Role Granting Issues in PostgreSQL: Need Help
Hi,
I need to assign role permissions from one role to another. However, after
granting the role, I see that the permission list for the target role has
not been updated. For this process, I followed the PostgreSQL documentation
available at PostgreSQL Role Membership
<https://www.postgresql.org/docs/current/role-membership.html>. Please let
me know if I've missed anything.
I am using PostgreSQL version 16 and I have followed these steps.
postgres=# select version();
version
---------------------------------------------------------------------------------------------------------
PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0
20210514 (Red Hat 8.5.0-22), 64-bit
(1 row)
1. Create a role with specific permissions
CREATE ROLE rep_admin WITH LOGIN CREATEDB CREATEROLE REPLICATION;
2.Create another role named replication_expert:
CREATE ROLE replication_expert;
3.Grant the rep_admin role to the replication_expert role with inheritance:
GRANT rep_admin TO replication_expert with INHERIT true;
GRANT ROLE
4.Attempt to log in using the replication_expert role:
postgres=# \c postgres replication_expert
connection to server on socket "/run/postgresql/.s.PGSQL.5432" failed:
FATAL: role "replication_expert" is not permitted to log in
5.Check the role attributes to see if they have been reflected:
postgres=# \du+
List of roles
Role name | Attributes
| Description
--------------------+------------------------------------------------------------+-------------
postgres | Superuser, Create role, Create DB, Replication,
Bypass RLS |
rep_admin | Create role, Create DB, Replication
|
replication_expert | Cannot login
6.Examine the pg_roles table to confirm that the permissions for
replication_expert have not been updated:
postgres=# SELECT rolname,rolinherit, rolcreaterole, rolcreatedb,
rolcanlogin,rolreplication
FROM pg_roles where rolname in('rep_admin','replication_expert');;
rolname | rolinherit | rolcreaterole | rolcreatedb |
rolcanlogin | rolreplication
--------------------+------------+---------------+-------------+-------------+----------------
rep_admin | t | t | t | t
| t
replication_expert | t | f | f | f
| f
(2 rows)
postgres=#
Regards,
Muhammad Imtiaz
On Wednesday, September 4, 2024, Muhammad Imtiaz <imtiazpg712@gmail.com>
wrote:
1. Create a role with specific permissions
CREATE ROLE rep_admin WITH LOGIN CREATEDB CREATEROLE REPLICATION;
List of roles
Role name | Attributes
| Description
--------------------+---------------------------------------
---------------------+-------------
postgres | Superuser, Create role, Create DB, Replication,
Bypass RLS |
rep_admin | Create role, Create DB, Replication
|
replication_expert | Cannot login6.Examine the pg_roles table to confirm that the permissions for
replication_expert have not been updated:postgres=# SELECT rolname,rolinherit, rolcreaterole, rolcreatedb,
rolcanlogin,rolreplication
FROM pg_roles where rolname in('rep_admin','replication_expert');;
rolname | rolinherit | rolcreaterole | rolcreatedb |
rolcanlogin | rolreplication
--------------------+------------+---------------+----------
---+-------------+----------------
rep_admin | t | t | t | t
| t
replication_expert | t | f | f | f
| f
(2 rows)
Those are not permissions, they are attributes, and attributes are not
inherited.
David J.
"David G. Johnston" <david.g.johnston@gmail.com> writes:
On Wednesday, September 4, 2024, Muhammad Imtiaz <imtiazpg712@gmail.com>
wrote:replication_expert | Cannot login
Those are not permissions, they are attributes, and attributes are not
inherited.
Specifically: the NOLOGIN attribute on a role is a hard block on
logging in with that role, independently of any and every other
condition.
regards, tom lane