Re: Orphaned users in PG16 and above can only be managed by Superusers - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Orphaned users in PG16 and above can only be managed by Superusers
Msg-id 219577.1737663016@sss.pgh.pa.us
In response to Re: Orphaned users in PG16 and above can only be managed by Superusers  (Tomas Vondra <tomas@vondra.me>)
Responses Re: Orphaned users in PG16 and above can only be managed by Superusers
List pgsql-hackers
Tomas Vondra <tomas@vondra.me> writes:
> So it seems to me having a predefined role that allows managing all
> roles (including orphaned ones) might be the good alternative. I
> initially wrote "cleaner", but it feels a bit wrong to allow orphaned
> roles and then have to "fix" this by having this predefined role. Not
> allowing orphaned roles seems cleaner, but it's not a bug either.

IMO, there is not any such thing as an orphaned role.  You can't drop
the bootstrap superuser, and a superuser can always manage any role.

The subtext of the current discussion, as near as I can tell, is
that certain service providers don't want to give their customers
superuser, and thus those customers would prefer not to get into
situations where superuser privileges are needed to clean things up.
That's fine, but it's a poor argument for making DROP ROLE far more
complicated and non-intuitive.

That line of reasoning leads to the same conclusion, that another
built-in role might be a suitable solution --- unless said role is
so powerful that the service providers might want to block access
to it too.  Probably limiting it to manage non-superuser roles is
good enough for that, but I'm not quite sure.

            regards, tom lane


