Re: BUG #18934: Even with WITH ADMIN OPTION, I Cannot Manage Role Memberships

On Mon, 2025-05-19 at 08:44 +0000, PG Bug reporting form wrote:
> PostgreSQL version: 16.8
> Operating system:   Windows 10
>
> In PostgreSQL, I have a role hierarchy involving a user and two group roles:
> Roles:
>     tester1@something — a user role (not superuser)
>     user_manager — an intermediate group role
>     user_group — the target group role whose membership I want to manage
> > Role                    | Member Of         | `WITH ADMIN OPTION` |
> > `tester1@something`     | `user_manager`    | YES
> > `user_manager`          | `user_group`      | YES
> >
> In this configuration:
>     tester1@something should be able to add/remove members from user_group.
>     But it cannot — GRANT or REVOKE on user_group fails.
>     Even though tester1@something has full admin rights on user_manager, and
> user_manager has admin rights on user_group.
> Role Setup (After Manual Fix)
> When I run:
> REVOKE ADMIN OPTION FOR user_group FROM user_manager;
> So that now:
> Role                    Member Of      WITH ADMIN OPTION
> tester1@something       user_manager   YES
> user_manager            user_group     NO
> Now, unexpectedly:
>     tester1@something can add and remove members from user_group.
>     Even though no role in the chain has WITH ADMIN OPTION on user_group.

I cannot reproduce that:

  \c - postgres
  You are now connected to database "postgres" as user "postgres".

  CREATE ROLE a LOGIN;
  CREATE ROLE b ADMIN a;
  CREATE ROLE c ADMIN b;

  \drg
                            List of role grants
   Role name │         Member of         │       Options       │ Grantor
  ═══════════╪═══════════════════════════╪═════════════════════╪══════════
   a         │ b                         │ ADMIN, INHERIT, SET │ postgres
   b         │ c                         │ ADMIN, INHERIT, SET │ postgres
  [...]

  \c - a
  You are now connected to database "postgres" as user "a".

  GRANT c TO laurenz;

Works without a hitch!

Let's undo the grant and remove the ADMIN option as user "postgres":

  REVOKE c FROM laurenz;

  \c - postgres
  You are now connected to database "postgres" as user "postgres".

  GRANT c TO b WITH ADMIN FALSE;

  \drg
                            List of role grants
   Role name │         Member of         │       Options       │ Grantor
  ═══════════╪═══════════════════════════╪═════════════════════╪══════════
   a         │ b                         │ ADMIN, INHERIT, SET │ postgres
   b         │ c                         │ INHERIT, SET        │ postgres
  [...]

Now let's try again as user "a":

  \c - a
  You are now connected to database "postgres" as user "a".

  GRANT c TO laurenz;
  ERROR:  permission denied to grant role "c"
  DETAIL:  Only roles with the ADMIN option on role "c" may grant this role.

So please explain in detail what doesn't work for you.

Yours,
Laurenz Albe