src/include/catalog/pg_authid.h               |   1 +
 src/include/commands/user.h                   |   2 +
 src/include/nodes/parsenodes.h                |   1 +
 src/include/utils/acl.h                       |   2 +
 .../expected/dummy_seclabel.out               |  12 +-
 .../dummy_seclabel/sql/dummy_seclabel.sql     |  12 +-
 .../unsafe_tests/expected/rolenames.out       |   6 +-
 .../modules/unsafe_tests/sql/rolenames.sql    |   3 +-
 src/test/regress/expected/create_role.out     | 177 ++++++++++++++---
 src/test/regress/expected/oidjoins.out        |   1 +
 src/test/regress/expected/privileges.out      |   9 +-
 src/test/regress/expected/rules.out           |   1 +
 src/test/regress/sql/create_role.sql          | 100 ++++++++--
 src/test/regress/sql/privileges.sql           |  10 +-
 27 files changed, 657 insertions(+), 105 deletions(-)

diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index b6a4ea1f72..1e9347b2ce 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -21,9 +21,16 @@ PostgreSQL documentation
 
  <refsynopsisdiv>
 <synopsis>
-CREATE ROLE <replaceable class="parameter">name</replaceable> [ [ WITH ] <replaceable class="parameter">option</replaceable> [ ... ] ]
+CREATE ROLE <replaceable class="parameter">name</replaceable> [ AUTHORIZATION <replaceable class="parameter">role_specification</replaceable> ] [ [ WITH ] <replaceable class="parameter">option</replaceable> [ ... ] ]
 
-<phrase>where <replaceable class="parameter">option</replaceable> can be:</phrase>
+<phrase>where <replaceable class="parameter">role_specification</replaceable> can be:</phrase>
+
+    <replaceable class="parameter">user_name</replaceable>
+    | CURRENT_ROLE
+    | CURRENT_USER
+    | SESSION_USER
+
+<phrase>and <replaceable class="parameter">option</replaceable> can be:</phrase>
 
       SUPERUSER | NOSUPERUSER
     | CREATEDB | NOCREATEDB
@@ -83,6 +90,18 @@ in sync when changing the above synopsis!
       </listitem>
      </varlistentry>
 
+     <varlistentry>
+      <term><replaceable class="parameter">user_name</replaceable></term>
+      <listitem>
+       <para>
+        The role name of the user who will own the new role.  If omitted,
+        defaults to the user executing the command.  To create a role
+        owned by another role, you must be a direct or indirect member of
+        that role, directly or indirectly own that role, or be a superuser.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry>
       <term><literal>SUPERUSER</literal></term>
       <term><literal>NOSUPERUSER</literal></term>
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 1dd03a8e51..1e0ee503e4 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -3385,6 +3385,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("permission denied for publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("permission denied for role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("permission denied for routine %s");
 						break;
@@ -3429,7 +3432,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_RULE:
 					case OBJECT_TABCONSTRAINT:
 					case OBJECT_TRANSFORM:
@@ -3511,6 +3513,9 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_PUBLICATION:
 						msg = gettext_noop("must be owner of publication %s");
 						break;
+					case OBJECT_ROLE:
+						msg = gettext_noop("must be owner of role %s");
+						break;
 					case OBJECT_ROUTINE:
 						msg = gettext_noop("must be owner of routine %s");
 						break;
@@ -3569,7 +3574,6 @@ aclcheck_error(AclResult aclerr, ObjectType objtype,
 					case OBJECT_DOMCONSTRAINT:
 					case OBJECT_PUBLICATION_NAMESPACE:
 					case OBJECT_PUBLICATION_REL:
-					case OBJECT_ROLE:
 					case OBJECT_TRANSFORM:
 					case OBJECT_TSPARSER:
 					case OBJECT_TSTEMPLATE:
@@ -5430,16 +5434,22 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 	return has_privs_of_role(roleid, ownerId);
 }
 
+/*
+ * Ownership check for a role (specified by OID)
+ */
+bool
+pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid)
+{
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(owner_roleid))
+		return true;
+
+	/* Otherwise, check the role ownership hierarchy */
+	return is_owner_of_role_nosuper(owner_roleid, owned_role_oid);
+}
+
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
- *
- * Note: roles do not have owners per se; instead we use this test in
- * places where an ownership-like permissions test is needed for a role.
- * Be sure to apply it to the role trying to do the operation, not the
- * role being operated on!	Also note that this generally should not be
- * considered enough privilege if the target role is a superuser.
- * (We don't handle that consideration here because we want to give a
- * separate error message for such cases, so the caller has to deal with it.)
  */
 bool
 has_createrole_privilege(Oid roleid)
diff --git a/src/backend/catalog/objectaddress.c b/src/backend/catalog/objectaddress.c
index f30c742d48..1a47f28829 100644
--- a/src/backend/catalog/objectaddress.c
+++ b/src/backend/catalog/objectaddress.c
@@ -2596,25 +2596,9 @@ check_object_ownership(Oid roleid, ObjectType objtype, ObjectAddress address,
 							   NameListToString(castNode(List, object)));
 			break;
 		case OBJECT_ROLE:
-
-			/*
-			 * We treat roles as being "owned" by those with CREATEROLE priv,
-			 * except that superusers are only owned by superusers.
-			 */
-			if (superuser_arg(address.objectId))
-			{
-				if (!superuser_arg(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must be superuser")));
-			}
-			else
-			{
-				if (!has_createrole_privilege(roleid))
-					ereport(ERROR,
-							(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-							 errmsg("must have CREATEROLE privilege")));
-			}
+			if (!pg_role_ownercheck(address.objectId, roleid))
+				aclcheck_error(ACLCHECK_NOT_OWNER, objtype,
+							   strVal(object));
 			break;
 		case OBJECT_TSPARSER:
 		case OBJECT_TSTEMPLATE:
diff --git a/src/backend/catalog/pg_shdepend.c b/src/backend/catalog/pg_shdepend.c
index 3e8fa008b9..52f69ad76e 100644
--- a/src/backend/catalog/pg_shdepend.c
+++ b/src/backend/catalog/pg_shdepend.c
@@ -61,6 +61,7 @@
 #include "commands/tablecmds.h"
 #include "commands/tablespace.h"
 #include "commands/typecmds.h"
+#include "commands/user.h"
 #include "miscadmin.h"
 #include "storage/lmgr.h"
 #include "utils/acl.h"
@@ -1578,6 +1579,10 @@ shdepReassignOwned(List *roleids, Oid newrole)
 					AlterSubscriptionOwner_oid(sdepForm->objid, newrole);
 					break;
 
+				case AuthIdRelationId:
+					AlterRoleOwner_oid(sdepForm->objid, newrole);
+					break;
+
 					/* Generic alter owner cases */
 				case CollationRelationId:
 				case ConversionRelationId:
diff --git a/src/backend/catalog/system_views.sql b/src/backend/catalog/system_views.sql
index 3cb69b1f87..057d17460b 100644
--- a/src/backend/catalog/system_views.sql
+++ b/src/backend/catalog/system_views.sql
@@ -17,6 +17,7 @@
 CREATE VIEW pg_roles AS
     SELECT
         rolname,
+        pg_get_userbyid(rolowner) AS rolowner,
         rolsuper,
         rolinherit,
         rolcreaterole,
diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
index 1f64c8aa51..e6c7c84c87 100644
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@@ -840,6 +840,9 @@ ExecAlterOwnerStmt(AlterOwnerStmt *stmt)
 		case OBJECT_DATABASE:
 			return AlterDatabaseOwner(strVal(stmt->object), newowner);
 
+		case OBJECT_ROLE:
+			return AlterRoleOwner(strVal(stmt->object), newowner);
+
 		case OBJECT_SCHEMA:
 			return AlterSchemaOwner(strVal(stmt->object), newowner);
 
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
index 984000a5bc..320e8378c4 100644
--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
@@ -363,11 +363,11 @@ AlterSchemaOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		/*
 		 * must have create-schema rights
 		 *
-		 * NOTE: This is different from other alter-owner checks in that the
-		 * current user is checked for create privileges instead of the
-		 * destination owner.  This is consistent with the CREATE case for
-		 * schemas.  Because superusers will always have this right, we need
-		 * no special case for them.
+		 * NOTE: alter-schema and alter-role are different from other
+		 * alter-owner checks in that the current user is checked for create
+		 * privileges instead of the destination owner.  Alter-schema is
+		 * consistent with the CREATE case for schemas.  Because superusers
+		 * will always have this right, we need no special case for them.
 		 */
 		aclresult = pg_database_aclcheck(MyDatabaseId, GetUserId(),
 										 ACL_CREATE);
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index f9d3c1246b..3726e40f36 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -55,6 +55,8 @@ static void AddRoleMems(const char *rolename, Oid roleid,
 static void DelRoleMems(const char *rolename, Oid roleid,
 						List *memberSpecs, List *memberIds,
 						bool admin_opt);
+static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
+									Oid newOwnerId);
 
 
 /* Check if current user has createrole privileges */
@@ -77,6 +79,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	Datum		new_record[Natts_pg_authid];
 	bool		new_record_nulls[Natts_pg_authid];
 	Oid			roleid;
+	Oid			owner_uid;
+	Oid			saved_uid;
+	int			save_sec_context;
 	ListCell   *item;
 	ListCell   *option;
 	char	   *password = NULL;	/* user password */
@@ -108,6 +113,19 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	DefElem    *dvalidUntil = NULL;
 	DefElem    *dbypassRLS = NULL;
 
+	GetUserIdAndSecContext(&saved_uid, &save_sec_context);
+
+	/*
+	 * Who is supposed to own the new role?
+	 */
+	if (stmt->authrole)
+	{
+		owner_uid = get_rolespec_oid(stmt->authrole, false);
+		check_is_member_of_role(saved_uid, owner_uid);
+	}
+	else
+		owner_uid = saved_uid;
+
 	/* The defaults can vary depending on the original statement type */
 	switch (stmt->stmt_type)
 	{
@@ -254,6 +272,10 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to create superusers")));
+		if (!superuser_arg(owner_uid))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must be superuser to own superusers")));
 	}
 	else if (isreplication)
 	{
@@ -310,6 +332,19 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 				 errmsg("role \"%s\" already exists",
 						stmt->role)));
 
+	/*
+	 * If the requested authorization is different from the current user,
+	 * temporarily set the current user so that the object(s) will be created
+	 * with the correct ownership.
+	 *
+	 * (The setting will be restored at the end of this routine, or in case of
+	 * error, transaction abort will clean things up.)
+	 */
+	if (saved_uid != owner_uid)
+		SetUserIdAndSecContext(owner_uid,
+							   save_sec_context | SECURITY_LOCAL_USERID_CHANGE);
+
+
 	/* Convert validuntil to internal form */
 	if (validUntil)
 	{
@@ -345,6 +380,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 		DirectFunctionCall1(namein, CStringGetDatum(stmt->role));
 
 	new_record[Anum_pg_authid_rolsuper - 1] = BoolGetDatum(issuper);
+	new_record[Anum_pg_authid_rolowner - 1] = ObjectIdGetDatum(owner_uid);
 	new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(inherit);
 	new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(createrole);
 	new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(createdb);
@@ -422,6 +458,8 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	CatalogTupleInsert(pg_authid_rel, tuple);
 
+	recordDependencyOnOwner(AuthIdRelationId, roleid, owner_uid);
+
 	/*
 	 * Advance command counter so we can see new record; else tests in
 	 * AddRoleMems may fail.
@@ -478,6 +516,9 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	table_close(pg_authid_rel, NoLock);
 
+	/* Reset current user and security context */
+	SetUserIdAndSecContext(saved_uid, save_sec_context);
+
 	return roleid;
 }
 
@@ -655,7 +696,8 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 	{
 		/* check the rest */
 		if (dinherit || dcreaterole || dcreatedb || dcanlogin || dconnlimit ||
-			drolemembers || dvalidUntil || !dpassword || roleid != GetUserId())
+			drolemembers || dvalidUntil || !dpassword ||
+			!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied")));
@@ -860,7 +902,8 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() && roleid != GetUserId())
+			if (!have_createrole_privilege() &&
+				!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -912,11 +955,6 @@ DropRole(DropRoleStmt *stmt)
 				pg_auth_members_rel;
 	ListCell   *item;
 
-	if (!have_createrole_privilege())
-		ereport(ERROR,
-				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-				 errmsg("permission denied to drop role")));
-
 	/*
 	 * Scan the pg_authid relation to find the Oid of the role(s) to be
 	 * deleted.
@@ -988,6 +1026,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
+		if (!have_createrole_privilege() &&
+			!pg_role_ownercheck(roleid, GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("permission denied to drop role")));
+
 		/* DROP hook for the role being removed */
 		InvokeObjectDropHook(AuthIdRelationId, roleid, 0);
 
@@ -1051,8 +1095,9 @@ DropRole(DropRoleStmt *stmt)
 		systable_endscan(sscan);
 
 		/*
-		 * Remove any comments or security labels on this role.
+		 * Remove any dependencies, comments or security labels on this role.
 		 */
+		deleteSharedDependencyRecordsFor(AuthIdRelationId, roleid, 0);
 		DeleteSharedComments(roleid, AuthIdRelationId);
 		DeleteSharedSecurityLabel(roleid, AuthIdRelationId);
 
@@ -1648,3 +1693,122 @@ DelRoleMems(const char *rolename, Oid roleid,
 	 */
 	table_close(pg_authmem_rel, NoLock);
 }
+
+/*
+ * Change role owner
+ */
+ObjectAddress
+AlterRoleOwner(const char *name, Oid newOwnerId)
+{
+	Oid                     roleid;
+	HeapTuple       tup;
+	Relation        rel;
+	ObjectAddress address;
+	Form_pg_authid authform;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHNAME, CStringGetDatum(name));
+	if (!HeapTupleIsValid(tup))
+		ereport(ERROR,
+				(errcode(ERRCODE_UNDEFINED_OBJECT),
+				 errmsg("role \"%s\" does not exist", name)));
+
+	authform = (Form_pg_authid) GETSTRUCT(tup);
+	roleid = authform->oid;
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ObjectAddressSet(address, AuthIdRelationId, roleid);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+
+	return address;
+}
+
+void
+AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId)
+{
+	HeapTuple	tup;
+	Relation	rel;
+
+	rel = table_open(AuthIdRelationId, RowExclusiveLock);
+
+	tup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleOid));
+	if (!HeapTupleIsValid(tup))
+		elog(ERROR, "cache lookup failed for role %u", roleOid);
+
+	AlterRoleOwner_internal(tup, rel, newOwnerId);
+
+	ReleaseSysCache(tup);
+
+	table_close(rel, RowExclusiveLock);
+}
+
+static void
+AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
+{
+	Form_pg_authid authForm;
+
+	Assert(tup->t_tableOid == AuthIdRelationId);
+	Assert(RelationGetRelid(rel) == AuthIdRelationId);
+
+	authForm = (Form_pg_authid) GETSTRUCT(tup);
+
+	/*
+	 * If the new owner is the same as the existing owner, consider the
+	 * command to have succeeded.  This is for dump restoration purposes.
+	 */
+	if (authForm->rolowner != newOwnerId)
+	{
+		/* Otherwise, must be owner of the existing object */
+		if (!pg_role_ownercheck(authForm->oid, GetUserId()))
+			aclcheck_error(ACLCHECK_NOT_OWNER, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		/* Must be able to become new owner */
+		check_is_member_of_role(GetUserId(), newOwnerId);
+
+		/*
+		 * must have CREATEROLE rights
+		 *
+		 * NOTE: Alter-role and alter-schema are different from other
+		 * alter-owner checks in that the current user is checked for create
+		 * privileges instead of the destination owner.  Alter-role is
+		 * consistent with the CREATE case for roles.  Because superusers will
+		 * always have this right, we need no special case for them.
+		 */
+		if (!have_createrole_privilege())
+			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
+						   NameStr(authForm->rolname));
+
+		/* Only the bootstrap superuser is allowed to own itself. */
+		if (newOwnerId != BOOTSTRAP_SUPERUSERID && authForm->oid == newOwnerId)
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("role may not own itself")));
+
+		/*
+		 * Must not create cycles in the role ownership hierarchy.  If this
+		 * role owns (directly or indirectly) the proposed new owner, disallow
+		 * the ownership transfer.
+		 */
+		if (is_owner_of_role_nosuper(authForm->oid, newOwnerId))
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_PARAMETER_VALUE),
+					 errmsg("role \"%s\" may not both own and be owned by role \"%s\"",
+							NameStr(authForm->rolname),
+							GetUserNameFromId(newOwnerId, false))));
+
+		authForm->rolowner = newOwnerId;
+		CatalogTupleUpdate(rel, &tup->t_self, tup);
+
+		/* Update owner dependency reference */
+		changeDependencyOnOwner(AuthIdRelationId, authForm->oid, newOwnerId);
+	}
+
+	InvokeObjectPostAlterHook(AuthIdRelationId,
+							  authForm->oid, 0);
+}
diff --git a/src/backend/nodes/copyfuncs.c b/src/backend/nodes/copyfuncs.c
index 90b5da51c9..f43c92a70f 100644
--- a/src/backend/nodes/copyfuncs.c
+++ b/src/backend/nodes/copyfuncs.c
@@ -4522,6 +4522,7 @@ _copyCreateRoleStmt(const CreateRoleStmt *from)
 
 	COPY_SCALAR_FIELD(stmt_type);
 	COPY_STRING_FIELD(role);
+	COPY_NODE_FIELD(authrole);
 	COPY_NODE_FIELD(options);
 
 	return newnode;
diff --git a/src/backend/nodes/equalfuncs.c b/src/backend/nodes/equalfuncs.c
index 06345da3ba..328f155208 100644
--- a/src/backend/nodes/equalfuncs.c
+++ b/src/backend/nodes/equalfuncs.c
@@ -2128,6 +2128,7 @@ _equalCreateRoleStmt(const CreateRoleStmt *a, const CreateRoleStmt *b)
 {
 	COMPARE_SCALAR_FIELD(stmt_type);
 	COMPARE_STRING_FIELD(role);
+	COMPARE_NODE_FIELD(authrole);
 	COMPARE_NODE_FIELD(options);
 
 	return true;
diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
index b5966712ce..024d96470f 100644
--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -1077,9 +1077,20 @@ CreateRoleStmt:
 					CreateRoleStmt *n = makeNode(CreateRoleStmt);
 					n->stmt_type = ROLESTMT_ROLE;
 					n->role = $3;
+					n->authrole = NULL;
 					n->options = $5;
 					$$ = (Node *)n;
 				}
+			|
+			CREATE ROLE RoleId AUTHORIZATION RoleSpec opt_with OptRoleList
+				{
+					CreateRoleStmt *n = makeNode(CreateRoleStmt);
+					n->stmt_type = ROLESTMT_ROLE;
+					n->role = $3;
+					n->authrole = $5;
+					n->options = $7;
+					$$ = (Node *)n;
+				}
 		;
 
 
@@ -9585,6 +9596,14 @@ AlterOwnerStmt: ALTER AGGREGATE aggregate_with_argtypes OWNER TO RoleSpec
 					n->newowner = $6;
 					$$ = (Node *)n;
 				}
+			| ALTER ROLE name OWNER TO RoleSpec
+				{
+					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
+					n->objectType = OBJECT_ROLE;
+					n->object = (Node *) makeString($3);
+					n->newowner = $6;
+					$$ = (Node *)n;
+				}
 			| ALTER ROUTINE function_with_argtypes OWNER TO RoleSpec
 				{
 					AlterOwnerStmt *n = makeNode(AlterOwnerStmt);
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 0a16f8156c..97336db058 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4832,6 +4832,111 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 }
 
 
+/*
+ * Get a list of roles which own the given role, directly or indirectly.
+ *
+ * Each role has only one direct owner.  The returned list contains the given
+ * role's owner, that role's owner, etc., up to the top of the ownership
+ * hierarchy, which is always the bootstrap superuser.
+ *
+ * Raises an error if any role ownership invariant is violated.  Returns NIL if
+ * the given roleid is invalid.
+ */
+static List *
+roles_is_owned_by(Oid roleid)
+{
+	List	   *owners_list = NIL;
+	Oid			role_oid = roleid;
+
+	/*
+	 * Start with the current role and follow the ownership chain upwards until
+	 * we reach the bootstrap superuser.  To defend against getting into an
+	 * infinite loop, we must check for ownership cycles.  We choose to perform
+	 * other corruption checks on the ownership structure while iterating, too.
+	 */
+	while (OidIsValid(role_oid))
+	{
+		HeapTuple		tuple;
+		Form_pg_authid	authform;
+		Oid				owner_oid;
+
+		/* Find the owner of the current iteration's role */
+		tuple = SearchSysCache1(AUTHOID, ObjectIdGetDatum(role_oid));
+		if (!HeapTupleIsValid(tuple))
+			ereport(ERROR,
+					(errcode(ERRCODE_UNDEFINED_OBJECT),
+					 errmsg("role with OID %u does not exist", role_oid)));
+
+		authform = (Form_pg_authid) GETSTRUCT(tuple);
+		owner_oid = authform->rolowner;
+
+		/*
+		 * Roles must necessarily have owners.  Even the bootstrap user has an
+		 * owner.  (It owns itself).
+		 */
+		if (!OidIsValid(owner_oid))
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u has invalid owner",
+							NameStr(authform->rolname), authform->oid)));
+
+		/* The bootstrap user must own itself */
+		if (authform->oid == BOOTSTRAP_SUPERUSERID &&
+			owner_oid != BOOTSTRAP_SUPERUSERID)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owned by role with OID %u",
+							NameStr(authform->rolname), authform->oid,
+							authform->rolowner)));
+
+		/*
+		 * Roles other than the bootstrap user must not be their own direct
+		 * owners.
+		 */
+		if (authform->oid != BOOTSTRAP_SUPERUSERID &&
+			authform->oid == owner_oid)
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u owns itself",
+							NameStr(authform->rolname), authform->oid)));
+
+		ReleaseSysCache(tuple);
+
+		/* If we have reached the bootstrap user, we're done. */
+		if (role_oid == BOOTSTRAP_SUPERUSERID)
+		{
+			if (!owners_list)
+				owners_list = lappend_oid(owners_list, owner_oid);
+			break;
+		}
+
+		/*
+		 * For all other users, check they do not own themselves indirectly
+		 * through an ownership cycle.
+		 *
+		 * Scanning the list each time through this loop results in overall
+		 * quadratic work in the depth of the ownership chain, but we're
+		 * not on a critical performance path, nor do we expect ownership
+		 * hierarchies to be deep.
+		 */
+		if (owners_list && list_member_oid(owners_list,
+										   ObjectIdGetDatum(owner_oid)))
+			ereport(ERROR,
+					(errcode(ERRCODE_DATA_CORRUPTED),
+					 errmsg("role \"%s\" with OID %u indirectly owns itself",
+							GetUserNameFromId(owner_oid, false),
+							owner_oid)));
+
+		/* Done with sanity checks.  Add this owner to the list. */
+		owners_list = lappend_oid(owners_list, owner_oid);
+
+		/* Otherwise, iterate on this iteration's owner_oid. */
+		role_oid = owner_oid;
+	}
+
+	return owners_list;
+}
+
 /*
  * Does member have the privileges of role (directly or indirectly)?
  *
@@ -4850,6 +4955,10 @@ has_privs_of_role(Oid member, Oid role)
 	if (superuser_arg(member))
 		return true;
 
+	/* Owners of roles have every privilege the owned role has */
+	if (pg_role_ownercheck(role, member))
+		return true;
+
 	/*
 	 * Find all the roles that member has the privileges of, including
 	 * multi-level recursion, then see if target role is any one of them.
@@ -4921,6 +5030,15 @@ is_member_of_role_nosuper(Oid member, Oid role)
 						   role);
 }
 
+/*
+ * Is owner a direct or indirect owner of the role, not considering
+ * superuserness?
+ */
+bool
+is_owner_of_role_nosuper(Oid owner, Oid role)
+{
+	return list_member_oid(roles_is_owned_by(role), owner);
+}
 
 /*
  * Is member an admin of role?	That is, is member the role itself (subject to
diff --git a/src/bin/psql/describe.c b/src/bin/psql/describe.c
index 346cd92793..406138609d 100644
--- a/src/bin/psql/describe.c
+++ b/src/bin/psql/describe.c
@@ -3518,6 +3518,12 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 		appendPQExpBufferStr(&buf, "\n, r.rolbypassrls");
 	}
 
+	if (pset.sversion >= 150000)
+	{
+		appendPQExpBufferStr(&buf, "\n, r.rolowner");
+		ncols++;
+	}
+
 	appendPQExpBufferStr(&buf, "\nFROM pg_catalog.pg_roles r\n");
 
 	if (!showSystem && !pattern)
@@ -3538,6 +3544,8 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	printTableInit(&cont, &myopt, _("List of roles"), ncols, nrows);
 
 	printTableAddHeader(&cont, gettext_noop("Role name"), true, align);
+	if (pset.sversion >= 150000)
+		printTableAddHeader(&cont, gettext_noop("Owner"), true, align);
 	printTableAddHeader(&cont, gettext_noop("Attributes"), true, align);
 	/* ignores implicit memberships from superuser & pg_database_owner */
 	printTableAddHeader(&cont, gettext_noop("Member of"), true, align);
@@ -3549,6 +3557,10 @@ describeRoles(const char *pattern, bool verbose, bool showSystem)
 	{
 		printTableAddCell(&cont, PQgetvalue(res, i, 0), false, false);
 
+		if (pset.sversion >= 150000)
+			printTableAddCell(&cont, PQgetvalue(res, i, (verbose ? 12 : 11)),
+							  false, false);
+
 		resetPQExpBuffer(&buf);
 		if (strcmp(PQgetvalue(res, i, 1), "t") == 0)
 			add_role_attribute(&buf, _("Superuser"));
diff --git a/src/include/catalog/pg_authid.h b/src/include/catalog/pg_authid.h
index 4b65e39a1f..3af0f3908c 100644
--- a/src/include/catalog/pg_authid.h
+++ b/src/include/catalog/pg_authid.h
@@ -32,6 +32,7 @@ CATALOG(pg_authid,1260,AuthIdRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_OID(284
 {
 	Oid			oid;			/* oid */
 	NameData	rolname;		/* name of role */
+	Oid			rolowner BKI_DEFAULT(POSTGRES) BKI_LOOKUP(pg_authid); /* owner of this role */
 	bool		rolsuper;		/* read this field via superuser() only! */
 	bool		rolinherit;		/* inherit privileges from other roles? */
 	bool		rolcreaterole;	/* allowed to create more roles? */
diff --git a/src/include/commands/user.h b/src/include/commands/user.h
index 0b7a3cd65f..c32127e41e 100644
--- a/src/include/commands/user.h
+++ b/src/include/commands/user.h
@@ -33,5 +33,7 @@ extern ObjectAddress RenameRole(const char *oldname, const char *newname);
 extern void DropOwnedObjects(DropOwnedStmt *stmt);
 extern void ReassignOwnedObjects(ReassignOwnedStmt *stmt);
 extern List *roleSpecsToIds(List *memberNames);
+extern ObjectAddress AlterRoleOwner(const char *name, Oid newOwnerId);
+extern void AlterRoleOwner_oid(Oid roleOid, Oid newOwnerId);
 
 #endif							/* USER_H */
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 3e9bdc781f..b9d124d38f 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -2623,6 +2623,7 @@ typedef struct CreateRoleStmt
 	NodeTag		type;
 	RoleStmtType stmt_type;		/* ROLE/USER/GROUP */
 	char	   *role;			/* role name */
+	RoleSpec   *authrole;		/* the owner of the created role */
 	List	   *options;		/* List of DefElem nodes */
 } CreateRoleStmt;
 
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 1ce4c5556e..572cae0f27 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -209,6 +209,7 @@ extern bool has_privs_of_role(Oid member, Oid role);
 extern bool is_member_of_role(Oid member, Oid role);
 extern bool is_member_of_role_nosuper(Oid member, Oid role);
 extern bool is_admin_of_role(Oid member, Oid role);
+extern bool is_owner_of_role_nosuper(Oid owner, Oid role);
 extern void check_is_member_of_role(Oid member, Oid role);
 extern Oid	get_role_oid(const char *rolename, bool missing_ok);
 extern Oid	get_role_oid_or_public(const char *rolename);
@@ -316,6 +317,7 @@ extern bool pg_extension_ownercheck(Oid ext_oid, Oid roleid);
 extern bool pg_publication_ownercheck(Oid pub_oid, Oid roleid);
 extern bool pg_subscription_ownercheck(Oid sub_oid, Oid roleid);
 extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
+extern bool pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
 
diff --git a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
index b2d898a7d1..93cf82b750 100644
--- a/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
+++ b/src/test/modules/dummy_seclabel/expected/dummy_seclabel.out
@@ -7,8 +7,11 @@ SET client_min_messages TO 'warning';
 DROP ROLE IF EXISTS regress_dummy_seclabel_user1;
 DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 RESET client_min_messages;
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
 CREATE VIEW dummy_seclabel_view1 AS SELECT * FROM dummy_seclabel_tbl2;
@@ -19,7 +22,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
@@ -29,6 +32,7 @@ ERROR:  '...invalid label...' is not a valid security label
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
 ERROR:  security label provider "unknown_seclabel" is not loaded
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 ERROR:  must be owner of table dummy_seclabel_tbl2
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
@@ -42,7 +46,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
 ERROR:  '...invalid label...' is not a valid security label
@@ -55,7 +59,7 @@ SECURITY LABEL ON ROLE regress_dummy_seclabel_user3 IS 'unclassified';	-- fail (
 ERROR:  role "regress_dummy_seclabel_user3" does not exist
 SET SESSION AUTHORIZATION regress_dummy_seclabel_user2;
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user2 IS 'unclassified';	-- fail (not privileged)
-ERROR:  must have CREATEROLE privilege
+ERROR:  must be owner of role regress_dummy_seclabel_user2
 RESET SESSION AUTHORIZATION;
 --
 -- Test for various types of object
diff --git a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
index 8c347b6a68..bf575343cf 100644
--- a/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
+++ b/src/test/modules/dummy_seclabel/sql/dummy_seclabel.sql
@@ -11,8 +11,12 @@ DROP ROLE IF EXISTS regress_dummy_seclabel_user2;
 
 RESET client_min_messages;
 
-CREATE USER regress_dummy_seclabel_user1 WITH CREATEROLE;
+CREATE USER regress_dummy_seclabel_user0 WITH CREATEROLE;
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
+CREATE USER regress_dummy_seclabel_user1;
 CREATE USER regress_dummy_seclabel_user2;
+RESET SESSION AUTHORIZATION;
 
 CREATE TABLE dummy_seclabel_tbl1 (a int, b text);
 CREATE TABLE dummy_seclabel_tbl2 (x int, y text);
@@ -26,7 +30,7 @@ ALTER TABLE dummy_seclabel_tbl2 OWNER TO regress_dummy_seclabel_user2;
 --
 -- Test of SECURITY LABEL statement with a plugin
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'classified';			-- OK
 SECURITY LABEL ON COLUMN dummy_seclabel_tbl1.a IS 'unclassified';		-- OK
@@ -34,6 +38,8 @@ SECURITY LABEL ON COLUMN dummy_seclabel_tbl1 IS 'unclassified';	-- fail
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS '...invalid label...';	-- fail
 SECURITY LABEL FOR 'dummy' ON TABLE dummy_seclabel_tbl1 IS 'unclassified';	-- OK
 SECURITY LABEL FOR 'unknown_seclabel' ON TABLE dummy_seclabel_tbl1 IS 'classified';	-- fail
+
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
 SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'unclassified';	-- fail (not owner)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl1 IS 'secret';		-- fail (not superuser)
 SECURITY LABEL ON TABLE dummy_seclabel_tbl3 IS 'unclassified';	-- fail (not found)
@@ -45,7 +51,7 @@ SECURITY LABEL ON TABLE dummy_seclabel_tbl2 IS 'classified';			-- OK
 --
 -- Test for shared database object
 --
-SET SESSION AUTHORIZATION regress_dummy_seclabel_user1;
+SET SESSION AUTHORIZATION regress_dummy_seclabel_user0;
 
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS 'classified';			-- OK
 SECURITY LABEL ON ROLE regress_dummy_seclabel_user1 IS '...invalid label...';	-- fail
diff --git a/src/test/modules/unsafe_tests/expected/rolenames.out b/src/test/modules/unsafe_tests/expected/rolenames.out
index eb608fdc2e..8b79a63b80 100644
--- a/src/test/modules/unsafe_tests/expected/rolenames.out
+++ b/src/test/modules/unsafe_tests/expected/rolenames.out
@@ -1086,6 +1086,10 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 \c
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
+ERROR:  role "regress_testrol2" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_role_haspriv
+owner of role regress_role_nopriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/modules/unsafe_tests/sql/rolenames.sql b/src/test/modules/unsafe_tests/sql/rolenames.sql
index adac36536d..95a54ce70d 100644
--- a/src/test/modules/unsafe_tests/sql/rolenames.sql
+++ b/src/test/modules/unsafe_tests/sql/rolenames.sql
@@ -499,6 +499,7 @@ REVOKE pg_read_all_settings FROM regress_role_haspriv;
 
 DROP SCHEMA test_roles_schema;
 DROP OWNED BY regress_testrol0, "Public", "current_role", "current_user", regress_testrol1, regress_testrol2, regress_testrolx CASCADE;
-DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx; -- fails with owner of role regress_role_haspriv
 DROP ROLE "Public", "None", "current_role", "current_user", "session_user", "user";
 DROP ROLE regress_role_haspriv, regress_role_nopriv;
+DROP ROLE regress_testrol0, regress_testrol1, regress_testrol2, regress_testrolx;  -- ok now
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 4e67d72760..4ad6fd4161 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -1,6 +1,8 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_bystander;
 CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_admin;
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
@@ -11,14 +13,108 @@ CREATE ROLE regress_nosuch_replication REPLICATION;
 ERROR:  must be superuser to create replication users
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
 ERROR:  must be superuser to create bypassrls users
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
+ERROR:  must be superuser to own superusers
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_superuser AUTHORIZATION regress_role_super SUPERUSER;
+-- fail, can only create roles belonging to other roles that we belong to
+SET SESSION AUTHORIZATION regress_role_admin;
+CREATE ROLE regress_nosuch_alice AUTHORIZATION regress_role_super;
+ERROR:  must be member of role "regress_role_super"
+CREATE ROLE regress_nosuch_bob AUTHORIZATION regress_superuser;
+ERROR:  must be member of role "regress_superuser"
+CREATE ROLE regress_nosuch_charlie AUTHORIZATION regress_role_bystander;
+ERROR:  must be member of role "regress_role_bystander"
+-- ok, superuser can create users with these privileges for normal role
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
+CREATE ROLE regress_replication AUTHORIZATION regress_role_admin REPLICATION;
+CREATE ROLE regress_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
+\du+ regress_superuser
+                                       List of roles
+     Role name     |       Owner        |       Attributes        | Member of | Description 
+-------------------+--------------------+-------------------------+-----------+-------------
+ regress_superuser | regress_role_super | Superuser, Cannot login | {}        | 
+
+\du+ regress_replication_bypassrls
+                                                    List of roles
+           Role name           |       Owner        |              Attributes               | Member of | Description 
+-------------------------------+--------------------+---------------------------------------+-----------+-------------
+ regress_replication_bypassrls | regress_role_admin | Cannot login, Replication, Bypass RLS | {}        | 
+
+\du+ regress_replication
+                                         List of roles
+      Role name      |       Owner        |        Attributes         | Member of | Description 
+---------------------+--------------------+---------------------------+-----------+-------------
+ regress_replication | regress_role_admin | Cannot login, Replication | {}        | 
+
+\du+ regress_bypassrls
+                                        List of roles
+     Role name     |       Owner        |        Attributes        | Member of | Description 
+-------------------+--------------------+--------------------------+-----------+-------------
+ regress_bypassrls | regress_role_admin | Cannot login, Bypass RLS | {}        | 
+
+-- fail, roles are not allowed to own themselves
+ALTER ROLE regress_bypassrls OWNER TO regress_bypassrls;
+ERROR:  role may not own itself
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
 CREATE ROLE regress_login LOGIN;
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
-CREATE ROLE regress_encrypted_password ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_password_null PASSWORD NULL;
+CREATE ROLE regress_encrypted_password PASSWORD NULL;
+CREATE ROLE regress_password_null
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_createdb, regress_createrole;
+COMMENT ON ROLE regress_password_null IS 'no login test role';
+\du+ regress_createdb
+                                       List of roles
+    Role name     |       Owner        |       Attributes        | Member of | Description 
+------------------+--------------------+-------------------------+-----------+-------------
+ regress_createdb | regress_role_admin | Create DB, Cannot login | {}        | 
+
+\du+ regress_createrole
+                                         List of roles
+     Role name      |       Owner        |        Attributes         | Member of | Description 
+--------------------+--------------------+---------------------------+-----------+-------------
+ regress_createrole | regress_role_admin | Create role, Cannot login | {}        | 
+
+\du+ regress_login
+                               List of roles
+   Role name   |       Owner        | Attributes | Member of | Description 
+---------------+--------------------+------------+-----------+-------------
+ regress_login | regress_role_admin |            | {}        | 
+
+\du+ regress_inherit
+                                 List of roles
+    Role name    |       Owner        |  Attributes  | Member of | Description 
+-----------------+--------------------+--------------+-----------+-------------
+ regress_inherit | regress_role_admin | Cannot login | {}        | 
+
+\du+ regress_connection_limit
+                                      List of roles
+        Role name         |       Owner        |  Attributes   | Member of | Description 
+--------------------------+--------------------+---------------+-----------+-------------
+ regress_connection_limit | regress_role_admin | Cannot login +| {}        | 
+                          |                    | 5 connections |           | 
+
+\du+ regress_encrypted_password
+                                      List of roles
+         Role name          |       Owner        |  Attributes  | Member of | Description 
+----------------------------+--------------------+--------------+-----------+-------------
+ regress_encrypted_password | regress_role_admin | Cannot login | {}        | 
+
+\du+ regress_password_null
+                                                                 List of roles
+       Role name       |       Owner        |              Attributes              |               Member of               |    Description     
+-----------------------+--------------------+--------------------------------------+---------------------------------------+--------------------
+ regress_password_null | regress_role_admin | Create role, Create DB, Cannot login+| {regress_createdb,regress_createrole} | no login test role
+                       |                    | 2 connections                        |                                       | 
+
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_noiseword SYSID 12345;
 NOTICE:  SYSID can no longer be specified
@@ -58,21 +154,18 @@ CREATE TABLE tenant_table (i integer);
 CREATE INDEX tenant_idx ON tenant_table(i);
 CREATE VIEW tenant_view AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON tenant_table FROM PUBLIC;
--- fail, these objects belonging to regress_tenant
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_createrole;
 DROP INDEX tenant_idx;
-ERROR:  must be owner of index tenant_idx
 ALTER TABLE tenant_table ADD COLUMN t text;
-ERROR:  must be owner of table tenant_table
 DROP TABLE tenant_table;
-ERROR:  must be owner of table tenant_table
+-- fail, not a member of target role
 ALTER VIEW tenant_view OWNER TO regress_role_admin;
-ERROR:  must be owner of view tenant_view
+ERROR:  must be member of role "regress_role_admin"
+-- ok
 DROP VIEW tenant_view;
-ERROR:  must be owner of view tenant_view
--- fail, cannot take ownership of these objects from regress_tenant
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
-ERROR:  permission denied to reassign objects
 -- ok, having CREATEROLE is enough to create roles in privileged roles
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
@@ -84,16 +177,24 @@ CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
 CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot create ownership cycles
+RESET SESSION AUTHORIZATION;
+REASSIGN OWNED BY regress_role_admin TO regress_tenant;
+ERROR:  role "regress_createrole" may not both own and be owned by role "regress_tenant"
+ALTER ROLE regress_role_admin OWNER TO regress_tenant;
+ERROR:  role "regress_role_admin" may not both own and be owned by role "regress_tenant"
+-- ok, can take ownership from owned roles
+SET SESSION AUTHORIZATION regress_role_admin;
+ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
+REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
+DROP ROLE regress_superuser;
+-- ok, non-superuser roles can drop non-superuser roles they own
 SET SESSION AUTHORIZATION regress_role_admin;
-DROP ROLE regress_nosuch_superuser;
-ERROR:  role "regress_nosuch_superuser" does not exist
-DROP ROLE regress_nosuch_replication_bypassrls;
-ERROR:  role "regress_nosuch_replication_bypassrls" does not exist
-DROP ROLE regress_nosuch_replication;
-ERROR:  role "regress_nosuch_replication" does not exist
-DROP ROLE regress_nosuch_bypassrls;
-ERROR:  role "regress_nosuch_bypassrls" does not exist
+DROP ROLE regress_replication_bypassrls;
+DROP ROLE regress_replication;
+DROP ROLE regress_bypassrls;
 DROP ROLE regress_nosuch_super;
 ERROR:  role "regress_nosuch_super" does not exist
 DROP ROLE regress_nosuch_dbowner;
@@ -103,9 +204,23 @@ ERROR:  role "regress_nosuch_recursive" does not exist
 DROP ROLE regress_nosuch_admin_recursive;
 ERROR:  role "regress_nosuch_admin_recursive" does not exist
 DROP ROLE regress_plainrole;
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_createdb;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_createrole;
+ERROR:  role "regress_createrole" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_rolecreator
+owner of role regress_tenant
+owner of role regress_read_all_data
+owner of role regress_write_all_data
+owner of role regress_monitor
+owner of role regress_read_all_settings
+owner of role regress_read_all_stats
+owner of role regress_stat_scan_tables
+owner of role regress_read_server_files
+owner of role regress_write_server_files
+owner of role regress_execute_server_program
+owner of role regress_signal_backend
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_createdb;
 DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
@@ -115,6 +230,7 @@ DROP ROLE regress_noiseword;
 DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
+DROP ROLE regress_tenant;
 DROP ROLE regress_read_all_data;
 DROP ROLE regress_write_all_data;
 DROP ROLE regress_monitor;
@@ -125,21 +241,20 @@ DROP ROLE regress_read_server_files;
 DROP ROLE regress_write_server_files;
 DROP ROLE regress_execute_server_program;
 DROP ROLE regress_signal_backend;
--- fail, role still owns database objects
-DROP ROLE regress_tenant;
-ERROR:  role "regress_tenant" cannot be dropped because some objects depend on it
-DETAIL:  owner of table tenant_table
-owner of view tenant_view
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
 DROP ROLE regress_role_admin;
 ERROR:  current user cannot be dropped
--- ok
+-- ok, no more owned roles remain
+DROP ROLE regress_createrole;
+-- fail, cannot drop role with remaining privileges
 RESET SESSION AUTHORIZATION;
-DROP INDEX tenant_idx;
-DROP TABLE tenant_table;
-DROP VIEW tenant_view;
-DROP ROLE regress_tenant;
 DROP ROLE regress_role_admin;
+ERROR:  role "regress_role_admin" cannot be dropped because some objects depend on it
+DETAIL:  privileges for database regression
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_admin;
+DROP ROLE regress_role_admin;
+DROP ROLE regress_role_bystander;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/expected/oidjoins.out b/src/test/regress/expected/oidjoins.out
index 215eb899be..266a30a85b 100644
--- a/src/test/regress/expected/oidjoins.out
+++ b/src/test/regress/expected/oidjoins.out
@@ -194,6 +194,7 @@ NOTICE:  checking pg_database {dattablespace} => pg_tablespace {oid}
 NOTICE:  checking pg_db_role_setting {setdatabase} => pg_database {oid}
 NOTICE:  checking pg_db_role_setting {setrole} => pg_authid {oid}
 NOTICE:  checking pg_tablespace {spcowner} => pg_authid {oid}
+NOTICE:  checking pg_authid {rolowner} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {roleid} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {member} => pg_authid {oid}
 NOTICE:  checking pg_auth_members {grantor} => pg_authid {oid}
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 291e21d7a6..9ce619fd5f 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -27,8 +27,10 @@ CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
 CREATE USER regress_priv_user5;	-- duplicate
 ERROR:  role "regress_priv_user5" already exists
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 CREATE USER regress_priv_user8;
 CREATE USER regress_priv_user9;
 CREATE USER regress_priv_user10;
@@ -2356,7 +2358,12 @@ DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
 DROP USER regress_priv_user6;
+ERROR:  role "regress_priv_user6" cannot be dropped because some objects depend on it
+DETAIL:  owner of role regress_priv_user7
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 ERROR:  role "regress_priv_user8" does not exist
 -- permissions with LOCK TABLE
diff --git a/src/test/regress/expected/rules.out b/src/test/regress/expected/rules.out
index d652f7b5fb..b6e3c508ba 100644
--- a/src/test/regress/expected/rules.out
+++ b/src/test/regress/expected/rules.out
@@ -1482,6 +1482,7 @@ pg_replication_slots| SELECT l.slot_name,
    FROM (pg_get_replication_slots() l(slot_name, plugin, slot_type, datoid, temporary, active, active_pid, xmin, catalog_xmin, restart_lsn, confirmed_flush_lsn, wal_status, safe_wal_size, two_phase)
      LEFT JOIN pg_database d ON ((l.datoid = d.oid)));
 pg_roles| SELECT pg_authid.rolname,
+    pg_get_userbyid(pg_authid.rolowner) AS rolowner,
     pg_authid.rolsuper,
     pg_authid.rolinherit,
     pg_authid.rolcreaterole,
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 292dc08797..6266586b8b 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -1,6 +1,8 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
+CREATE ROLE regress_role_bystander;
 CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
+GRANT CREATE ON DATABASE regression TO regress_role_admin;
 
 -- fail, only superusers can create users with these privileges
 SET SESSION AUTHORIZATION regress_role_admin;
@@ -9,14 +11,53 @@ CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
 CREATE ROLE regress_nosuch_replication REPLICATION;
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
 
+-- fail, only superusers can own superusers
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
+
+-- ok, superuser can create superusers belonging to other superusers
+CREATE ROLE regress_superuser AUTHORIZATION regress_role_super SUPERUSER;
+
+-- fail, can only create roles belonging to other roles that we belong to
+SET SESSION AUTHORIZATION regress_role_admin;
+CREATE ROLE regress_nosuch_alice AUTHORIZATION regress_role_super;
+CREATE ROLE regress_nosuch_bob AUTHORIZATION regress_superuser;
+CREATE ROLE regress_nosuch_charlie AUTHORIZATION regress_role_bystander;
+
+-- ok, superuser can create users with these privileges for normal role
+RESET SESSION AUTHORIZATION;
+CREATE ROLE regress_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
+CREATE ROLE regress_replication AUTHORIZATION regress_role_admin REPLICATION;
+CREATE ROLE regress_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
+
+\du+ regress_superuser
+\du+ regress_replication_bypassrls
+\du+ regress_replication
+\du+ regress_bypassrls
+
+-- fail, roles are not allowed to own themselves
+ALTER ROLE regress_bypassrls OWNER TO regress_bypassrls;
+
 -- ok, having CREATEROLE is enough to create users with these privileges
+SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
 CREATE ROLE regress_login LOGIN;
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
-CREATE ROLE regress_encrypted_password ENCRYPTED PASSWORD 'foo';
-CREATE ROLE regress_password_null PASSWORD NULL;
+CREATE ROLE regress_encrypted_password PASSWORD NULL;
+CREATE ROLE regress_password_null
+  CREATEDB CREATEROLE INHERIT CONNECTION LIMIT 2 ENCRYPTED PASSWORD 'foo'
+  IN ROLE regress_createdb, regress_createrole;
+COMMENT ON ROLE regress_password_null IS 'no login test role';
+
+\du+ regress_createdb
+\du+ regress_createrole
+\du+ regress_login
+\du+ regress_inherit
+\du+ regress_connection_limit
+\du+ regress_encrypted_password
+\du+ regress_password_null
 
 -- ok, backwards compatible noise words should be ignored
 CREATE ROLE regress_noiseword SYSID 12345;
@@ -63,15 +104,19 @@ CREATE INDEX tenant_idx ON tenant_table(i);
 CREATE VIEW tenant_view AS SELECT * FROM pg_catalog.pg_class;
 REVOKE ALL PRIVILEGES ON tenant_table FROM PUBLIC;
 
--- fail, these objects belonging to regress_tenant
+-- ok, owning role can manage owned role's objects
 SET SESSION AUTHORIZATION regress_createrole;
 DROP INDEX tenant_idx;
 ALTER TABLE tenant_table ADD COLUMN t text;
 DROP TABLE tenant_table;
+
+-- fail, not a member of target role
 ALTER VIEW tenant_view OWNER TO regress_role_admin;
+
+-- ok
 DROP VIEW tenant_view;
 
--- fail, cannot take ownership of these objects from regress_tenant
+-- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
 
 -- ok, having CREATEROLE is enough to create roles in privileged roles
@@ -86,21 +131,36 @@ CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
 
--- fail, creation of these roles failed above so they do not now exist
+-- fail, cannot create ownership cycles
+RESET SESSION AUTHORIZATION;
+REASSIGN OWNED BY regress_role_admin TO regress_tenant;
+ALTER ROLE regress_role_admin OWNER TO regress_tenant;
+
+-- ok, can take ownership from owned roles
 SET SESSION AUTHORIZATION regress_role_admin;
-DROP ROLE regress_nosuch_superuser;
-DROP ROLE regress_nosuch_replication_bypassrls;
-DROP ROLE regress_nosuch_replication;
-DROP ROLE regress_nosuch_bypassrls;
+ALTER ROLE regress_plainrole OWNER TO regress_role_admin;
+REASSIGN OWNED BY regress_plainrole TO regress_role_admin;
+
+-- ok, superuser roles can drop superuser roles they own
+SET SESSION AUTHORIZATION regress_role_super;
+DROP ROLE regress_superuser;
+
+-- ok, non-superuser roles can drop non-superuser roles they own
+SET SESSION AUTHORIZATION regress_role_admin;
+DROP ROLE regress_replication_bypassrls;
+DROP ROLE regress_replication;
+DROP ROLE regress_bypassrls;
 DROP ROLE regress_nosuch_super;
 DROP ROLE regress_nosuch_dbowner;
 DROP ROLE regress_nosuch_recursive;
 DROP ROLE regress_nosuch_admin_recursive;
 DROP ROLE regress_plainrole;
 
--- ok, should be able to drop non-superuser roles we created
-DROP ROLE regress_createdb;
+-- fail, cannot drop roles that own other roles
 DROP ROLE regress_createrole;
+
+-- ok, should be able to drop these non-superuser roles
+DROP ROLE regress_createdb;
 DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
@@ -110,6 +170,7 @@ DROP ROLE regress_noiseword;
 DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
+DROP ROLE regress_tenant;
 DROP ROLE regress_read_all_data;
 DROP ROLE regress_write_all_data;
 DROP ROLE regress_monitor;
@@ -121,18 +182,19 @@ DROP ROLE regress_write_server_files;
 DROP ROLE regress_execute_server_program;
 DROP ROLE regress_signal_backend;
 
--- fail, role still owns database objects
-DROP ROLE regress_tenant;
-
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 DROP ROLE regress_role_admin;
 
--- ok
+-- ok, no more owned roles remain
+DROP ROLE regress_createrole;
+
+-- fail, cannot drop role with remaining privileges
 RESET SESSION AUTHORIZATION;
-DROP INDEX tenant_idx;
-DROP TABLE tenant_table;
-DROP VIEW tenant_view;
-DROP ROLE regress_tenant;
 DROP ROLE regress_role_admin;
+
+-- ok, can drop role if we revoke privileges first
+REVOKE CREATE ON DATABASE regression FROM regress_role_admin;
+DROP ROLE regress_role_admin;
+DROP ROLE regress_role_bystander;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index c8c545b64c..dcf84f91fd 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -30,8 +30,10 @@ CREATE USER regress_priv_user3;
 CREATE USER regress_priv_user4;
 CREATE USER regress_priv_user5;
 CREATE USER regress_priv_user5;	-- duplicate
-CREATE USER regress_priv_user6;
+CREATE USER regress_priv_user6 CREATEROLE;
+SET SESSION AUTHORIZATION regress_priv_user6;
 CREATE USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
 CREATE USER regress_priv_user8;
 CREATE USER regress_priv_user9;
 CREATE USER regress_priv_user10;
@@ -1426,8 +1428,14 @@ DROP USER regress_priv_user2;
 DROP USER regress_priv_user3;
 DROP USER regress_priv_user4;
 DROP USER regress_priv_user5;
+
 DROP USER regress_priv_user6;
+
+SET SESSION AUTHORIZATION regress_priv_user6;
 DROP USER regress_priv_user7;
+RESET SESSION AUTHORIZATION;
+
+DROP USER regress_priv_user6;
 DROP USER regress_priv_user8; -- does not exist
 
 
-- 
2.21.1 (Apple Git-122.3)

From e6faa2a27cf01fd85c8d95101d89eb78416d4df6 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Tue, 25 Jan 2022 14:54:06 -0800
Subject: [PATCH v7 2/2] Restrict power granted via CREATEROLE.

The CREATEROLE attribute no longer has anything to do with the power
to alter roles or to grant or revoke role membership, but merely the
ability to create new roles, as its name suggests.  The ability to
alter a role is based on role ownership; the ability to grant and
revoke role membership is based on having admin privilege on the
relevant role or alternatively on role ownership, as owners now
implicitly have admin privileges on roles they own.

A role must either be superuser or have the CREATEROLE attribute to
create roles.  This is unchanged from the prior behavior.  A new
principle is adopted, though, to make CREATEROLE less dangerous:  a
role may not create new roles with privileges that the creating role
lacks.  This new principle is intended to prevent privilege
escalation attacks stemming from giving CREATEROLE to a user.  This
is not backwards compatible.  The idea is to fix the CREATEROLE
privilege to not be pathway to gaining superuser, and no
non-breaking change to accomplish that is apparent.

SUPERUSER, REPLICATION, BYPASSRLS, CREATEDB, CREATEROLE and LOGIN
privilege can only be given to new roles by creators who have the
same privilege.  In the case of the CREATEROLE privilege, this is
trivially true, as the creator must necessarily have it or they
couldn't be creating the role to begin with.

The INHERIT attribute is not considered a privilege, and since a
user who belongs to a role may SET ROLE to that role and do anything
that role can do, it isn't clear that treating it as a privilege
would stop any privilege escalation attacks.

The CONNECTION LIMIT and VALID UNTIL attributes are also not
considered privileges, but this design choice is debatable.  One
could think of the ability to log in during a given window of time,
or up to a certain number of connections as a privilege, and
allowing such a restricted role to create a new role with unlimited
connections or no expiration as a privilege escalation which escapes
the intended restrictions.  However, it is just as easy to think of
these limitations as being used to guard against badly written
client programs connecting too many times, or connecting at a time
of day that is not intended.  Since it is unclear which design is
better, this commit is conservative and the handling of these
attributes is unchanged relative to prior behavior.

Since the grammar of the CREATE ROLE command allows specifying roles
into which the new role should be enrolled, and also lists of roles
which become members of the newly created role (as admin or not),
the CREATE ROLE command may now fail if the creating role has
insufficient privilege on the roles so listed.  Such failures were
not possible before, since the CREATEROLE privilege was always
sufficient.
---
 doc/src/sgml/ddl.sgml                     |  12 +--
 doc/src/sgml/ref/alter_role.sgml          |  20 ++--
 doc/src/sgml/ref/comment.sgml             |   8 +-
 doc/src/sgml/ref/create_role.sgml         |  26 +++--
 doc/src/sgml/ref/drop_role.sgml           |   3 +-
 doc/src/sgml/ref/dropuser.sgml            |   6 +-
 doc/src/sgml/ref/grant.sgml               |   4 +-
 doc/src/sgml/user-manag.sgml              |  44 +++++----
 src/backend/catalog/aclchk.c              | 111 ++++++++++++++++++++++
 src/backend/commands/user.c               |  60 +++++-------
 src/backend/utils/adt/acl.c               |  21 +---
 src/include/utils/acl.h                   |   5 +
 src/test/regress/expected/create_role.out |  73 ++++++--------
 src/test/regress/sql/create_role.sql      |  45 ++++-----
 14 files changed, 264 insertions(+), 174 deletions(-)

diff --git a/doc/src/sgml/ddl.sgml b/doc/src/sgml/ddl.sgml
index 7cf0f0da3b..85c133d00d 100644
--- a/doc/src/sgml/ddl.sgml
+++ b/doc/src/sgml/ddl.sgml
@@ -3132,9 +3132,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
            doesn't preserve that DROP.
 
            A database owner can attack the database's users via "CREATE SCHEMA
-           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;".  A
-           CREATEROLE user can issue "GRANT $dbowner TO $me" and then use the
-           database owner attack. -->
+           trojan; ALTER DATABASE $mydb SET search_path = trojan, public;". -->
       <para>
        Constrain ordinary users to user-private schemas.  To implement this,
        first issue <literal>REVOKE CREATE ON SCHEMA public FROM
@@ -3146,9 +3144,8 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        pattern in a database where untrusted users had already logged in,
        consider auditing the public schema for objects named like objects in
        schema <literal>pg_catalog</literal>.  This pattern is a secure schema
-       usage pattern unless an untrusted user is the database owner or holds
-       the <literal>CREATEROLE</literal> privilege, in which case no secure
-       schema usage pattern exists.
+       usage pattern unless an untrusted user is the database owner, in which
+       case no secure schema usage pattern exists.
       </para>
       <para>
        If the database originated in an upgrade
@@ -3170,8 +3167,7 @@ REVOKE CREATE ON SCHEMA public FROM PUBLIC;
        schema <link linkend="typeconv-func">will be unsafe or
        unreliable</link>.  If you create functions or extensions in the public
        schema, use the first pattern instead.  Otherwise, like the first
-       pattern, this is secure unless an untrusted user is the database owner
-       or holds the <literal>CREATEROLE</literal> privilege.
+       pattern, this is secure unless an untrusted user is the database owner.
       </para>
      </listitem>
 
diff --git a/doc/src/sgml/ref/alter_role.sgml b/doc/src/sgml/ref/alter_role.sgml
index 5aa5648ae7..fc9bea8072 100644
--- a/doc/src/sgml/ref/alter_role.sgml
+++ b/doc/src/sgml/ref/alter_role.sgml
@@ -70,18 +70,18 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
    <link linkend="sql-revoke"><command>REVOKE</command></link> for that.)
    Attributes not mentioned in the command retain their previous settings.
    Database superusers can change any of these settings for any role.
-   Roles having <literal>CREATEROLE</literal> privilege can change any of these
-   settings except <literal>SUPERUSER</literal>, <literal>REPLICATION</literal>,
-   and <literal>BYPASSRLS</literal>; but only for non-superuser and
-   non-replication roles.
-   Ordinary roles can only change their own password.
+   Role owners can change any of these settings on roles they directly or
+   indirectly own except <literal>SUPERUSER</literal>,
+   <literal>REPLICATION</literal>, and <literal>BYPASSRLS</literal>; but only
+   for non-superuser and non-replication roles, and only if the role owner does
+   not alter the target role to have a privilege which the role owner itself
+   lacks.  Ordinary roles can only change their own password.
   </para>
 
   <para>
    The second variant changes the name of the role.
    Database superusers can rename any role.
-   Roles having <literal>CREATEROLE</literal> privilege can rename non-superuser
-   roles.
+   Roles can rename non-superuser roles they directly or indirectly own.
    The current session user cannot be renamed.
    (Connect as a different user if you need to do that.)
    Because <literal>MD5</literal>-encrypted passwords use the role name as
@@ -114,9 +114,9 @@ ALTER ROLE { <replaceable class="parameter">role_specification</replaceable> | A
   </para>
 
   <para>
-   Superusers can change anyone's session defaults. Roles having
-   <literal>CREATEROLE</literal> privilege can change defaults for non-superuser
-   roles. Ordinary roles can only set defaults for themselves.
+   Superusers can change anyone's session defaults. Roles may change
+   privilege for non-superuser roles they directly or indirectly own. Ordinary roles can only set
+   defaults for themselves.
    Certain configuration variables cannot be set this way, or can only be
    set if a superuser issues the command.  Only superusers can change a setting
    for all roles in all databases.
diff --git a/doc/src/sgml/ref/comment.sgml b/doc/src/sgml/ref/comment.sgml
index b12796095f..38c78c9971 100644
--- a/doc/src/sgml/ref/comment.sgml
+++ b/doc/src/sgml/ref/comment.sgml
@@ -97,12 +97,8 @@ COMMENT ON
 
   <para>
    For most kinds of object, only the object's owner can set the comment.
-   Roles don't have owners, so the rule for <literal>COMMENT ON ROLE</literal> is
-   that you must be superuser to comment on a superuser role, or have the
-   <literal>CREATEROLE</literal> privilege to comment on non-superuser roles.
-   Likewise, access methods don't have owners either; you must be superuser
-   to comment on an access method.
-   Of course, a superuser can comment on anything.
+   Access methods don't have owners; you must be superuser to comment on an
+   access method.  Of course, a superuser can comment on anything.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index 1e9347b2ce..59bbd418f4 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -126,8 +126,10 @@ in sync when changing the above synopsis!
         <literal>CREATEDB</literal> is specified, the role being
         defined will be allowed to create new databases. Specifying
         <literal>NOCREATEDB</literal> will deny a role the ability to
-        create databases. If not specified,
-        <literal>NOCREATEDB</literal> is the default.
+        create databases. Only roles with the <literal>CREATEDB</literal>
+        attribute may create roles with the <literal>CREATEDB</literal>
+        attribute. If not specified, <literal>NOCREATEDB</literal> is the
+        default.
        </para>
       </listitem>
      </varlistentry>
@@ -139,8 +141,6 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role will be permitted to
         create new roles (that is, execute <command>CREATE ROLE</command>).
-        A role with <literal>CREATEROLE</literal> privilege can also alter
-        and drop other roles.
         If not specified,
         <literal>NOCREATEROLE</literal> is the default.
        </para>
@@ -182,6 +182,8 @@ in sync when changing the above synopsis!
         <literal>NOLOGIN</literal> is the default, except when
         <command>CREATE ROLE</command> is invoked through its alternative spelling
         <link linkend="sql-createuser"><command>CREATE USER</command></link>.
+        You must have the <literal>LOGIN</literal> attribute to create a new role
+        with the <literal>LOGIN</literal> attribute.
        </para>
       </listitem>
      </varlistentry>
@@ -213,8 +215,8 @@ in sync when changing the above synopsis!
        <para>
         These clauses determine whether a role bypasses every row-level
         security (RLS) policy.  <literal>NOBYPASSRLS</literal> is the default.
-        You must be a superuser to create a new role having
-        the <literal>BYPASSRLS</literal> attribute.
+        You must have the <literal>BYPASSRLS</literal> attribute to create a
+        new role having the <literal>BYPASSRLS</literal> attribute.
        </para>
 
        <para>
@@ -300,6 +302,10 @@ in sync when changing the above synopsis!
         member.  (Note that there is no option to add the new role as an
         administrator; use a separate <command>GRANT</command> command to do that.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -320,6 +326,10 @@ in sync when changing the above synopsis!
         roles which are automatically added as members of the new role.
         (This in effect makes the new role a <quote>group</quote>.)
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
@@ -332,6 +342,10 @@ in sync when changing the above synopsis!
         OPTION</literal>, giving them the right to grant membership in this role
         to others.
        </para>
+       <para>
+        If not a superuser, the creating role must either own or have admin
+        privilege on each listed role.
+       </para>
       </listitem>
      </varlistentry>
 
diff --git a/doc/src/sgml/ref/drop_role.sgml b/doc/src/sgml/ref/drop_role.sgml
index 13dc1cc649..c3d57ee8db 100644
--- a/doc/src/sgml/ref/drop_role.sgml
+++ b/doc/src/sgml/ref/drop_role.sgml
@@ -31,8 +31,7 @@ DROP ROLE [ IF EXISTS ] <replaceable class="parameter">name</replaceable> [, ...
   <para>
    <command>DROP ROLE</command> removes the specified role(s).
    To drop a superuser role, you must be a superuser yourself;
-   to drop non-superuser roles, you must have <literal>CREATEROLE</literal>
-   privilege.
+   to drop non-superuser roles, you must own the target role.
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/dropuser.sgml b/doc/src/sgml/ref/dropuser.sgml
index 81580507e8..30a99eaf68 100644
--- a/doc/src/sgml/ref/dropuser.sgml
+++ b/doc/src/sgml/ref/dropuser.sgml
@@ -35,9 +35,9 @@ PostgreSQL documentation
   <para>
    <application>dropuser</application> removes an existing
    <productname>PostgreSQL</productname> user.
-   Only superusers and users with the <literal>CREATEROLE</literal> privilege can
-   remove <productname>PostgreSQL</productname> users.  (To remove a
-   superuser, you must yourself be a superuser.)
+   A <productname>PostgreSQL</productname> user may only be removed by its
+   owner or by a superuser.  (To remove a superuser, you must yourself be a
+   superuser.)
   </para>
 
   <para>
diff --git a/doc/src/sgml/ref/grant.sgml b/doc/src/sgml/ref/grant.sgml
index a897712de2..86fc387af2 100644
--- a/doc/src/sgml/ref/grant.sgml
+++ b/doc/src/sgml/ref/grant.sgml
@@ -254,8 +254,8 @@ GRANT <replaceable class="parameter">role_name</replaceable> [, ...] TO <replace
    OPTION</literal> on itself, but it may grant or revoke membership in
    itself from a database session where the session user matches the
    role.  Database superusers can grant or revoke membership in any role
-   to anyone.  Roles having <literal>CREATEROLE</literal> privilege can grant
-   or revoke membership in any role that is not a superuser.
+   to anyone.  Roles can revoke membership in any role they own, and 
+   may grant membership in any role they own to any role they own.
   </para>
 
   <para>
diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml
index 9067be1d9c..e65b55a004 100644
--- a/doc/src/sgml/user-manag.sgml
+++ b/doc/src/sgml/user-manag.sgml
@@ -198,9 +198,10 @@ CREATE USER <replaceable>name</replaceable>;
         (except for superusers, since those bypass all permission
         checks). To create such a role, use <literal>CREATE ROLE
         <replaceable>name</replaceable> CREATEROLE</literal>.
-        A role with <literal>CREATEROLE</literal> privilege can alter and drop
-        other roles, too, as well as grant or revoke membership in them.
-        However, to create, alter, drop, or change membership of a
+        A role which creates a new role becomes the new role's owner, able to
+        alter or drop that new role, and sharing ownership of any additional
+        objects (including additional roles) that new role creates.
+        To create, alter, drop, or change membership of a
         superuser role, superuser status is required;
         <literal>CREATEROLE</literal> is insufficient for that.
        </para>
@@ -246,11 +247,14 @@ CREATE USER <replaceable>name</replaceable>;
 
   <tip>
    <para>
-    It is good practice to create a role that has the <literal>CREATEDB</literal>
-    and <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
+    It is good practice to create a role that has the
+    <literal>CREATEDB</literal>, <literal>LOGIN</literal> and
+    <literal>CREATEROLE</literal> privileges, but is not a superuser, and then
     use this role for all routine management of databases and roles.  This
-    approach avoids the dangers of operating as a superuser for tasks that
-    do not really require it.
+    approach avoids the dangers of operating as a superuser for tasks that do
+    not really require it.  This role must also have
+    <literal>REPLICATION</literal> if it will create replication users, and
+    must have <literal>BYPASSRLS</literal> if it will create bypassrls users.
    </para>
   </tip>
 
@@ -387,15 +391,22 @@ RESET ROLE;
 
   <para>
    The role attributes <literal>LOGIN</literal>, <literal>SUPERUSER</literal>,
-   <literal>CREATEDB</literal>, and <literal>CREATEROLE</literal> can be thought of as
-   special privileges, but they are never inherited as ordinary privileges
-   on database objects are.  You must actually <command>SET ROLE</command> to a
-   specific role having one of these attributes in order to make use of
-   the attribute.  Continuing the above example, we might choose to
+   <literal>CREATEDB</literal>, <literal>REPLICATION</literal>,
+   <literal>BYPASSRLS</literal>, and <literal>CREATEROLE</literal> can be
+   thought of as special privileges, but they are never inherited as ordinary
+   privileges on database objects are.  You must actually <command>SET
+   ROLE</command> to a specific role having one of these attributes in order to
+   make use of the attribute.  Continuing the above example, we might choose to
    grant <literal>CREATEDB</literal> and <literal>CREATEROLE</literal> to the
-   <literal>admin</literal> role.  Then a session connecting as role <literal>joe</literal>
-   would not have these privileges immediately, only after doing
-   <command>SET ROLE admin</command>.
+   <literal>admin</literal> role.  Then a session connecting as role
+   <literal>joe</literal> would not have these privileges immediately, only
+   after doing <command>SET ROLE admin</command>.  Roles with these attributes
+   may only be created by roles which themselves have these attributes.
+   Superusers may always do so, but non-superuser roles with
+   <literal>CREATEROLE</literal> may only create new roles with
+   <literal>LOGIN</literal>, <literal>CREATEDB</literal>,
+   <literal>REPLICATION</literal>, or <literal>BYPASSRLS</literal> if they
+   themselves have the same attribute.
   </para>
 
   <para>
@@ -493,8 +504,7 @@ DROP ROLE doomed_role;
   <para>
    <productname>PostgreSQL</productname> provides a set of predefined roles
    that provide access to certain, commonly needed, privileged capabilities
-   and information.  Administrators (including roles that have the
-   <literal>CREATEROLE</literal> privilege) can <command>GRANT</command> these
+   and information.  Administrators can <command>GRANT</command> these
    roles to users and/or other roles in their environment, providing those
    users with access to the specified capabilities and information.
   </para>
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 1e0ee503e4..8327005404 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5470,6 +5470,9 @@ has_createrole_privilege(Oid roleid)
 	return result;
 }
 
+/*
+ * Check whether specified role has BYPASSRLS privilege (or is a superuser)
+ */
 bool
 has_bypassrls_privilege(Oid roleid)
 {
@@ -5489,6 +5492,114 @@ has_bypassrls_privilege(Oid roleid)
 	return result;
 }
 
+/*
+ * Check whether specified role has INHERIT privilege (or is a superuser)
+ */
+bool
+has_inherit_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Check whether specified role has CREATEDB privilege (or is a superuser)
+ */
+bool
+has_createdb_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreatedb;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Check whether specified role has LOGIN privilege (or is a superuser)
+ */
+bool
+has_login_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcanlogin;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Check whether specified role has REPLICATION privilege (or is a superuser)
+ */
+bool
+has_replication_privilege(Oid roleid)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolreplication;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
+/*
+ * Get the connection limit for the specified role.
+ *
+ * Returns -1 if the role has no connection limit.
+ */
+int32
+role_connection_limit(Oid roleid)
+{
+	int32		result = -1;
+	HeapTuple	utup;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		result = ((Form_pg_authid) GETSTRUCT(utup))->rolconnlimit;
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
 /*
  * Fetch pg_default_acl entry for given role, namespace and object type
  * (object type must be given in pg_default_acl's encoding).
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index 3726e40f36..13265a0ed2 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -58,15 +58,6 @@ static void DelRoleMems(const char *rolename, Oid roleid,
 static void AlterRoleOwner_internal(HeapTuple tup, Relation rel,
 									Oid newOwnerId);
 
-
-/* Check if current user has createrole privileges */
-static bool
-have_createrole_privilege(void)
-{
-	return has_createrole_privilege(GetUserId());
-}
-
-
 /*
  * CREATE ROLE
  */
@@ -279,24 +270,32 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	}
 	else if (isreplication)
 	{
-		if (!superuser())
+		if (!has_replication_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create replication users")));
+					 errmsg("must have replication privilege to create replication users")));
 	}
 	else if (bypassrls)
 	{
-		if (!superuser())
+		if (!has_bypassrls_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create bypassrls users")));
+					 errmsg("must have bypassrls privilege to create bypassrls users")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to create role")));
+		if (createdb && !has_createdb_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have createdb privilege to create createdb users")));
+		if (canlogin && !has_login_privilege(GetUserId()))
+			ereport(ERROR,
+					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+					 errmsg("must have login privilege to create login users")));
 	}
 
 	/*
@@ -692,7 +691,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to change bypassrls attribute")));
 	}
-	else if (!have_createrole_privilege())
+	else if (!superuser())
 	{
 		/* check the rest */
 		if (dinherit || dcreaterole || dcreatedb || dcanlogin || dconnlimit ||
@@ -891,7 +890,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 
 		/*
 		 * To mess with a superuser you gotta be superuser; else you need
-		 * createrole, or just want to change your own settings
+		 * to own the role, or just want to change your own settings
 		 */
 		if (roleform->rolsuper)
 		{
@@ -902,8 +901,7 @@ AlterRoleSet(AlterRoleSetStmt *stmt)
 		}
 		else
 		{
-			if (!have_createrole_privilege() &&
-				!pg_role_ownercheck(roleid, GetUserId()))
+			if (!pg_role_ownercheck(roleid, GetUserId()))
 				ereport(ERROR,
 						(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 						 errmsg("permission denied")));
@@ -1016,18 +1014,12 @@ DropRole(DropRoleStmt *stmt)
 					(errcode(ERRCODE_OBJECT_IN_USE),
 					 errmsg("session user cannot be dropped")));
 
-		/*
-		 * For safety's sake, we allow createrole holders to drop ordinary
-		 * roles but not superuser roles.  This is mainly to avoid the
-		 * scenario where you accidentally drop the last superuser.
-		 */
 		if (roleform->rolsuper && !superuser())
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to drop superusers")));
 
-		if (!have_createrole_privilege() &&
-			!pg_role_ownercheck(roleid, GetUserId()))
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to drop role")));
@@ -1208,7 +1200,7 @@ RenameRole(const char *oldname, const char *newname)
 				 errmsg("role \"%s\" already exists", newname)));
 
 	/*
-	 * createrole is enough privilege unless you want to mess with a superuser
+	 * role ownership is enough privilege unless you want to mess with a superuser
 	 */
 	if (((Form_pg_authid) GETSTRUCT(oldtuple))->rolsuper)
 	{
@@ -1219,7 +1211,7 @@ RenameRole(const char *oldname, const char *newname)
 	}
 	else
 	{
-		if (!have_createrole_privilege())
+		if (!pg_role_ownercheck(roleid, GetUserId()))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("permission denied to rename role")));
@@ -1434,7 +1426,7 @@ AddRoleMems(const char *rolename, Oid roleid,
 		return;
 
 	/*
-	 * Check permissions: must have createrole or admin option on the role to
+	 * Check permissions: must be owner or have admin option on the role to
 	 * be changed.  To mess with a superuser role, you gotta be superuser.
 	 */
 	if (superuser_arg(roleid))
@@ -1444,9 +1436,9 @@ AddRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, grantorId) &&
 			!is_admin_of_role(grantorId, roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1622,9 +1614,9 @@ DelRoleMems(const char *rolename, Oid roleid,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superusers")));
 	}
-	else
+	else if (!superuser())
 	{
-		if (!have_createrole_privilege() &&
+		if (!pg_role_ownercheck(roleid, GetUserId()) &&
 			!is_admin_of_role(GetUserId(), roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
@@ -1780,7 +1772,7 @@ AlterRoleOwner_internal(HeapTuple tup, Relation rel, Oid newOwnerId)
 		 * consistent with the CREATE case for roles.  Because superusers will
 		 * always have this right, we need no special case for them.
 		 */
-		if (!have_createrole_privilege())
+		if (!has_createrole_privilege(GetUserId()))
 			aclcheck_error(ACLCHECK_NO_PRIV, OBJECT_ROLE,
 						   NameStr(authForm->rolname));
 
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
index 97336db058..cdcce9c569 100644
--- a/src/backend/utils/adt/acl.c
+++ b/src/backend/utils/adt/acl.c
@@ -4656,7 +4656,7 @@ initialize_acl(void)
 		/*
 		 * In normal mode, set a callback on any syscache invalidation of rows
 		 * of pg_auth_members (for roles_is_member_of()), pg_authid (for
-		 * has_rolinherit()), or pg_database (for roles_is_member_of())
+		 * has_inherit_privilege()), or pg_database (for roles_is_member_of())
 		 */
 		CacheRegisterSyscacheCallback(AUTHMEMROLEMEM,
 									  RoleMembershipCacheCallback,
@@ -4690,23 +4690,6 @@ RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue)
 }
 
 
-/* Check if specified role has rolinherit set */
-static bool
-has_rolinherit(Oid roleid)
-{
-	bool		result = false;
-	HeapTuple	utup;
-
-	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
-	if (HeapTupleIsValid(utup))
-	{
-		result = ((Form_pg_authid) GETSTRUCT(utup))->rolinherit;
-		ReleaseSysCache(utup);
-	}
-	return result;
-}
-
-
 /*
  * Get a list of roles that the specified roleid is a member of
  *
@@ -4776,7 +4759,7 @@ roles_is_member_of(Oid roleid, enum RoleRecurseType type,
 		CatCList   *memlist;
 		int			i;
 
-		if (type == ROLERECURSE_PRIVS && !has_rolinherit(memberid))
+		if (type == ROLERECURSE_PRIVS && !has_inherit_privilege(memberid))
 			continue;			/* ignore non-inheriting roles */
 
 		/* Find roles that memberid is directly a member of */
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 572cae0f27..7a6640dfc9 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -320,5 +320,10 @@ extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
 extern bool pg_role_ownercheck(Oid owned_role_oid, Oid owner_roleid);
 extern bool has_createrole_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
+extern bool has_inherit_privilege(Oid roleid);
+extern bool has_createdb_privilege(Oid roleid);
+extern bool has_login_privilege(Oid roleid);
+extern bool has_replication_privilege(Oid roleid);
+extern int32 role_connection_limit(Oid roleid);
 
 #endif							/* ACL_H */
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 4ad6fd4161..61f143a191 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -3,16 +3,17 @@ CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_bystander;
 CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
 GRANT CREATE ON DATABASE regression TO regress_role_admin;
--- fail, only superusers can create users with these privileges
+-- fail, only superusers can create users with superuser
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
 ERROR:  must be superuser to create superusers
-CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
-ERROR:  must be superuser to create replication users
-CREATE ROLE regress_nosuch_replication REPLICATION;
-ERROR:  must be superuser to create replication users
-CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
-ERROR:  must be superuser to create bypassrls users
+-- fail, only login users can create other login users
+CREATE ROLE regress_nosuch_login LOGIN;
+ERROR:  must have login privilege to create login users
+-- ok, can assign privileges the creator has
+CREATE ROLE regress_replication_bypassrls REPLICATION BYPASSRLS;
+CREATE ROLE regress_replication REPLICATION;
+CREATE ROLE regress_bypassrls BYPASSRLS;
 -- fail, only superusers can own superusers
 RESET SESSION AUTHORIZATION;
 CREATE ROLE regress_nosuch_superuser AUTHORIZATION regress_role_admin SUPERUSER;
@@ -29,9 +30,6 @@ CREATE ROLE regress_nosuch_charlie AUTHORIZATION regress_role_bystander;
 ERROR:  must be member of role "regress_role_bystander"
 -- ok, superuser can create users with these privileges for normal role
 RESET SESSION AUTHORIZATION;
-CREATE ROLE regress_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
-CREATE ROLE regress_replication AUTHORIZATION regress_role_admin REPLICATION;
-CREATE ROLE regress_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
 \du+ regress_superuser
                                        List of roles
      Role name     |       Owner        |       Attributes        | Member of | Description 
@@ -63,7 +61,10 @@ ERROR:  role may not own itself
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_login LOGIN;
+ERROR:  must have login privilege to create login users
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
 CREATE ROLE regress_encrypted_password PASSWORD NULL;
@@ -83,12 +84,6 @@ COMMENT ON ROLE regress_password_null IS 'no login test role';
 --------------------+--------------------+---------------------------+-----------+-------------
  regress_createrole | regress_role_admin | Create role, Cannot login | {}        | 
 
-\du+ regress_login
-                               List of roles
-   Role name   |       Owner        | Attributes | Member of | Description 
----------------+--------------------+------------+-----------+-------------
- regress_login | regress_role_admin |            | {}        | 
-
 \du+ regress_inherit
                                  List of roles
     Role name    |       Owner        |  Attributes  | Member of | Description 
@@ -121,19 +116,19 @@ NOTICE:  SYSID can no longer be specified
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
 ERROR:  must be superuser to alter superusers
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
-ERROR:  role "pg_database_owner" cannot have explicit members
+ERROR:  must have admin option on role "pg_database_owner"
 -- ok, can grant other users into a role
 CREATE ROLE regress_inroles ROLE
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 -- fail, cannot grant a role into itself
 CREATE ROLE regress_nosuch_recursive ROLE regress_nosuch_recursive;
 ERROR:  role "regress_nosuch_recursive" is a member of role "regress_nosuch_recursive"
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_adminroles ADMIN
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 -- fail, cannot grant a role into itself with admin option
 CREATE ROLE regress_nosuch_admin_recursive ADMIN regress_nosuch_admin_recursive;
@@ -146,8 +141,11 @@ ERROR:  permission denied to create database
 CREATE ROLE regress_plainrole;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_rolecreator CREATEROLE;
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_tenant CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
+ERROR:  must have createdb privilege to create createdb users
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_tenant CREATEROLE INHERIT CONNECTION LIMIT 5;
 -- ok, regress_tenant can create objects within the database
 SET SESSION AUTHORIZATION regress_tenant;
 CREATE TABLE tenant_table (i integer);
@@ -166,17 +164,27 @@ ERROR:  must be member of role "regress_role_admin"
 DROP VIEW tenant_view;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
+ERROR:  must have admin option on role "pg_read_all_data"
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
+ERROR:  must have admin option on role "pg_write_all_data"
 CREATE ROLE regress_monitor IN ROLE pg_monitor;
+ERROR:  must have admin option on role "pg_monitor"
 CREATE ROLE regress_read_all_settings IN ROLE pg_read_all_settings;
+ERROR:  must have admin option on role "pg_read_all_settings"
 CREATE ROLE regress_read_all_stats IN ROLE pg_read_all_stats;
+ERROR:  must have admin option on role "pg_read_all_stats"
 CREATE ROLE regress_stat_scan_tables IN ROLE pg_stat_scan_tables;
+ERROR:  must have admin option on role "pg_stat_scan_tables"
 CREATE ROLE regress_read_server_files IN ROLE pg_read_server_files;
+ERROR:  must have admin option on role "pg_read_server_files"
 CREATE ROLE regress_write_server_files IN ROLE pg_write_server_files;
+ERROR:  must have admin option on role "pg_write_server_files"
 CREATE ROLE regress_execute_server_program IN ROLE pg_execute_server_program;
+ERROR:  must have admin option on role "pg_execute_server_program"
 CREATE ROLE regress_signal_backend IN ROLE pg_signal_backend;
+ERROR:  must have admin option on role "pg_signal_backend"
 -- fail, cannot create ownership cycles
 RESET SESSION AUTHORIZATION;
 REASSIGN OWNED BY regress_role_admin TO regress_tenant;
@@ -209,19 +217,8 @@ DROP ROLE regress_createrole;
 ERROR:  role "regress_createrole" cannot be dropped because some objects depend on it
 DETAIL:  owner of role regress_rolecreator
 owner of role regress_tenant
-owner of role regress_read_all_data
-owner of role regress_write_all_data
-owner of role regress_monitor
-owner of role regress_read_all_settings
-owner of role regress_read_all_stats
-owner of role regress_stat_scan_tables
-owner of role regress_read_server_files
-owner of role regress_write_server_files
-owner of role regress_execute_server_program
-owner of role regress_signal_backend
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_createdb;
-DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
 DROP ROLE regress_encrypted_password;
@@ -231,16 +228,6 @@ DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
 DROP ROLE regress_tenant;
-DROP ROLE regress_read_all_data;
-DROP ROLE regress_write_all_data;
-DROP ROLE regress_monitor;
-DROP ROLE regress_read_all_settings;
-DROP ROLE regress_read_all_stats;
-DROP ROLE regress_stat_scan_tables;
-DROP ROLE regress_read_server_files;
-DROP ROLE regress_write_server_files;
-DROP ROLE regress_execute_server_program;
-DROP ROLE regress_signal_backend;
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
 ERROR:  must be superuser to drop superusers
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 6266586b8b..36b9b04322 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -4,12 +4,17 @@ CREATE ROLE regress_role_bystander;
 CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
 GRANT CREATE ON DATABASE regression TO regress_role_admin;
 
--- fail, only superusers can create users with these privileges
+-- fail, only superusers can create users with superuser
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
-CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
-CREATE ROLE regress_nosuch_replication REPLICATION;
-CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
+
+-- fail, only login users can create other login users
+CREATE ROLE regress_nosuch_login LOGIN;
+
+-- ok, can assign privileges the creator has
+CREATE ROLE regress_replication_bypassrls REPLICATION BYPASSRLS;
+CREATE ROLE regress_replication REPLICATION;
+CREATE ROLE regress_bypassrls BYPASSRLS;
 
 -- fail, only superusers can own superusers
 RESET SESSION AUTHORIZATION;
@@ -26,9 +31,6 @@ CREATE ROLE regress_nosuch_charlie AUTHORIZATION regress_role_bystander;
 
 -- ok, superuser can create users with these privileges for normal role
 RESET SESSION AUTHORIZATION;
-CREATE ROLE regress_replication_bypassrls AUTHORIZATION regress_role_admin REPLICATION BYPASSRLS;
-CREATE ROLE regress_replication AUTHORIZATION regress_role_admin REPLICATION;
-CREATE ROLE regress_bypassrls AUTHORIZATION regress_role_admin BYPASSRLS;
 
 \du+ regress_superuser
 \du+ regress_replication_bypassrls
@@ -42,7 +44,11 @@ ALTER ROLE regress_bypassrls OWNER TO regress_bypassrls;
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
+
+-- fail, cannot assign LOGIN privilege that creator lacks
 CREATE ROLE regress_login LOGIN;
+
+-- ok, having CREATEROLE is enough for these
 CREATE ROLE regress_inherit INHERIT;
 CREATE ROLE regress_connection_limit CONNECTION LIMIT 5;
 CREATE ROLE regress_encrypted_password PASSWORD NULL;
@@ -53,7 +59,6 @@ COMMENT ON ROLE regress_password_null IS 'no login test role';
 
 \du+ regress_createdb
 \du+ regress_createrole
-\du+ regress_login
 \du+ regress_inherit
 \du+ regress_connection_limit
 \du+ regress_encrypted_password
@@ -65,12 +70,12 @@ CREATE ROLE regress_noiseword SYSID 12345;
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
 
--- fail, database owner cannot have members
+-- fail, do not have ADMIN privilege on database owner
 CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
 
 -- ok, can grant other users into a role
 CREATE ROLE regress_inroles ROLE
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 
 -- fail, cannot grant a role into itself
@@ -78,7 +83,7 @@ CREATE ROLE regress_nosuch_recursive ROLE regress_nosuch_recursive;
 
 -- ok, can grant other users into a role with admin option
 CREATE ROLE regress_adminroles ADMIN
-	regress_role_super, regress_createdb, regress_createrole, regress_login,
+	regress_role_super, regress_createdb, regress_createrole,
 	regress_inherit, regress_connection_limit, regress_encrypted_password, regress_password_null;
 
 -- fail, cannot grant a role into itself with admin option
@@ -94,9 +99,12 @@ CREATE ROLE regress_plainrole;
 -- ok, roles with CREATEROLE can create new roles with it
 CREATE ROLE regress_rolecreator CREATEROLE;
 
--- ok, roles with CREATEROLE can create new roles with privilege they lack
+-- fail, roles with CREATEROLE cannot create new roles with privilege they lack
 CREATE ROLE regress_tenant CREATEDB CREATEROLE LOGIN INHERIT CONNECTION LIMIT 5;
 
+-- ok, roles with CREATEROLE can create new roles with privilege they have
+CREATE ROLE regress_tenant CREATEROLE INHERIT CONNECTION LIMIT 5;
+
 -- ok, regress_tenant can create objects within the database
 SET SESSION AUTHORIZATION regress_tenant;
 CREATE TABLE tenant_table (i integer);
@@ -119,7 +127,7 @@ DROP VIEW tenant_view;
 -- ok, can take ownership objects from owned roles
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
 
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
 CREATE ROLE regress_monitor IN ROLE pg_monitor;
@@ -161,7 +169,6 @@ DROP ROLE regress_createrole;
 
 -- ok, should be able to drop these non-superuser roles
 DROP ROLE regress_createdb;
-DROP ROLE regress_login;
 DROP ROLE regress_inherit;
 DROP ROLE regress_connection_limit;
 DROP ROLE regress_encrypted_password;
@@ -171,16 +178,6 @@ DROP ROLE regress_inroles;
 DROP ROLE regress_adminroles;
 DROP ROLE regress_rolecreator;
 DROP ROLE regress_tenant;
-DROP ROLE regress_read_all_data;
-DROP ROLE regress_write_all_data;
-DROP ROLE regress_monitor;
-DROP ROLE regress_read_all_settings;
-DROP ROLE regress_read_all_stats;
-DROP ROLE regress_stat_scan_tables;
-DROP ROLE regress_read_server_files;
-DROP ROLE regress_write_server_files;
-DROP ROLE regress_execute_server_program;
-DROP ROLE regress_signal_backend;
 
 -- fail, cannot drop ourself nor superusers
 DROP ROLE regress_role_super;
-- 
2.21.1 (Apple Git-122.3)

From 82d235b39b32ca0cd0b94d47a54ee6806645a365 Mon Sep 17 00:00:00 2001
From: Mark Dilger <mark.dilger@enterprisedb.com>
Date: Fri, 28 Jan 2022 07:57:57 -0800
Subject: [PATCH v8] Adding admin options for role attributes

When creating roles, attributes such as BYPASSRLS can be optionally
specified WITH ADMIN OPTION or WITHOUT ADMIN OPTION.  If these
optional clauses are unspecified, they all default to WITHOUT
unless the role being created is given CREATEROLE, in which case
they default to WITHOUT for SUPERUSER, REPLICATION, and BYPASSRLS
and true for all others.  This preserves backwards compatible
behavior.

The CREATEROLE attribute no longer makes up for lacking the ADMIN
option on a role.  The creator of a role only has the ADMIN-like
right to grant other roles into the new role during the creation
statement itself.  After that, the creator may only do so if the
creator has ADMIN on the role.  Note that creators may add
themselves to the list of ADMINs on the new role during creation
time.

SUPERUSER can still only be granted by superusers.
---
 doc/src/sgml/ref/create_role.sgml         |  50 ++--
 src/backend/catalog/aclchk.c              | 179 ++++++++++++--
 src/backend/commands/user.c               | 278 +++++++++++++++++-----
 src/backend/parser/gram.y                 | 161 ++++++++++---
 src/include/catalog/pg_authid.dat         |  52 +++-
 src/include/catalog/pg_authid.h           |  10 +
 src/include/nodes/nodes.h                 |   1 +
 src/include/nodes/parsenodes.h            |  11 +-
 src/include/utils/acl.h                   |  12 +
 src/test/regress/expected/create_role.out | 188 ++++++++++++++-
 src/test/regress/expected/privileges.out  |   4 +
 src/test/regress/sql/create_role.sql      | 153 +++++++++++-
 src/test/regress/sql/privileges.sql       |   3 +
 src/tools/pgindent/typedefs.list          |   1 +
 14 files changed, 936 insertions(+), 167 deletions(-)

diff --git a/doc/src/sgml/ref/create_role.sgml b/doc/src/sgml/ref/create_role.sgml
index b6a4ea1f72..7163779e0a 100644
--- a/doc/src/sgml/ref/create_role.sgml
+++ b/doc/src/sgml/ref/create_role.sgml
@@ -26,15 +26,22 @@ CREATE ROLE <replaceable class="parameter">name</replaceable> [ [ WITH ] <replac
 <phrase>where <replaceable class="parameter">option</replaceable> can be:</phrase>
 
       SUPERUSER | NOSUPERUSER
-    | CREATEDB | NOCREATEDB
-    | CREATEROLE | NOCREATEROLE
-    | INHERIT | NOINHERIT
-    | LOGIN | NOLOGIN
-    | REPLICATION | NOREPLICATION
-    | BYPASSRLS | NOBYPASSRLS
-    | CONNECTION LIMIT <replaceable class="parameter">connlimit</replaceable>
-    | [ ENCRYPTED ] PASSWORD '<replaceable class="parameter">password</replaceable>' | PASSWORD NULL
-    | VALID UNTIL '<replaceable class="parameter">timestamp</replaceable>'
+    | INHERIT [ { WITH | WITHOUT } GRANT OPTION ]
+	| NOINHERIT [ { WITH | WITHOUT } GRANT OPTION ]
+    | CREATEDB [ { WITH | WITHOUT } GRANT OPTION ]
+    | NOCREATEDB [ { WITH | WITHOUT } GRANT OPTION ]
+    | CREATEROLE [ { WITH | WITHOUT } GRANT OPTION ]
+    | NOCREATEROLE [ { WITH | WITHOUT } GRANT OPTION ]
+    | LOGIN [ { WITH | WITHOUT } GRANT OPTION ]
+    | NOLOGIN [ { WITH | WITHOUT } GRANT OPTION ]
+    | REPLICATION [ { WITH | WITHOUT } GRANT OPTION ]
+    | NOREPLICATION [ { WITH | WITHOUT } GRANT OPTION ]
+    | BYPASSRLS [ { WITH | WITHOUT } GRANT OPTION ]
+    | NOBYPASSRLS [ { WITH | WITHOUT } GRANT OPTION ]
+    | CONNECTION LIMIT [ <replaceable class="parameter">connlimit</replaceable> | NONE ] [ { WITH | WITHOUT } GRANT OPTION ]
+    | [ ENCRYPTED ] PASSWORD '<replaceable class="parameter">password</replaceable>' [ { WITH | WITHOUT } GRANT OPTION ]
+	| PASSWORD NULL [ { WITH | WITHOUT } GRANT OPTION ]
+    | VALID [ UNTIL '<replaceable class="parameter">timestamp</replaceable>' | ALWAYS ] [ { WITH | WITHOUT } GRANT OPTION ]
     | IN ROLE <replaceable class="parameter">role_name</replaceable> [, ...]
     | IN GROUP <replaceable class="parameter">role_name</replaceable> [, ...]
     | ROLE <replaceable class="parameter">role_name</replaceable> [, ...]
@@ -356,6 +363,18 @@ in sync when changing the above synopsis!
    <link linkend="sql-revoke"><command>REVOKE</command></link>.
   </para>
 
+  <para>
+   Some parameters allow the <literal>WITH ADMIN OPTION</literal> or
+   <literal>WITHOUT ADMIN OPTION</literal> clause to be specified.  For roles
+   with the <literal>CREATEROLE</literal> attribute, these clauses govern
+   whether new roles may be created with the attribute.  If not given, for
+   reasons of backwards compatibility, <literal>WITHOUT ADMIN OPTION</literal>
+   is the default for <literal>REPLICATION</literal> and
+   <literal>BYPASSRLS</literal>, but <literal>WITH ADMIN OPTION</literal> is
+   the default for <literal>CREATEDB</literal>, <literal>CREATEROLE</literal>,
+   and <literal>LOGIN</literal>.
+  </para>
+
   <para>
    The <literal>VALID UNTIL</literal> clause defines an expiration time for a
    password only, not for the role per se.  In
@@ -383,19 +402,6 @@ in sync when changing the above synopsis!
    specified in the SQL standard.
   </para>
 
-  <para>
-   Be careful with the <literal>CREATEROLE</literal> privilege. There is no concept of
-   inheritance for the privileges of a <literal>CREATEROLE</literal>-role. That
-   means that even if a role does not have a certain privilege but is allowed
-   to create other roles, it can easily create another role with different
-   privileges than its own (except for creating roles with superuser
-   privileges). For example, if the role <quote>user</quote> has the
-   <literal>CREATEROLE</literal> privilege but not the <literal>CREATEDB</literal> privilege,
-   nonetheless it can create a new role with the <literal>CREATEDB</literal>
-   privilege. Therefore, regard roles that have the <literal>CREATEROLE</literal>
-   privilege as almost-superuser-roles.
-  </para>
-
   <para>
    <productname>PostgreSQL</productname> includes a program <xref
    linkend="app-createuser"/> that has
diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 1dd03a8e51..c66f545f36 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -5430,6 +5430,91 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 	return has_privs_of_role(roleid, ownerId);
 }
 
+typedef enum ROLPRIV
+{
+	CREATEROLE,
+	CREATEDB,
+	CANLOGIN,
+	REPLICATION,
+	BYPASSRLS,
+	INHERIT,
+	CONNLIMIT,
+	VALIDUNTIL,
+	PASSWORD
+} ROLPRIV;
+
+static bool
+has_privilege(Oid roleid, ROLPRIV priv, bool self, bool grant)
+{
+	bool		result = false;
+	HeapTuple	utup;
+
+	/* Superusers bypass all permission checking. */
+	if (superuser_arg(roleid))
+		return true;
+
+	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
+	if (HeapTupleIsValid(utup))
+	{
+		Form_pg_authid uform = (Form_pg_authid) GETSTRUCT(utup);
+
+		result = true;
+		switch (priv)
+		{
+			case CREATEROLE:
+				if (self && !uform->rolcreaterole)
+					result = false;
+				if (grant && !uform->admcreaterole)
+					result = false;
+				break;
+			case CREATEDB:
+				if (self && !uform->rolcreatedb)
+					result = false;
+				if (grant && !uform->admcreatedb)
+					result = false;
+				break;
+			case CANLOGIN:
+				if (self && !uform->rolcanlogin)
+					result = false;
+				if (grant && !uform->admcanlogin)
+					result = false;
+				break;
+			case REPLICATION:
+				if (self && !uform->rolreplication)
+					result = false;
+				if (grant && !uform->admreplication)
+					result = false;
+				break;
+			case BYPASSRLS:
+				if (self && !uform->rolbypassrls)
+					result = false;
+				if (grant && !uform->admbypassrls)
+					result = false;
+				break;
+			case INHERIT:
+				if (grant && !uform->adminherit)
+					result = false;
+				break;
+			case CONNLIMIT:
+				if (grant && !uform->admconnlimit)
+					result = false;
+				break;
+			case VALIDUNTIL:
+				if (grant && !uform->admvaliduntil)
+					result = false;
+				break;
+			case PASSWORD:
+				if (grant && !uform->admpassword)
+					result = false;
+				break;
+
+			/* Intentionally no default here */
+		}
+		ReleaseSysCache(utup);
+	}
+	return result;
+}
+
 /*
  * Check whether specified role has CREATEROLE privilege (or is a superuser)
  *
@@ -5444,39 +5529,85 @@ pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid)
 bool
 has_createrole_privilege(Oid roleid)
 {
-	bool		result = false;
-	HeapTuple	utup;
+	return has_privilege(roleid, CREATEROLE, true, false);
+}
 
-	/* Superusers bypass all permission checking. */
-	if (superuser_arg(roleid))
-		return true;
+bool
+has_createdb_privilege(Oid roleid)
+{
+	return has_privilege(roleid, CREATEDB, true, false);
+}
 
-	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
-	if (HeapTupleIsValid(utup))
-	{
-		result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreaterole;
-		ReleaseSysCache(utup);
-	}
-	return result;
+bool
+has_canlogin_privilege(Oid roleid)
+{
+	return has_privilege(roleid, CANLOGIN, true, false);
+}
+
+bool
+has_replication_privilege(Oid roleid)
+{
+	return has_privilege(roleid, REPLICATION, true, false);
 }
 
 bool
 has_bypassrls_privilege(Oid roleid)
 {
-	bool		result = false;
-	HeapTuple	utup;
+	return has_privilege(roleid, BYPASSRLS, true, false);
+}
 
-	/* Superusers bypass all permission checking. */
-	if (superuser_arg(roleid))
-		return true;
+bool
+may_admin_createrole_privilege(Oid roleid)
+{
+	return has_privilege(roleid, CREATEROLE, false, true);
+}
 
-	utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
-	if (HeapTupleIsValid(utup))
-	{
-		result = ((Form_pg_authid) GETSTRUCT(utup))->rolbypassrls;
-		ReleaseSysCache(utup);
-	}
-	return result;
+bool
+may_admin_createdb_privilege(Oid roleid)
+{
+	return has_privilege(roleid, CREATEDB, false, true);
+}
+
+bool
+may_admin_canlogin_privilege(Oid roleid)
+{
+	return has_privilege(roleid, CANLOGIN, false, true);
+}
+
+bool
+may_admin_replication_privilege(Oid roleid)
+{
+	return has_privilege(roleid, REPLICATION, false, true);
+}
+
+bool
+may_admin_bypassrls_privilege(Oid roleid)
+{
+	return has_privilege(roleid, BYPASSRLS, false, true);
+}
+
+bool
+may_admin_inherit_privilege(Oid roleid)
+{
+	return has_privilege(roleid, INHERIT, false, true);
+}
+
+bool
+may_admin_connlimit_privilege(Oid roleid)
+{
+	return has_privilege(roleid, CONNLIMIT, false, true);
+}
+
+bool
+may_admin_validuntil_privilege(Oid roleid)
+{
+	return has_privilege(roleid, VALIDUNTIL, false, true);
+}
+
+bool
+may_admin_password_privilege(Oid roleid)
+{
+	return has_privilege(roleid, PASSWORD, false, true);
 }
 
 /*
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index f9d3c1246b..501613a840 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -51,7 +51,7 @@ check_password_hook_type check_password_hook = NULL;
 
 static void AddRoleMems(const char *rolename, Oid roleid,
 						List *memberSpecs, List *memberIds,
-						Oid grantorId, bool admin_opt);
+						Oid grantorId, bool admin_opt, bool creating);
 static void DelRoleMems(const char *rolename, Oid roleid,
 						List *memberSpecs, List *memberIds,
 						bool admin_opt);
@@ -107,6 +107,24 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	DefElem    *dadminmembers = NULL;
 	DefElem    *dvalidUntil = NULL;
 	DefElem    *dbypassRLS = NULL;
+	int			inherit_spec = 0;
+	int			createrole_spec = 0;
+	int			createdb_spec = 0;
+	int			canlogin_spec = 0;
+	int			replication_spec = 0;
+	int			bypassrls_spec = 0;
+	int			connlimit_spec = 0;
+	int			password_spec = 0;
+	int			validuntil_spec = 0;
+	bool		admin_inherit = false;
+	bool		admin_createrole = false;
+	bool		admin_createdb = false;
+	bool		admin_canlogin = false;
+	bool		admin_replication = false;
+	bool		admin_bypassrls = false;
+	bool		admin_connlimit = false;
+	bool		admin_password = false;
+	bool		admin_validuntil = false;
 
 	/* The defaults can vary depending on the original statement type */
 	switch (stmt->stmt_type)
@@ -124,13 +142,15 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	/* Extract options from the statement node tree */
 	foreach(option, stmt->options)
 	{
-		DefElem    *defel = (DefElem *) lfirst(option);
+		RoleElem   *relem = (RoleElem *) lfirst(option);
+		DefElem    *defel = relem->elem;
 
 		if (strcmp(defel->defname, "password") == 0)
 		{
 			if (dpassword)
 				errorConflictingDefElem(defel, pstate);
 			dpassword = defel;
+			password_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "sysid") == 0)
 		{
@@ -148,36 +168,42 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 			if (dinherit)
 				errorConflictingDefElem(defel, pstate);
 			dinherit = defel;
+			inherit_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "createrole") == 0)
 		{
 			if (dcreaterole)
 				errorConflictingDefElem(defel, pstate);
 			dcreaterole = defel;
+			createrole_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "createdb") == 0)
 		{
 			if (dcreatedb)
 				errorConflictingDefElem(defel, pstate);
 			dcreatedb = defel;
+			createdb_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "canlogin") == 0)
 		{
 			if (dcanlogin)
 				errorConflictingDefElem(defel, pstate);
 			dcanlogin = defel;
+			canlogin_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "isreplication") == 0)
 		{
 			if (disreplication)
 				errorConflictingDefElem(defel, pstate);
 			disreplication = defel;
+			replication_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "connectionlimit") == 0)
 		{
 			if (dconnlimit)
 				errorConflictingDefElem(defel, pstate);
 			dconnlimit = defel;
+			connlimit_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "addroleto") == 0)
 		{
@@ -202,12 +228,14 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 			if (dvalidUntil)
 				errorConflictingDefElem(defel, pstate);
 			dvalidUntil = defel;
+			validuntil_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "bypassrls") == 0)
 		{
 			if (dbypassRLS)
 				errorConflictingDefElem(defel, pstate);
 			dbypassRLS = defel;
+			bypassrls_spec = relem->admin_spec;
 		}
 		else
 			elog(ERROR, "option \"%s\" not recognized",
@@ -247,6 +275,28 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	if (dbypassRLS)
 		bypassrls = boolVal(dbypassRLS->arg);
 
+	/*
+	 * For backward-compatibility, we allow CREATEROLE to imply the ability to
+	 * grant all privileges except SUPERUSER, REPLICATION, and BYPASSRLS when
+	 * neither WITH ADMIN OPTION nor WITHOUT ADMIN OPTION is specified.
+	 */
+	admin_inherit = ((inherit_spec == 1) ||
+					 (createrole && inherit_spec != -1));
+	admin_createrole = ((createrole_spec == 1) ||
+						(createrole && createrole_spec != -1));
+	admin_createdb = ((createdb_spec == 1) ||
+					  (createrole && createdb_spec != -1));
+	admin_canlogin = ((canlogin_spec == 1) ||
+					  (createrole && canlogin_spec != -1));
+	admin_replication = (replication_spec == 1);
+	admin_bypassrls = (bypassrls_spec == 1);
+	admin_connlimit = ((connlimit_spec == 1) ||
+					   (createrole && connlimit_spec != -1));
+	admin_password = ((password_spec == 1) ||
+					  (createrole && password_spec != -1));
+	admin_validuntil = ((validuntil_spec == 1) ||
+					  (createrole && validuntil_spec != -1));
+
 	/* Check some permissions first */
 	if (issuper)
 	{
@@ -255,27 +305,36 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to create superusers")));
 	}
-	else if (isreplication)
-	{
-		if (!superuser())
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create replication users")));
-	}
-	else if (bypassrls)
-	{
-		if (!superuser())
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to create bypassrls users")));
-	}
-	else
-	{
-		if (!have_createrole_privilege())
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("permission denied to create role")));
-	}
+
+	if (createrole && !may_admin_createrole_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have grant option on CREATEROLE privilege to create createrole users")));
+
+	if (createdb && !may_admin_createdb_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have grant option on CREATEDB privilege to create createdb users")));
+
+	if (canlogin && !may_admin_canlogin_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have grant option on LOGIN privilege to create login users")));
+
+	if (isreplication && !may_admin_replication_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have grant option on REPLICATION privilege to create replication users")));
+
+	if (bypassrls && !may_admin_bypassrls_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have grant option on BYPASSRLS privilege to create bypassrls users")));
+
+	if (!have_createrole_privilege())
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("permission denied to create role")));
 
 	/*
 	 * Check that the user is not trying to create a role in the reserved
@@ -311,7 +370,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 						stmt->role)));
 
 	/* Convert validuntil to internal form */
-	if (validUntil)
+	if (validUntil && strcmp(validUntil, "always") != 0)
 	{
 		validUntil_datum = DirectFunctionCall3(timestamptz_in,
 											   CStringGetDatum(validUntil),
@@ -393,6 +452,16 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 
 	new_record[Anum_pg_authid_rolbypassrls - 1] = BoolGetDatum(bypassrls);
 
+	new_record[Anum_pg_authid_adminherit - 1] = BoolGetDatum(admin_inherit);
+	new_record[Anum_pg_authid_admcreaterole - 1] = BoolGetDatum(admin_createrole);
+	new_record[Anum_pg_authid_admcreatedb - 1] = BoolGetDatum(admin_createdb);
+	new_record[Anum_pg_authid_admcanlogin - 1] = BoolGetDatum(admin_canlogin);
+	new_record[Anum_pg_authid_admreplication - 1] = BoolGetDatum(admin_replication);
+	new_record[Anum_pg_authid_admbypassrls - 1] = BoolGetDatum(admin_bypassrls);
+	new_record[Anum_pg_authid_admconnlimit - 1] = BoolGetDatum(admin_connlimit);
+	new_record[Anum_pg_authid_admpassword - 1] = BoolGetDatum(admin_password);
+	new_record[Anum_pg_authid_admvaliduntil - 1] = BoolGetDatum(admin_validuntil);
+
 	/*
 	 * pg_largeobject_metadata contains pg_authid.oid's, so we use the
 	 * binary-upgrade override.
@@ -453,7 +522,7 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 			AddRoleMems(oldrolename, oldroleid,
 						thisrole_list,
 						thisrole_oidlist,
-						GetUserId(), false);
+						GetUserId(), false, false);
 
 			ReleaseSysCache(oldroletup);
 		}
@@ -465,10 +534,10 @@ CreateRole(ParseState *pstate, CreateRoleStmt *stmt)
 	 */
 	AddRoleMems(stmt->role, roleid,
 				adminmembers, roleSpecsToIds(adminmembers),
-				GetUserId(), true);
+				GetUserId(), true, true);
 	AddRoleMems(stmt->role, roleid,
 				rolemembers, roleSpecsToIds(rolemembers),
-				GetUserId(), false);
+				GetUserId(), false, true);
 
 	/* Post creation hook for new role */
 	InvokeObjectPostCreateHook(AuthIdRelationId, roleid, 0);
@@ -518,6 +587,15 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 	DefElem    *drolemembers = NULL;
 	DefElem    *dvalidUntil = NULL;
 	DefElem    *dbypassRLS = NULL;
+	int			inherit_spec = 0;
+	int			createrole_spec = 0;
+	int			createdb_spec = 0;
+	int			canlogin_spec = 0;
+	int			replication_spec = 0;
+	int			bypassrls_spec = 0;
+	int			connlimit_spec = 0;
+	int			password_spec = 0;
+	int			validuntil_spec = 0;
 	Oid			roleid;
 
 	check_rolespec_name(stmt->role,
@@ -526,13 +604,15 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 	/* Extract options from the statement node tree */
 	foreach(option, stmt->options)
 	{
-		DefElem    *defel = (DefElem *) lfirst(option);
+		RoleElem   *relem = (RoleElem *) lfirst(option);
+		DefElem    *defel = relem->elem;
 
 		if (strcmp(defel->defname, "password") == 0)
 		{
 			if (dpassword)
 				errorConflictingDefElem(defel, pstate);
 			dpassword = defel;
+			password_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "superuser") == 0)
 		{
@@ -545,36 +625,42 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 			if (dinherit)
 				errorConflictingDefElem(defel, pstate);
 			dinherit = defel;
+			inherit_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "createrole") == 0)
 		{
 			if (dcreaterole)
 				errorConflictingDefElem(defel, pstate);
 			dcreaterole = defel;
+			createrole_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "createdb") == 0)
 		{
 			if (dcreatedb)
 				errorConflictingDefElem(defel, pstate);
 			dcreatedb = defel;
+			createdb_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "canlogin") == 0)
 		{
 			if (dcanlogin)
 				errorConflictingDefElem(defel, pstate);
 			dcanlogin = defel;
+			canlogin_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "isreplication") == 0)
 		{
 			if (disreplication)
 				errorConflictingDefElem(defel, pstate);
 			disreplication = defel;
+			replication_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "connectionlimit") == 0)
 		{
 			if (dconnlimit)
 				errorConflictingDefElem(defel, pstate);
 			dconnlimit = defel;
+			connlimit_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "rolemembers") == 0 &&
 				 stmt->action != 0)
@@ -588,12 +674,14 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 			if (dvalidUntil)
 				errorConflictingDefElem(defel, pstate);
 			dvalidUntil = defel;
+			validuntil_spec = relem->admin_spec;
 		}
 		else if (strcmp(defel->defname, "bypassrls") == 0)
 		{
 			if (dbypassRLS)
 				errorConflictingDefElem(defel, pstate);
 			dbypassRLS = defel;
+			bypassrls_spec = relem->admin_spec;
 		}
 		else
 			elog(ERROR, "option \"%s\" not recognized",
@@ -630,6 +718,8 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 	 * property.  Otherwise, if you don't have createrole, you're only allowed
 	 * to change your own password.
 	 */
+
+	/* To mess with a superuser in any way you gotta be superuser. */
 	if (authform->rolsuper || dissuper)
 	{
 		if (!superuser())
@@ -637,32 +727,57 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must be superuser to alter superuser roles or change superuser attribute")));
 	}
-	else if (authform->rolreplication || disreplication)
-	{
-		if (!superuser())
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to alter replication roles or change replication attribute")));
-	}
-	else if (dbypassRLS)
-	{
-		if (!superuser())
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("must be superuser to change bypassrls attribute")));
-	}
-	else if (!have_createrole_privilege())
-	{
-		/* check the rest */
-		if (dinherit || dcreaterole || dcreatedb || dcanlogin || dconnlimit ||
-			drolemembers || dvalidUntil || !dpassword || roleid != GetUserId())
-			ereport(ERROR,
-					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-					 errmsg("permission denied")));
-	}
+
+	/* To mess with replication roles, must have admin on REPLICATION */
+	if ((authform->rolreplication || disreplication) &&
+		!may_admin_replication_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have admin on replication to alter replication roles or change replication attribute")));
+
+	/* For other privileges, must have admin on the privilege being altered */
+	if (dbypassRLS && !may_admin_bypassrls_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have admin on bypassrls to change bypassrls attribute")));
+
+	if (dinherit && !may_admin_inherit_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have admin on inherit to change inherit attribute")));
+
+	if (dcreaterole && !may_admin_createrole_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have admin on createrole to change createrole attribute")));
+
+	if (dcreatedb && !may_admin_createdb_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have admin on createdb to change createdb attribute")));
+
+	if (dcanlogin && !may_admin_canlogin_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have admin on login to change login attribute")));
+
+	if (dconnlimit && !may_admin_connlimit_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have admin on connection limit to change connection limit attribute")));
+
+	if (dvalidUntil && !may_admin_validuntil_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have admin on valid until to change valid until attribute")));
+	
+	if (dpassword && roleid != GetUserId() && !may_admin_password_privilege(GetUserId()))
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+				 errmsg("must have admin on password to change password attribute")));
 
 	/* Convert validuntil to internal form */
-	if (dvalidUntil)
+	if (validUntil && strcmp(validUntil, "always") != 0)
 	{
 		validUntil_datum = DirectFunctionCall3(timestamptz_in,
 											   CStringGetDatum(validUntil),
@@ -670,6 +785,10 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 											   Int32GetDatum(-1));
 		validUntil_null = false;
 	}
+	else if (validUntil && strcmp(validUntil, "always") == 0)
+	{
+		validUntil_null = true;
+	}
 	else
 	{
 		/* fetch existing setting in case hook needs it */
@@ -709,36 +828,66 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 		new_record[Anum_pg_authid_rolinherit - 1] = BoolGetDatum(boolVal(dinherit->arg));
 		new_record_repl[Anum_pg_authid_rolinherit - 1] = true;
 	}
+	if (inherit_spec != 0)
+	{
+		new_record[Anum_pg_authid_adminherit - 1] = BoolGetDatum(inherit_spec == 1);
+		new_record_repl[Anum_pg_authid_adminherit - 1] = true;
+	}
 
 	if (dcreaterole)
 	{
 		new_record[Anum_pg_authid_rolcreaterole - 1] = BoolGetDatum(boolVal(dcreaterole->arg));
 		new_record_repl[Anum_pg_authid_rolcreaterole - 1] = true;
 	}
+	if (createrole_spec != 0)
+	{
+		new_record[Anum_pg_authid_admcreaterole - 1] = BoolGetDatum(createrole_spec == 1);
+		new_record_repl[Anum_pg_authid_admcreaterole - 1] = true;
+	}
 
 	if (dcreatedb)
 	{
 		new_record[Anum_pg_authid_rolcreatedb - 1] = BoolGetDatum(boolVal(dcreatedb->arg));
 		new_record_repl[Anum_pg_authid_rolcreatedb - 1] = true;
 	}
+	if (createdb_spec != 0)
+	{
+		new_record[Anum_pg_authid_admcreatedb - 1] = BoolGetDatum(createdb_spec == 1);
+		new_record_repl[Anum_pg_authid_admcreatedb - 1] = true;
+	}
 
 	if (dcanlogin)
 	{
 		new_record[Anum_pg_authid_rolcanlogin - 1] = BoolGetDatum(boolVal(dcanlogin->arg));
 		new_record_repl[Anum_pg_authid_rolcanlogin - 1] = true;
 	}
+	if (canlogin_spec != 0)
+	{
+		new_record[Anum_pg_authid_admcanlogin - 1] = BoolGetDatum(canlogin_spec == 1);
+		new_record_repl[Anum_pg_authid_admcanlogin - 1] = true;
+	}
 
 	if (disreplication)
 	{
 		new_record[Anum_pg_authid_rolreplication - 1] = BoolGetDatum(boolVal(disreplication->arg));
 		new_record_repl[Anum_pg_authid_rolreplication - 1] = true;
 	}
+	if (replication_spec != 0)
+	{
+		new_record[Anum_pg_authid_admreplication - 1] = BoolGetDatum(replication_spec == 1);
+		new_record_repl[Anum_pg_authid_admreplication - 1] = true;
+	}
 
 	if (dconnlimit)
 	{
 		new_record[Anum_pg_authid_rolconnlimit - 1] = Int32GetDatum(connlimit);
 		new_record_repl[Anum_pg_authid_rolconnlimit - 1] = true;
 	}
+	if (connlimit_spec != 0)
+	{
+		new_record[Anum_pg_authid_admconnlimit - 1] = BoolGetDatum(connlimit_spec == 1);
+		new_record_repl[Anum_pg_authid_admconnlimit - 1] = true;
+	}
 
 	/* password */
 	if (password)
@@ -771,17 +920,32 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 		new_record_repl[Anum_pg_authid_rolpassword - 1] = true;
 		new_record_nulls[Anum_pg_authid_rolpassword - 1] = true;
 	}
+	if (password_spec != 0)
+	{
+		new_record[Anum_pg_authid_admpassword - 1] = BoolGetDatum(password_spec == 1);
+		new_record_repl[Anum_pg_authid_admpassword - 1] = true;
+	}
 
 	/* valid until */
 	new_record[Anum_pg_authid_rolvaliduntil - 1] = validUntil_datum;
 	new_record_nulls[Anum_pg_authid_rolvaliduntil - 1] = validUntil_null;
 	new_record_repl[Anum_pg_authid_rolvaliduntil - 1] = true;
+	if (validuntil_spec != 0)
+	{
+		new_record[Anum_pg_authid_admvaliduntil - 1] = BoolGetDatum(validuntil_spec == 1);
+		new_record_repl[Anum_pg_authid_admvaliduntil - 1] = true;
+	}
 
 	if (dbypassRLS)
 	{
 		new_record[Anum_pg_authid_rolbypassrls - 1] = BoolGetDatum(boolVal(dbypassRLS->arg));
 		new_record_repl[Anum_pg_authid_rolbypassrls - 1] = true;
 	}
+	if (bypassrls_spec != 0)
+	{
+		new_record[Anum_pg_authid_admbypassrls - 1] = BoolGetDatum(bypassrls_spec == 1);
+		new_record_repl[Anum_pg_authid_admbypassrls - 1] = true;
+	}
 
 	new_tuple = heap_modify_tuple(tuple, pg_authid_dsc, new_record,
 								  new_record_nulls, new_record_repl);
@@ -805,7 +969,7 @@ AlterRole(ParseState *pstate, AlterRoleStmt *stmt)
 		if (stmt->action == +1)		/* add members to role */
 			AddRoleMems(rolename, roleid,
 						rolemembers, roleSpecsToIds(rolemembers),
-						GetUserId(), false);
+						GetUserId(), false, false);
 		else if (stmt->action == -1)	/* drop members from role */
 			DelRoleMems(rolename, roleid,
 						rolemembers, roleSpecsToIds(rolemembers),
@@ -1264,7 +1428,7 @@ GrantRole(GrantRoleStmt *stmt)
 		if (stmt->is_grant)
 			AddRoleMems(rolename, roleid,
 						stmt->grantee_roles, grantee_ids,
-						grantor, stmt->admin_opt);
+						grantor, stmt->admin_opt, false);
 		else
 			DelRoleMems(rolename, roleid,
 						stmt->grantee_roles, grantee_ids,
@@ -1371,11 +1535,12 @@ roleSpecsToIds(List *memberNames)
  * memberIds: OIDs of roles to add
  * grantorId: who is granting the membership
  * admin_opt: granting admin option?
+ * creating: is roleid presently being created?
  */
 static void
 AddRoleMems(const char *rolename, Oid roleid,
 			List *memberSpecs, List *memberIds,
-			Oid grantorId, bool admin_opt)
+			Oid grantorId, bool admin_opt, bool creating)
 {
 	Relation	pg_authmem_rel;
 	TupleDesc	pg_authmem_dsc;
@@ -1401,8 +1566,7 @@ AddRoleMems(const char *rolename, Oid roleid,
 	}
 	else
 	{
-		if (!have_createrole_privilege() &&
-			!is_admin_of_role(grantorId, roleid))
+		if (!creating && !is_admin_of_role(grantorId, roleid))
 			ereport(ERROR,
 					(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					 errmsg("must have admin option on role \"%s\"",
diff --git a/src/backend/parser/gram.y b/src/backend/parser/gram.y
index b5966712ce..7503d3ead6 100644
--- a/src/backend/parser/gram.y
+++ b/src/backend/parser/gram.y
@@ -327,7 +327,7 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query);
 				PLpgSQL_Expr PLAssignStmt
 
 %type <node>	alter_column_default opclass_item opclass_drop alter_using
-%type <ival>	add_drop opt_asc_desc opt_nulls_order
+%type <ival>	add_drop opt_asc_desc opt_nulls_order opt_admin_spec
 
 %type <node>	alter_table_cmd alter_type_cmd opt_collate_clause
 	   replica_identity partition_cmd index_partition_cmd
@@ -356,8 +356,8 @@ static Node *makeRecursiveViewSelect(char *relname, List *aliases, Node *query);
 				opt_transaction_chain
 %type <ival>	opt_nowait_or_skip
 
-%type <list>	OptRoleList AlterOptRoleList
-%type <defelt>	CreateOptRoleElem AlterOptRoleElem
+%type <list>	OptRoleList AlterOptRoleList user_role_list
+%type <node>	CreateOptRoleElem AlterOptRoleElem
 
 %type <str>		opt_type
 %type <str>		foreign_server_version opt_foreign_server_version
@@ -1104,24 +1104,33 @@ AlterOptRoleList:
 		;
 
 AlterOptRoleElem:
-			PASSWORD Sconst
+			PASSWORD Sconst opt_admin_spec
 				{
-					$$ = makeDefElem("password",
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("password",
 									 (Node *)makeString($2), @1);
+					n->admin_spec = $3;
+					$$ = (Node *)n;
 				}
-			| PASSWORD NULL_P
+			| PASSWORD NULL_P opt_admin_spec
 				{
-					$$ = makeDefElem("password", NULL, @1);
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("password", NULL, @1);
+					n->admin_spec = $3;
+					$$ = (Node *)n;
 				}
-			| ENCRYPTED PASSWORD Sconst
+			| ENCRYPTED PASSWORD Sconst opt_admin_spec
 				{
 					/*
 					 * These days, passwords are always stored in encrypted
 					 * form, so there is no difference between PASSWORD and
 					 * ENCRYPTED PASSWORD.
 					 */
-					$$ = makeDefElem("password",
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("password",
 									 (Node *)makeString($3), @1);
+					n->admin_spec = $4;
+					$$ = (Node *)n;
 				}
 			| UNENCRYPTED PASSWORD Sconst
 				{
@@ -1131,67 +1140,111 @@ AlterOptRoleElem:
 							 errhint("Remove UNENCRYPTED to store the password in encrypted form instead."),
 							 parser_errposition(@1)));
 				}
-			| INHERIT
+			| INHERIT opt_admin_spec
+				{
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("inherit", (Node *)makeBoolean(true), @1);
+					n->admin_spec = $2;
+					$$ = (Node *)n;
+				}
+			| CONNECTION LIMIT SignedIconst opt_admin_spec
 				{
-					$$ = makeDefElem("inherit", (Node *)makeBoolean(true), @1);
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("connectionlimit", (Node *)makeInteger($3), @1);
+					n->admin_spec = $4;
+					$$ = (Node *)n;
 				}
-			| CONNECTION LIMIT SignedIconst
+			| CONNECTION LIMIT NONE opt_admin_spec
 				{
-					$$ = makeDefElem("connectionlimit", (Node *)makeInteger($3), @1);
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("connectionlimit", (Node *)makeInteger(-1), @1);
+					n->admin_spec = $4;
+					$$ = (Node *)n;
 				}
-			| VALID UNTIL Sconst
+			| VALID UNTIL Sconst opt_admin_spec
 				{
-					$$ = makeDefElem("validUntil", (Node *)makeString($3), @1);
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("validUntil", (Node *)makeString($3), @1);
+					n->admin_spec = $4;
+					$$ = (Node *)n;
+				}
+			| VALID ALWAYS opt_admin_spec
+				{
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("validUntil", (Node *)makeString("always"), @1);
+					n->admin_spec = $3;
+					$$ = (Node *)n;
 				}
 		/*	Supported but not documented for roles, for use by ALTER GROUP. */
-			| USER role_list
+			| USER role_list opt_admin_spec
 				{
-					$$ = makeDefElem("rolemembers", (Node *)$2, @1);
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("rolemembers", (Node *)$2, @1);
+					n->admin_spec = $3;
+					$$ = (Node *)n;
 				}
-			| IDENT
+			| IDENT opt_admin_spec
 				{
 					/*
 					 * We handle identifiers that aren't parser keywords with
 					 * the following special-case codes, to avoid bloating the
 					 * size of the main parser.
 					 */
+					RoleElem *n = makeNode(RoleElem);
+
+					/*
+					 * Record whether the user specified WITH GRANT OPTION.
+					 * Note that for some privileges this is always implied,
+					 * such as SUPERUSER, but we don't reflect that here.
+					 */
+					n->admin_spec = $2;
+
 					if (strcmp($1, "superuser") == 0)
-						$$ = makeDefElem("superuser", (Node *)makeBoolean(true), @1);
+						n->elem = makeDefElem("superuser", (Node *)makeBoolean(true), @1);
 					else if (strcmp($1, "nosuperuser") == 0)
-						$$ = makeDefElem("superuser", (Node *)makeBoolean(false), @1);
+					{
+						n->elem = makeDefElem("superuser", (Node *)makeBoolean(false), @1);
+						if (n->admin_spec == 1)
+							ereport(ERROR,
+									errcode(ERRCODE_SYNTAX_ERROR),
+									errmsg("only superusers may create new superusers"),
+									parser_errposition(@2));
+					}
 					else if (strcmp($1, "createrole") == 0)
-						$$ = makeDefElem("createrole", (Node *)makeBoolean(true), @1);
+						n->elem = makeDefElem("createrole", (Node *)makeBoolean(true), @1);
 					else if (strcmp($1, "nocreaterole") == 0)
-						$$ = makeDefElem("createrole", (Node *)makeBoolean(false), @1);
+						n->elem = makeDefElem("createrole", (Node *)makeBoolean(false), @1);
 					else if (strcmp($1, "replication") == 0)
-						$$ = makeDefElem("isreplication", (Node *)makeBoolean(true), @1);
+						n->elem = makeDefElem("isreplication", (Node *)makeBoolean(true), @1);
 					else if (strcmp($1, "noreplication") == 0)
-						$$ = makeDefElem("isreplication", (Node *)makeBoolean(false), @1);
+						n->elem = makeDefElem("isreplication", (Node *)makeBoolean(false), @1);
 					else if (strcmp($1, "createdb") == 0)
-						$$ = makeDefElem("createdb", (Node *)makeBoolean(true), @1);
+						n->elem = makeDefElem("createdb", (Node *)makeBoolean(true), @1);
 					else if (strcmp($1, "nocreatedb") == 0)
-						$$ = makeDefElem("createdb", (Node *)makeBoolean(false), @1);
+						n->elem = makeDefElem("createdb", (Node *)makeBoolean(false), @1);
 					else if (strcmp($1, "login") == 0)
-						$$ = makeDefElem("canlogin", (Node *)makeBoolean(true), @1);
+						n->elem = makeDefElem("canlogin", (Node *)makeBoolean(true), @1);
 					else if (strcmp($1, "nologin") == 0)
-						$$ = makeDefElem("canlogin", (Node *)makeBoolean(false), @1);
+						n->elem = makeDefElem("canlogin", (Node *)makeBoolean(false), @1);
 					else if (strcmp($1, "bypassrls") == 0)
-						$$ = makeDefElem("bypassrls", (Node *)makeBoolean(true), @1);
+						n->elem = makeDefElem("bypassrls", (Node *)makeBoolean(true), @1);
 					else if (strcmp($1, "nobypassrls") == 0)
-						$$ = makeDefElem("bypassrls", (Node *)makeBoolean(false), @1);
+						n->elem = makeDefElem("bypassrls", (Node *)makeBoolean(false), @1);
 					else if (strcmp($1, "noinherit") == 0)
 					{
 						/*
 						 * Note that INHERIT is a keyword, so it's handled by main parser, but
 						 * NOINHERIT is handled here.
 						 */
-						$$ = makeDefElem("inherit", (Node *)makeBoolean(false), @1);
+						n->elem = makeDefElem("inherit", (Node *)makeBoolean(false), @1);
 					}
 					else
 						ereport(ERROR,
 								(errcode(ERRCODE_SYNTAX_ERROR),
 								 errmsg("unrecognized role option \"%s\"", $1),
 									 parser_errposition(@1)));
+
+					$$ = (Node *)n;
 				}
 		;
 
@@ -1200,23 +1253,38 @@ CreateOptRoleElem:
 			/* The following are not supported by ALTER ROLE/USER/GROUP */
 			| SYSID Iconst
 				{
-					$$ = makeDefElem("sysid", (Node *)makeInteger($2), @1);
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("sysid", (Node *)makeInteger($2), @1);
+					n->admin_spec = 0;
+					$$ = (Node *)n;
 				}
 			| ADMIN role_list
 				{
-					$$ = makeDefElem("adminmembers", (Node *)$2, @1);
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("adminmembers", (Node *)$2, @1);
+					n->admin_spec = 0;
+					$$ = (Node *)n;
 				}
 			| ROLE role_list
 				{
-					$$ = makeDefElem("rolemembers", (Node *)$2, @1);
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("rolemembers", (Node *)$2, @1);
+					n->admin_spec = 0;
+					$$ = (Node *)n;
 				}
 			| IN_P ROLE role_list
 				{
-					$$ = makeDefElem("addroleto", (Node *)$3, @1);
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("addroleto", (Node *)$3, @1);
+					n->admin_spec = 0;
+					$$ = (Node *)n;
 				}
 			| IN_P GROUP_P role_list
 				{
-					$$ = makeDefElem("addroleto", (Node *)$3, @1);
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("addroleto", (Node *)$3, @1);
+					n->admin_spec = 0;
+					$$ = (Node *)n;
 				}
 		;
 
@@ -1385,13 +1453,12 @@ CreateGroupStmt:
  *****************************************************************************/
 
 AlterGroupStmt:
-			ALTER GROUP_P RoleSpec add_drop USER role_list
+			ALTER GROUP_P RoleSpec add_drop user_role_list
 				{
 					AlterRoleStmt *n = makeNode(AlterRoleStmt);
 					n->role = $3;
 					n->action = $4;
-					n->options = list_make1(makeDefElem("rolemembers",
-														(Node *)$6, @6));
+					n->options = $5;
 					$$ = (Node *)n;
 				}
 		;
@@ -1400,6 +1467,16 @@ add_drop:	ADD_P									{ $$ = +1; }
 			| DROP									{ $$ = -1; }
 		;
 
+user_role_list:
+			USER role_list
+				{
+					RoleElem *n = makeNode(RoleElem);
+					n->elem = makeDefElem("rolemembers", (Node *)$2, @2);
+					n->admin_spec = 0;
+					$$ = list_make1(n);
+				}
+		;
+
 
 /*****************************************************************************
  *
@@ -7257,6 +7334,12 @@ opt_grant_grant_option:
 			| /*EMPTY*/ { $$ = false; }
 		;
 
+opt_admin_spec:
+			WITH ADMIN OPTION { $$ = 1; }
+			| WITHOUT ADMIN OPTION { $$ = -1; }
+			| /* EMPTY */ { $$ = 0; }
+		;
+
 /*****************************************************************************
  *
  * GRANT and REVOKE ROLE statements
diff --git a/src/include/catalog/pg_authid.dat b/src/include/catalog/pg_authid.dat
index 6c28119fa1..4829a6dbd2 100644
--- a/src/include/catalog/pg_authid.dat
+++ b/src/include/catalog/pg_authid.dat
@@ -22,67 +22,93 @@
 { oid => '10', oid_symbol => 'BOOTSTRAP_SUPERUSERID',
   rolname => 'POSTGRES', rolsuper => 't', rolinherit => 't',
   rolcreaterole => 't', rolcreatedb => 't', rolcanlogin => 't',
-  rolreplication => 't', rolbypassrls => 't', rolconnlimit => '-1',
+  rolreplication => 't', rolbypassrls => 't', adminherit => 't', admcreaterole => 't',
+  admcreatedb => 't', admcanlogin => 't', admreplication => 't', admbypassrls => 't',
+  admconnlimit => 't', admpassword => 't', admvaliduntil => 't', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '6171', oid_symbol => 'ROLE_PG_DATABASE_OWNER',
   rolname => 'pg_database_owner', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '6181', oid_symbol => 'ROLE_PG_READ_ALL_DATA',
   rolname => 'pg_read_all_data', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '6182', oid_symbol => 'ROLE_PG_WRITE_ALL_DATA',
   rolname => 'pg_write_all_data', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '3373', oid_symbol => 'ROLE_PG_MONITOR',
   rolname => 'pg_monitor', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '3374', oid_symbol => 'ROLE_PG_READ_ALL_SETTINGS',
   rolname => 'pg_read_all_settings', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '3375', oid_symbol => 'ROLE_PG_READ_ALL_STATS',
   rolname => 'pg_read_all_stats', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '3377', oid_symbol => 'ROLE_PG_STAT_SCAN_TABLES',
   rolname => 'pg_stat_scan_tables', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '4569', oid_symbol => 'ROLE_PG_READ_SERVER_FILES',
   rolname => 'pg_read_server_files', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '4570', oid_symbol => 'ROLE_PG_WRITE_SERVER_FILES',
   rolname => 'pg_write_server_files', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '4571', oid_symbol => 'ROLE_PG_EXECUTE_SERVER_PROGRAM',
   rolname => 'pg_execute_server_program', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '4200', oid_symbol => 'ROLE_PG_SIGNAL_BACKEND',
   rolname => 'pg_signal_backend', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 { oid => '4544', oid_symbol => 'ROLE_PG_CHECKPOINTER',
   rolname => 'pg_checkpointer', rolsuper => 'f', rolinherit => 't',
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
-  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolreplication => 'f', rolbypassrls => 'f', adminherit => 'f', admcreaterole => 'f',
+  admcreatedb => 'f', admcanlogin => 'f', admreplication => 'f', admbypassrls => 'f',
+  admconnlimit => 'f', admpassword => 'f', admvaliduntil => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
 
 ]
diff --git a/src/include/catalog/pg_authid.h b/src/include/catalog/pg_authid.h
index 4b65e39a1f..4acdcaa685 100644
--- a/src/include/catalog/pg_authid.h
+++ b/src/include/catalog/pg_authid.h
@@ -39,6 +39,16 @@ CATALOG(pg_authid,1260,AuthIdRelationId) BKI_SHARED_RELATION BKI_ROWTYPE_OID(284
 	bool		rolcanlogin;	/* allowed to log in as session user? */
 	bool		rolreplication; /* role used for streaming replication */
 	bool		rolbypassrls;	/* bypasses row-level security? */
+
+	bool		adminherit;		/* allowed to administer inherit? */
+	bool		admcreaterole;	/* allowed to administer createrole? */
+	bool		admcreatedb;	/* allowed to administer createdb?? */
+	bool		admcanlogin;	/* allowed to administer login? */
+	bool		admreplication; /* allowed to administer replication? */
+	bool		admbypassrls;	/* allowed to administer bypassesrls? */
+	bool		admconnlimit;	/* allowed to administer connlimit? */
+	bool		admpassword;	/* allowed to administer password? */
+	bool		admvaliduntil;	/* allowed to administer validuntil? */
 	int32		rolconnlimit;	/* max connections allowed (-1=no limit) */
 
 	/* remaining fields may be null; use heap_getattr to read them! */
diff --git a/src/include/nodes/nodes.h b/src/include/nodes/nodes.h
index da35f2c272..065f58c485 100644
--- a/src/include/nodes/nodes.h
+++ b/src/include/nodes/nodes.h
@@ -361,6 +361,7 @@ typedef enum NodeTag
 	T_DiscardStmt,
 	T_CreateTrigStmt,
 	T_CreatePLangStmt,
+	T_RoleElem,
 	T_CreateRoleStmt,
 	T_AlterRoleStmt,
 	T_DropRoleStmt,
diff --git a/src/include/nodes/parsenodes.h b/src/include/nodes/parsenodes.h
index 3e9bdc781f..e19980d5ff 100644
--- a/src/include/nodes/parsenodes.h
+++ b/src/include/nodes/parsenodes.h
@@ -2618,19 +2618,26 @@ typedef enum RoleStmtType
 	ROLESTMT_GROUP
 } RoleStmtType;
 
+typedef struct RoleElem
+{
+	NodeTag		type;
+	DefElem	   *elem;
+	int			admin_spec;
+} RoleElem;
+
 typedef struct CreateRoleStmt
 {
 	NodeTag		type;
 	RoleStmtType stmt_type;		/* ROLE/USER/GROUP */
 	char	   *role;			/* role name */
-	List	   *options;		/* List of DefElem nodes */
+	List	   *options;		/* List of RoleElem nodes */
 } CreateRoleStmt;
 
 typedef struct AlterRoleStmt
 {
 	NodeTag		type;
 	RoleSpec   *role;			/* role */
-	List	   *options;		/* List of DefElem nodes */
+	List	   *options;		/* List of RoleElem nodes */
 	int			action;			/* +1 = add members, -1 = drop members */
 } AlterRoleStmt;
 
diff --git a/src/include/utils/acl.h b/src/include/utils/acl.h
index 1ce4c5556e..7cdc454869 100644
--- a/src/include/utils/acl.h
+++ b/src/include/utils/acl.h
@@ -317,6 +317,18 @@ extern bool pg_publication_ownercheck(Oid pub_oid, Oid roleid);
 extern bool pg_subscription_ownercheck(Oid sub_oid, Oid roleid);
 extern bool pg_statistics_object_ownercheck(Oid stat_oid, Oid roleid);
 extern bool has_createrole_privilege(Oid roleid);
+extern bool has_createdb_privilege(Oid roleid);
+extern bool has_canlogin_privilege(Oid roleid);
+extern bool has_replication_privilege(Oid roleid);
 extern bool has_bypassrls_privilege(Oid roleid);
+extern bool may_admin_createrole_privilege(Oid roleid);
+extern bool may_admin_createdb_privilege(Oid roleid);
+extern bool may_admin_canlogin_privilege(Oid roleid);
+extern bool may_admin_replication_privilege(Oid roleid);
+extern bool may_admin_bypassrls_privilege(Oid roleid);
+extern bool may_admin_inherit_privilege(Oid roleid);
+extern bool may_admin_connlimit_privilege(Oid roleid);
+extern bool may_admin_validuntil_privilege(Oid roleid);
+extern bool may_admin_password_privilege(Oid roleid);
 
 #endif							/* ACL_H */
diff --git a/src/test/regress/expected/create_role.out b/src/test/regress/expected/create_role.out
index 4e67d72760..20da6644b7 100644
--- a/src/test/regress/expected/create_role.out
+++ b/src/test/regress/expected/create_role.out
@@ -1,17 +1,72 @@
 -- ok, superuser can create users with any set of privileges
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
--- fail, only superusers can create users with these privileges
+-- ok, superuser can create a role that can create login replication users, but
+-- cannot itself login, nor perform replication
+CREATE ROLE regress_role_repladmin
+	CREATEROLE WITHOUT ADMIN OPTION		-- can create roles, but cannot give it away
+	NOCREATEDB WITHOUT ADMIN OPTION		-- cannot create db, nor give it away
+	NOLOGIN WITH ADMIN OPTION			-- cannot log in, but can give it away
+	NOREPLICATION WITH ADMIN OPTION		-- cannot replicate, but can give it away
+	NOBYPASSRLS WITHOUT ADMIN OPTION;	-- cannot bypassrls, nor give it away
+-- ok, superuser can create a role with CREATEROLE but restrict give-aways
+CREATE ROLE regress_role_minoradmin
+	NOSUPERUSER							-- WITHOUT ADMIN OPTION is implied
+	CREATEROLE WITHOUT ADMIN OPTION
+	NOCREATEDB WITHOUT ADMIN OPTION
+	NOLOGIN WITHOUT ADMIN OPTION
+	NOREPLICATION						-- WITHOUT ADMIN OPTION is implied
+	NOBYPASSRLS							-- WITHOUT ADMIN OPTION is implied
+	NOINHERIT WITHOUT ADMIN OPTION
+	CONNECTION LIMIT NONE WITHOUT ADMIN OPTION
+	VALID ALWAYS WITHOUT ADMIN OPTION
+	PASSWORD NULL WITHOUT ADMIN OPTION;
+-- fail, not granted privilege to create these users
+SET SESSION AUTHORIZATION regress_role_repladmin;
+CREATE ROLE regress_nosuch_superuser SUPERUSER;
+ERROR:  must be superuser to create superusers
+CREATE ROLE regress_nosuch_createrole CREATEROLE;
+ERROR:  must have grant option on CREATEROLE privilege to create createrole users
+CREATE ROLE regress_nosuch_createdb CREATEDB;
+ERROR:  must have grant option on CREATEDB privilege to create createdb users
+CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
+ERROR:  must have grant option on BYPASSRLS privilege to create bypassrls users
+CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
+ERROR:  must have grant option on BYPASSRLS privilege to create bypassrls users
+-- ok, can create login and replication users
+CREATE ROLE regress_role_login LOGIN;
+CREATE ROLE regress_role_replication REPLICATION;
+CREATE ROLE regress_role_login_replication LOGIN REPLICATION;
+-- fail, cannot create privileged users
+SET SESSION AUTHORIZATION regress_role_minoradmin;
+CREATE ROLE regress_nosuch_superuser SUPERUSER;
+ERROR:  must be superuser to create superusers
+CREATE ROLE regress_nosuch_createrole CREATEROLE;
+ERROR:  must have grant option on CREATEROLE privilege to create createrole users
+CREATE ROLE regress_nosuch_createdb CREATEDB;
+ERROR:  must have grant option on CREATEDB privilege to create createdb users
+CREATE ROLE regress_nosuch_replication REPLICATION;
+ERROR:  must have grant option on REPLICATION privilege to create replication users
+CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
+ERROR:  must have grant option on BYPASSRLS privilege to create bypassrls users
+-- ok, can create unprivileged roles
+CREATE ROLE regress_role_unprivileged;
+-- fail, CREATEROLE does not imply ADMIN on roles
+CREATE ROLE regress_nosuch_inrole IN ROLE regress_role_unprivileged;
+ERROR:  must have admin option on role "regress_role_unprivileged"
+CREATE ROLE regress_nosuch_inrole IN GROUP regress_role_unprivileged;
+ERROR:  must have admin option on role "regress_role_unprivileged"
+-- fail, having CREATEROLE does not by default give ADMIN OPTION on these
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
 ERROR:  must be superuser to create superusers
 CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
-ERROR:  must be superuser to create replication users
+ERROR:  must have grant option on REPLICATION privilege to create replication users
 CREATE ROLE regress_nosuch_replication REPLICATION;
-ERROR:  must be superuser to create replication users
+ERROR:  must have grant option on REPLICATION privilege to create replication users
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
-ERROR:  must be superuser to create bypassrls users
--- ok, having CREATEROLE is enough to create users with these privileges
+ERROR:  must have grant option on BYPASSRLS privilege to create bypassrls users
+-- ok, having CREATEROLE does by default give ADMIN OPTION on these
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
 CREATE ROLE regress_login LOGIN;
@@ -25,9 +80,16 @@ NOTICE:  SYSID can no longer be specified
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
 ERROR:  must be superuser to alter superusers
--- fail, database owner cannot have members
+-- fail, lack ADMIN privilege on role pg_database_owner;
 CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
+ERROR:  must have admin option on role "pg_database_owner"
+-- fail, database owner cannot have members
+RESET SESSION AUTHORIZATION;
+GRANT pg_database_owner TO regress_role_admin WITH ADMIN OPTION;
 ERROR:  role "pg_database_owner" cannot have explicit members
+SET SESSION AUTHORIZATION regress_role_admin;
+CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
+ERROR:  must have admin option on role "pg_database_owner"
 -- ok, can grant other users into a role
 CREATE ROLE regress_inroles ROLE
 	regress_role_super, regress_createdb, regress_createrole, regress_login,
@@ -73,7 +135,35 @@ ERROR:  must be owner of view tenant_view
 -- fail, cannot take ownership of these objects from regress_tenant
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
 ERROR:  permission denied to reassign objects
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
+CREATE ROLE regress_nosuch_read_all_data IN ROLE pg_read_all_data;
+ERROR:  must have admin option on role "pg_read_all_data"
+CREATE ROLE regress_nosuch_write_all_data IN ROLE pg_write_all_data;
+ERROR:  must have admin option on role "pg_write_all_data"
+CREATE ROLE regress_nosuch_monitor IN ROLE pg_monitor;
+ERROR:  must have admin option on role "pg_monitor"
+CREATE ROLE regress_nosuch_read_all_settings IN ROLE pg_read_all_settings;
+ERROR:  must have admin option on role "pg_read_all_settings"
+CREATE ROLE regress_nosuch_read_all_stats IN ROLE pg_read_all_stats;
+ERROR:  must have admin option on role "pg_read_all_stats"
+CREATE ROLE regress_nosuch_stat_scan_tables IN ROLE pg_stat_scan_tables;
+ERROR:  must have admin option on role "pg_stat_scan_tables"
+CREATE ROLE regress_nosuch_read_server_files IN ROLE pg_read_server_files;
+ERROR:  must have admin option on role "pg_read_server_files"
+CREATE ROLE regress_nosuch_write_server_files IN ROLE pg_write_server_files;
+ERROR:  must have admin option on role "pg_write_server_files"
+CREATE ROLE regress_nosuch_execute_server_program IN ROLE pg_execute_server_program;
+ERROR:  must have admin option on role "pg_execute_server_program"
+CREATE ROLE regress_nosuch_signal_backend IN ROLE pg_signal_backend;
+ERROR:  must have admin option on role "pg_signal_backend"
+-- ok, superuser can grant ADMIN on privileged roles
+SET SESSION AUTHORIZATION regress_role_super;
+GRANT pg_read_all_data, pg_write_all_data, pg_monitor, pg_read_all_settings,
+	  pg_read_all_stats, pg_stat_scan_tables, pg_read_server_files,
+	  pg_write_server_files, pg_execute_server_program, pg_signal_backend
+TO regress_createrole WITH ADMIN OPTION;
+-- ok, having CREATEROLE plus ADMIN is enough to create roles in privileged roles
+SET SESSION AUTHORIZATION regress_createrole;
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
 CREATE ROLE regress_monitor IN ROLE pg_monitor;
@@ -103,7 +193,89 @@ ERROR:  role "regress_nosuch_recursive" does not exist
 DROP ROLE regress_nosuch_admin_recursive;
 ERROR:  role "regress_nosuch_admin_recursive" does not exist
 DROP ROLE regress_plainrole;
+-- fail, cannot change attributes without ADMIN for them
+SET SESSION AUTHORIZATION regress_role_minoradmin;
+ALTER ROLE regress_role_login LOGIN;
+ERROR:  must have admin on login to change login attribute
+ALTER ROLE regress_role_login NOLOGIN;
+ERROR:  must have admin on login to change login attribute
+ALTER ROLE regress_role_login REPLICATION;
+ERROR:  must have admin on replication to alter replication roles or change replication attribute
+ALTER ROLE regress_role_login NOREPLICATION;
+ERROR:  must have admin on replication to alter replication roles or change replication attribute
+ALTER ROLE regress_role_login CREATEDB;
+ERROR:  must have admin on createdb to change createdb attribute
+ALTER ROLE regress_role_login NOCREATEDB;
+ERROR:  must have admin on createdb to change createdb attribute
+ALTER ROLE regress_role_login CREATEROLE;
+ERROR:  must have admin on createrole to change createrole attribute
+ALTER ROLE regress_role_login NOCREATEROLE;
+ERROR:  must have admin on createrole to change createrole attribute
+ALTER ROLE regress_role_login INHERIT;
+ERROR:  must have admin on inherit to change inherit attribute
+ALTER ROLE regress_role_login NOINHERIT;
+ERROR:  must have admin on inherit to change inherit attribute
+ALTER ROLE regress_role_login CONNECTION LIMIT 5;
+ERROR:  must have admin on connection limit to change connection limit attribute
+ALTER ROLE regress_role_login VALID ALWAYS;
+ERROR:  must have admin on valid until to change valid until attribute
+ALTER ROLE regress_role_login PASSWORD 'foobar';
+ERROR:  must have admin on password to change password attribute
+-- ok, regress_role_admin got ADMIN on attributes by way of having CREATEROLE
+SET SESSION AUTHORIZATION regress_role_admin;
+ALTER ROLE regress_role_login LOGIN;
+ALTER ROLE regress_role_login NOLOGIN;
+ALTER ROLE regress_role_login CREATEDB;
+ALTER ROLE regress_role_login NOCREATEDB;
+ALTER ROLE regress_role_login CREATEROLE;
+ALTER ROLE regress_role_login NOCREATEROLE;
+ALTER ROLE regress_role_login INHERIT;
+ALTER ROLE regress_role_login NOINHERIT;
+ALTER ROLE regress_role_login CONNECTION LIMIT 5;
+ALTER ROLE regress_role_login VALID ALWAYS;
+ALTER ROLE regress_role_login PASSWORD 'foobar';
+-- fail, regress_role_admin did not get ADMIN on these 
+ALTER ROLE regress_role_login SUPERUSER;
+ERROR:  must be superuser to alter superuser roles or change superuser attribute
+ALTER ROLE regress_role_login NOSUPERUSER;
+ERROR:  must be superuser to alter superuser roles or change superuser attribute
+ALTER ROLE regress_role_login REPLICATION;
+ERROR:  must have admin on replication to alter replication roles or change replication attribute
+ALTER ROLE regress_role_login NOREPLICATION;
+ERROR:  must have admin on replication to alter replication roles or change replication attribute
+ALTER ROLE regress_role_login BYPASSRLS;
+ERROR:  must have admin on bypassrls to change bypassrls attribute
+ALTER ROLE regress_role_login NOBYPASSRLS;
+ERROR:  must have admin on bypassrls to change bypassrls attribute
+-- superuser can grant them now, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_role_admin
+	NOREPLICATION WITH ADMIN OPTION
+	NOBYPASSRLS WITH ADMIN OPTION;
+-- ok, regress_role_admin can now grant these
+SET SESSION AUTHORIZATION regress_role_admin;
+ALTER ROLE regress_role_login REPLICATION;
+ALTER ROLE regress_role_login NOREPLICATION;
+ALTER ROLE regress_role_login BYPASSRLS;
+ALTER ROLE regress_role_login NOBYPASSRLS;
+-- fail, but regress_role_admin still cannot grant this
+ALTER ROLE regress_role_login SUPERUSER;
+ERROR:  must be superuser to alter superuser roles or change superuser attribute
+ALTER ROLE regress_role_login NOSUPERUSER;
+ERROR:  must be superuser to alter superuser roles or change superuser attribute
+-- ok, regress_role_admin can grant attributes with ADMIN
+ALTER ROLE regress_role_unprivileged LOGIN WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged CREATEDB WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged CREATEROLE WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged INHERIT WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged CONNECTION LIMIT 5 WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged VALID ALWAYS WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged PASSWORD 'foobar' WITH ADMIN OPTION;
 -- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_role_login;
+DROP ROLE regress_role_replication;
+DROP ROLE regress_role_login_replication;
+DROP ROLE regress_role_unprivileged;
 DROP ROLE regress_createdb;
 DROP ROLE regress_createrole;
 DROP ROLE regress_login;
@@ -141,5 +313,7 @@ DROP INDEX tenant_idx;
 DROP TABLE tenant_table;
 DROP VIEW tenant_view;
 DROP ROLE regress_tenant;
+DROP ROLE regress_role_minoradmin;
+DROP ROLE regress_role_repladmin;
 DROP ROLE regress_role_admin;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/expected/privileges.out b/src/test/regress/expected/privileges.out
index 291e21d7a6..60370626f4 100644
--- a/src/test/regress/expected/privileges.out
+++ b/src/test/regress/expected/privileges.out
@@ -59,6 +59,10 @@ CREATE GROUP regress_priv_group2 WITH USER regress_priv_user1, regress_priv_user
 ALTER GROUP regress_priv_group1 ADD USER regress_priv_user4;
 ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;	-- duplicate
 NOTICE:  role "regress_priv_user2" is already a member of role "regress_priv_group2"
+ALTER GROUP regress_priv_group2 ADD USER regress_priv_user4, regress_priv_user2;	-- duplicates
+NOTICE:  role "regress_priv_user2" is already a member of role "regress_priv_group2"
+ALTER GROUP regress_priv_group2 ADD USER regress_priv_user5, regress_priv_user6, regress_priv_user7;
+ALTER GROUP regress_priv_group2 DROP USER regress_priv_user7, regress_priv_user6, regress_priv_user5;
 ALTER GROUP regress_priv_group2 DROP USER regress_priv_user2;
 GRANT regress_priv_group2 TO regress_priv_user4 WITH ADMIN OPTION;
 -- prepare non-leakproof function for later
diff --git a/src/test/regress/sql/create_role.sql b/src/test/regress/sql/create_role.sql
index 292dc08797..c15fc33be3 100644
--- a/src/test/regress/sql/create_role.sql
+++ b/src/test/regress/sql/create_role.sql
@@ -2,14 +2,64 @@
 CREATE ROLE regress_role_super SUPERUSER;
 CREATE ROLE regress_role_admin CREATEDB CREATEROLE REPLICATION BYPASSRLS;
 
--- fail, only superusers can create users with these privileges
+-- ok, superuser can create a role that can create login replication users, but
+-- cannot itself login, nor perform replication
+CREATE ROLE regress_role_repladmin
+	CREATEROLE WITHOUT ADMIN OPTION		-- can create roles, but cannot give it away
+	NOCREATEDB WITHOUT ADMIN OPTION		-- cannot create db, nor give it away
+	NOLOGIN WITH ADMIN OPTION			-- cannot log in, but can give it away
+	NOREPLICATION WITH ADMIN OPTION		-- cannot replicate, but can give it away
+	NOBYPASSRLS WITHOUT ADMIN OPTION;	-- cannot bypassrls, nor give it away
+
+-- ok, superuser can create a role with CREATEROLE but restrict give-aways
+CREATE ROLE regress_role_minoradmin
+	NOSUPERUSER							-- WITHOUT ADMIN OPTION is implied
+	CREATEROLE WITHOUT ADMIN OPTION
+	NOCREATEDB WITHOUT ADMIN OPTION
+	NOLOGIN WITHOUT ADMIN OPTION
+	NOREPLICATION						-- WITHOUT ADMIN OPTION is implied
+	NOBYPASSRLS							-- WITHOUT ADMIN OPTION is implied
+	NOINHERIT WITHOUT ADMIN OPTION
+	CONNECTION LIMIT NONE WITHOUT ADMIN OPTION
+	VALID ALWAYS WITHOUT ADMIN OPTION
+	PASSWORD NULL WITHOUT ADMIN OPTION;
+
+-- fail, not granted privilege to create these users
+SET SESSION AUTHORIZATION regress_role_repladmin;
+CREATE ROLE regress_nosuch_superuser SUPERUSER;
+CREATE ROLE regress_nosuch_createrole CREATEROLE;
+CREATE ROLE regress_nosuch_createdb CREATEDB;
+CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
+CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
+
+-- ok, can create login and replication users
+CREATE ROLE regress_role_login LOGIN;
+CREATE ROLE regress_role_replication REPLICATION;
+CREATE ROLE regress_role_login_replication LOGIN REPLICATION;
+
+-- fail, cannot create privileged users
+SET SESSION AUTHORIZATION regress_role_minoradmin;
+CREATE ROLE regress_nosuch_superuser SUPERUSER;
+CREATE ROLE regress_nosuch_createrole CREATEROLE;
+CREATE ROLE regress_nosuch_createdb CREATEDB;
+CREATE ROLE regress_nosuch_replication REPLICATION;
+CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
+
+-- ok, can create unprivileged roles
+CREATE ROLE regress_role_unprivileged;
+
+-- fail, CREATEROLE does not imply ADMIN on roles
+CREATE ROLE regress_nosuch_inrole IN ROLE regress_role_unprivileged;
+CREATE ROLE regress_nosuch_inrole IN GROUP regress_role_unprivileged;
+
+-- fail, having CREATEROLE does not by default give ADMIN OPTION on these
 SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_superuser SUPERUSER;
 CREATE ROLE regress_nosuch_replication_bypassrls REPLICATION BYPASSRLS;
 CREATE ROLE regress_nosuch_replication REPLICATION;
 CREATE ROLE regress_nosuch_bypassrls BYPASSRLS;
 
--- ok, having CREATEROLE is enough to create users with these privileges
+-- ok, having CREATEROLE does by default give ADMIN OPTION on these
 CREATE ROLE regress_createdb CREATEDB;
 CREATE ROLE regress_createrole CREATEROLE;
 CREATE ROLE regress_login LOGIN;
@@ -24,7 +74,14 @@ CREATE ROLE regress_noiseword SYSID 12345;
 -- fail, cannot grant membership in superuser role
 CREATE ROLE regress_nosuch_super IN ROLE regress_role_super;
 
+-- fail, lack ADMIN privilege on role pg_database_owner;
+CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
+
 -- fail, database owner cannot have members
+RESET SESSION AUTHORIZATION;
+GRANT pg_database_owner TO regress_role_admin WITH ADMIN OPTION;
+
+SET SESSION AUTHORIZATION regress_role_admin;
 CREATE ROLE regress_nosuch_dbowner IN ROLE pg_database_owner;
 
 -- ok, can grant other users into a role
@@ -74,7 +131,27 @@ DROP VIEW tenant_view;
 -- fail, cannot take ownership of these objects from regress_tenant
 REASSIGN OWNED BY regress_tenant TO regress_createrole;
 
--- ok, having CREATEROLE is enough to create roles in privileged roles
+-- fail, having CREATEROLE is not enough to create roles in privileged roles
+CREATE ROLE regress_nosuch_read_all_data IN ROLE pg_read_all_data;
+CREATE ROLE regress_nosuch_write_all_data IN ROLE pg_write_all_data;
+CREATE ROLE regress_nosuch_monitor IN ROLE pg_monitor;
+CREATE ROLE regress_nosuch_read_all_settings IN ROLE pg_read_all_settings;
+CREATE ROLE regress_nosuch_read_all_stats IN ROLE pg_read_all_stats;
+CREATE ROLE regress_nosuch_stat_scan_tables IN ROLE pg_stat_scan_tables;
+CREATE ROLE regress_nosuch_read_server_files IN ROLE pg_read_server_files;
+CREATE ROLE regress_nosuch_write_server_files IN ROLE pg_write_server_files;
+CREATE ROLE regress_nosuch_execute_server_program IN ROLE pg_execute_server_program;
+CREATE ROLE regress_nosuch_signal_backend IN ROLE pg_signal_backend;
+
+-- ok, superuser can grant ADMIN on privileged roles
+SET SESSION AUTHORIZATION regress_role_super;
+GRANT pg_read_all_data, pg_write_all_data, pg_monitor, pg_read_all_settings,
+	  pg_read_all_stats, pg_stat_scan_tables, pg_read_server_files,
+	  pg_write_server_files, pg_execute_server_program, pg_signal_backend
+TO regress_createrole WITH ADMIN OPTION;
+
+-- ok, having CREATEROLE plus ADMIN is enough to create roles in privileged roles
+SET SESSION AUTHORIZATION regress_createrole;
 CREATE ROLE regress_read_all_data IN ROLE pg_read_all_data;
 CREATE ROLE regress_write_all_data IN ROLE pg_write_all_data;
 CREATE ROLE regress_monitor IN ROLE pg_monitor;
@@ -98,7 +175,75 @@ DROP ROLE regress_nosuch_recursive;
 DROP ROLE regress_nosuch_admin_recursive;
 DROP ROLE regress_plainrole;
 
+-- fail, cannot change attributes without ADMIN for them
+SET SESSION AUTHORIZATION regress_role_minoradmin;
+ALTER ROLE regress_role_login LOGIN;
+ALTER ROLE regress_role_login NOLOGIN;
+ALTER ROLE regress_role_login REPLICATION;
+ALTER ROLE regress_role_login NOREPLICATION;
+ALTER ROLE regress_role_login CREATEDB;
+ALTER ROLE regress_role_login NOCREATEDB;
+ALTER ROLE regress_role_login CREATEROLE;
+ALTER ROLE regress_role_login NOCREATEROLE;
+ALTER ROLE regress_role_login INHERIT;
+ALTER ROLE regress_role_login NOINHERIT;
+ALTER ROLE regress_role_login CONNECTION LIMIT 5;
+ALTER ROLE regress_role_login VALID ALWAYS;
+ALTER ROLE regress_role_login PASSWORD 'foobar';
+
+-- ok, regress_role_admin got ADMIN on attributes by way of having CREATEROLE
+SET SESSION AUTHORIZATION regress_role_admin;
+ALTER ROLE regress_role_login LOGIN;
+ALTER ROLE regress_role_login NOLOGIN;
+ALTER ROLE regress_role_login CREATEDB;
+ALTER ROLE regress_role_login NOCREATEDB;
+ALTER ROLE regress_role_login CREATEROLE;
+ALTER ROLE regress_role_login NOCREATEROLE;
+ALTER ROLE regress_role_login INHERIT;
+ALTER ROLE regress_role_login NOINHERIT;
+ALTER ROLE regress_role_login CONNECTION LIMIT 5;
+ALTER ROLE regress_role_login VALID ALWAYS;
+ALTER ROLE regress_role_login PASSWORD 'foobar';
+
+-- fail, regress_role_admin did not get ADMIN on these 
+ALTER ROLE regress_role_login SUPERUSER;
+ALTER ROLE regress_role_login NOSUPERUSER;
+ALTER ROLE regress_role_login REPLICATION;
+ALTER ROLE regress_role_login NOREPLICATION;
+ALTER ROLE regress_role_login BYPASSRLS;
+ALTER ROLE regress_role_login NOBYPASSRLS;
+
+-- superuser can grant them now, though
+RESET SESSION AUTHORIZATION;
+ALTER ROLE regress_role_admin
+	NOREPLICATION WITH ADMIN OPTION
+	NOBYPASSRLS WITH ADMIN OPTION;
+
+-- ok, regress_role_admin can now grant these
+SET SESSION AUTHORIZATION regress_role_admin;
+ALTER ROLE regress_role_login REPLICATION;
+ALTER ROLE regress_role_login NOREPLICATION;
+ALTER ROLE regress_role_login BYPASSRLS;
+ALTER ROLE regress_role_login NOBYPASSRLS;
+
+-- fail, but regress_role_admin still cannot grant this
+ALTER ROLE regress_role_login SUPERUSER;
+ALTER ROLE regress_role_login NOSUPERUSER;
+
+-- ok, regress_role_admin can grant attributes with ADMIN
+ALTER ROLE regress_role_unprivileged LOGIN WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged CREATEDB WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged CREATEROLE WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged INHERIT WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged CONNECTION LIMIT 5 WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged VALID ALWAYS WITH ADMIN OPTION;
+ALTER ROLE regress_role_unprivileged PASSWORD 'foobar' WITH ADMIN OPTION;
+
 -- ok, should be able to drop non-superuser roles we created
+DROP ROLE regress_role_login;
+DROP ROLE regress_role_replication;
+DROP ROLE regress_role_login_replication;
+DROP ROLE regress_role_unprivileged;
 DROP ROLE regress_createdb;
 DROP ROLE regress_createrole;
 DROP ROLE regress_login;
@@ -134,5 +279,7 @@ DROP INDEX tenant_idx;
 DROP TABLE tenant_table;
 DROP VIEW tenant_view;
 DROP ROLE regress_tenant;
+DROP ROLE regress_role_minoradmin;
+DROP ROLE regress_role_repladmin;
 DROP ROLE regress_role_admin;
 DROP ROLE regress_role_super;
diff --git a/src/test/regress/sql/privileges.sql b/src/test/regress/sql/privileges.sql
index c8c545b64c..8658b6e83c 100644
--- a/src/test/regress/sql/privileges.sql
+++ b/src/test/regress/sql/privileges.sql
@@ -72,6 +72,9 @@ CREATE GROUP regress_priv_group2 WITH USER regress_priv_user1, regress_priv_user
 ALTER GROUP regress_priv_group1 ADD USER regress_priv_user4;
 
 ALTER GROUP regress_priv_group2 ADD USER regress_priv_user2;	-- duplicate
+ALTER GROUP regress_priv_group2 ADD USER regress_priv_user4, regress_priv_user2;	-- duplicates
+ALTER GROUP regress_priv_group2 ADD USER regress_priv_user5, regress_priv_user6, regress_priv_user7;
+ALTER GROUP regress_priv_group2 DROP USER regress_priv_user7, regress_priv_user6, regress_priv_user5;
 ALTER GROUP regress_priv_group2 DROP USER regress_priv_user2;
 GRANT regress_priv_group2 TO regress_priv_user4 WITH ADMIN OPTION;
 
diff --git a/src/tools/pgindent/typedefs.list b/src/tools/pgindent/typedefs.list
index 89249ecc97..2bb87b3b45 100644
--- a/src/tools/pgindent/typedefs.list
+++ b/src/tools/pgindent/typedefs.list
@@ -2260,6 +2260,7 @@ RmgrData
 RmgrDescData
 RmgrId
 RmgrIds
+RoleElem
 RoleSpec
 RoleSpecType
 RoleStmtType
-- 
2.21.1 (Apple Git-122.3)