Re: BUG #15275: Trigger don't take supperuser role into account to create role

On 2018-07-11 17:14:17 +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference: 15275
> Logged by: Alexandre Marquis
> Email address: alexandre(dot)marquis(at)mamot(dot)gouv(dot)qc(dot)ca
> PostgreSQL version: 10.0
> Operating system: Windows
> Description:
>
> I've got a trigger whose purpose is to create a postgres user every time an
> employee is added to my employee table. If I use my SUPERUSER account to add
> an employee it doesn't work because I've got NOCREATEROLE instead of
> CREATEROLE. But according to the CREATE ROLE docs at
> https://www.postgresql.org/docs/10/static/sql-createrole.html, " You must
> have CREATEROLE privilege or be a database superuser to use this command."
> so as a superuser this should work.

I think you'll need to provide more context. Because the current
implementation indeed works like the docs suggest:

bool
has_createrole_privilege(Oid roleid)
{
bool result = false;
HeapTuple utup;

/* Superusers bypass all permission checking. */
if (superuser_arg(roleid))
return true;

utup = SearchSysCache1(AUTHOID, ObjectIdGetDatum(roleid));
if (HeapTupleIsValid(utup))
{
result = ((Form_pg_authid) GETSTRUCT(utup))->rolcreaterole;
ReleaseSysCache(utup);
}
return result;
}

(note the superuser check).

I suspect your problem is more likely related to the user that the
trigger runs under?

Greetings,

Andres Freund