The following bug has been logged on the website:
Bug reference: 18622
Logged by: Alexander Lakhin
Email address: exclusion@gmail.com
PostgreSQL version: 17rc1
Operating system: Ubuntu 22.04
Description:
The last command of the following script:
CREATE ROLE role0;
CREATE ROLE role1 WITH CREATEROLE;
SET role role1;
CREATE ROLE role2 WITH CREATEROLE;
SET role role2;
CREATE ROLE role3;
CREATE ROLE role4;
SET role role1;
CREATE ROLE role5 IN ROLE role3;
fails with
ERROR: XX000: no possible grantors
LOCATION: check_role_grantor, user.c:2232
whilst:
CREATE ROLE role5 IN ROLE role0;
fails with
ERROR: permission denied to grant role "role0"
DETAIL: Only roles with the ADMIN option on role "role0" may grant this
role.
Another, simpler example:
GRANT role3 TO role4;
ERROR: no possible grantors
Both "no possible grantors" errors go away after:
GRANT role2 TO role1 WITH INHERIT OPTION;
This error is raised at check_role_grantor() where it accompanied by the
comment:
We shouldn't fail to find a best grantor ...
This was added by ce6b672e44 and was true back then, until cf5eb37c5.
Now this error is raised due to a difference between:
check_role_membership_authorization() -> is_admin_of_role() ->
roles_is_member_of(member, ROLERECURSE_MEMBERS, ...)
and
check_role_grantor() -> select_best_admin() ->
roles_is_member_of(member, ROLERECURSE_PRIVS, ...)
