BUG #15275: Trigger don't take supperuser role into account to create role

Started by PG Bug reporting form, almost 8 years ago, 2 messages, bugs
#1 PG Bug reporting form
noreply@postgresql.org

The following bug has been logged on the website:

Bug reference: 15275
Logged by: Alexandre Marquis
Email address: alexandre.marquis@mamot.gouv.qc.ca
PostgreSQL version: 10.0
Operating system: Windows
Description:

I've got a trigger whose purpose is to create a postgres user every time an
employee is added to my employee table. If I use my SUPERUSER account to add
an employee it doesn't work because I've got NOCREATEROLE instead of
CREATEROLE. But according to the CREATE ROLE docs at
https://www.postgresql.org/docs/10/static/sql-createrole.html, "You must
have CREATEROLE privilege or be a database superuser to use this command."
so as a superuser this should work.

Thx for the help!

#2 Andres Freund
andres@anarazel.de
In reply to: PG Bug reporting form (#1)
Re: BUG #15275: Trigger don't take supperuser role into account to create role

On 2018-07-11 17:14:17 +0000, PG Bug reporting form wrote:

> The following bug has been logged on the website:
>
> Bug reference: 15275
> Logged by: Alexandre Marquis
> Email address: alexandre.marquis@mamot.gouv.qc.ca
> PostgreSQL version: 10.0
> Operating system: Windows
> Description:
>
> I've got a trigger whose purpose is to create a postgres user every time an
> employee is added to my employee table. If I use my SUPERUSER account to add
> an employee it doesn't work because I've got NOCREATEROLE instead of
> CREATEROLE. But according to the CREATE ROLE docs at
> https://www.postgresql.org/docs/10/static/sql-createrole.html, "You must
> have CREATEROLE privilege or be a database superuser to use this command."
> so as a superuser this should work.

I think you'll need to provide more context. Because the current
implementation indeed works like the docs suggest:

bool
has_createrole_privilege(Oid roleid)
{
    bool        result = false;
    HeapTuple   utup;

    /* Superusers bypass all permission checking. */
    if (superuser_arg(roleid))
        return true;

    utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
    if (HeapTupleIsValid(utup))
    {
        result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreaterole;
        ReleaseSysCache(utup);
    }
    return result;
}

(note the superuser check).

I suspect your problem is more likely related to the user that the
trigger runs under?

Greetings,

Andres Freund
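
One way to check which role a trigger on the employee table actually executes as, shown as an added example that is not code from this thread or from PostgreSQL itself: inside a SECURITY DEFINER function (or after SET ROLE) current_user differs from session_user, and privilege checks are made against current_user. The table, column, function and trigger names are hypothetical, and the sample row is constructed; run it in a scratch database.

```sql
-- Added diagnostic example; all object names below are hypothetical.
CREATE TABLE employee (
    id    serial PRIMARY KEY,
    login text NOT NULL
);

CREATE OR REPLACE FUNCTION employee_role_diag() RETURNS trigger
LANGUAGE plpgsql
AS $$
DECLARE
    eff record;
BEGIN
    -- current_user: the role privilege checks apply to inside this function.
    -- session_user: the role that authenticated the connection.
    SELECT rolname, rolsuper, rolcreaterole
      INTO eff
      FROM pg_roles
     WHERE rolname = current_user;

    RAISE NOTICE 'session_user=%, current_user=%, rolsuper=%, rolcreaterole=%',
        session_user, current_user, eff.rolsuper, eff.rolcreaterole;
    RETURN NEW;
END;
$$;

-- PostgreSQL 10 syntax (EXECUTE PROCEDURE).
CREATE TRIGGER employee_role_diag_trg
    BEFORE INSERT ON employee
    FOR EACH ROW EXECUTE PROCEDURE employee_role_diag();

-- For every user-defined trigger on the table: does its function switch
-- roles (SECURITY DEFINER), and what attributes does the function owner have?
SELECT t.tgname,
       p.proname,
       p.prosecdef                 AS security_definer,
       pg_get_userbyid(p.proowner) AS function_owner,
       r.rolsuper                  AS owner_is_superuser,
       r.rolcreaterole             AS owner_has_createrole
  FROM pg_trigger t
  JOIN pg_proc  p ON p.oid = t.tgfoid
  JOIN pg_roles r ON r.oid = p.proowner
 WHERE t.tgrelid = 'employee'::regclass
   AND NOT t.tgisinternal;

-- Constructed sample row; the NOTICE shows the effective role at trigger time.
INSERT INTO employee (login) VALUES ('constructed_sample_login');
```

If the catalog query reports security_definer = true with an owner that has neither rolsuper nor rolcreaterole, a CREATE ROLE issued inside that function is checked against the owner, not against the superuser who ran the INSERT.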