Re: BUG #18934: Even with WITH ADMIN OPTION, I Cannot Manage Role Memberships

On Mon, 2025-05-19 at 08:44 +0000, PG Bug reporting form wrote:
> PostgreSQL version: 16.8
> Operating system: Windows 10
>
> In PostgreSQL, I have a role hierarchy involving a user and two group roles:
> Roles:
> tester1(at)something — a user role (not superuser)
> user_manager — an intermediate group role
> user_group — the target group role whose membership I want to manage
> > Role | Member Of | `WITH ADMIN OPTION` |
> > `tester1(at)something` | `user_manager` | YES
> > `user_manager` | `user_group` | YES
> >
> In this configuration:
> tester1(at)something should be able to add/remove members from user_group.
> But it cannot — GRANT or REVOKE on user_group fails.
> Even though tester1(at)something has full admin rights on user_manager, and
> user_manager has admin rights on user_group.
> Role Setup (After Manual Fix)
> When I run:
> REVOKE ADMIN OPTION FOR user_group FROM user_manager;
> So that now:
> Role Member Of WITH ADMIN OPTION
> tester1(at)something user_manager YES
> user_manager user_group NO
> Now, unexpectedly:
> tester1(at)something can add and remove members from user_group.
> Even though no role in the chain has WITH ADMIN OPTION on user_group.

I cannot reproduce that:

\c - postgres
You are now connected to database "postgres" as user "postgres".

CREATE ROLE a LOGIN;
CREATE ROLE b ADMIN a;
CREATE ROLE c ADMIN b;

\drg
List of role grants
Role name │ Member of │ Options │ Grantor
═══════════╪═══════════════════════════╪═════════════════════╪══════════
a │ b │ ADMIN, INHERIT, SET │ postgres
b │ c │ ADMIN, INHERIT, SET │ postgres
[...]

\c - a
You are now connected to database "postgres" as user "a".

GRANT c TO laurenz;

Works without a hitch!

Let's undo the grant and remove the ADMIN option as user "postgres":

REVOKE c FROM laurenz;

\c - postgres
You are now connected to database "postgres" as user "postgres".

GRANT c TO b WITH ADMIN FALSE;

\drg
List of role grants
Role name │ Member of │ Options │ Grantor
═══════════╪═══════════════════════════╪═════════════════════╪══════════
a │ b │ ADMIN, INHERIT, SET │ postgres
b │ c │ INHERIT, SET │ postgres
[...]

Now let's try again as user "a":

\c - a
You are now connected to database "postgres" as user "a".

GRANT c TO laurenz;
ERROR: permission denied to grant role "c"
DETAIL: Only roles with the ADMIN option on role "c" may grant this role.

So please explain in detail what doesn't work for you.

Yours,
Laurenz Albe