Re: Orphaned users in PG16 and above can only be managed by Superusers

On Wed, Mar 5, 2025 at 3:13 PM Nathan Bossart <nathandbossart@gmail.com> wrote:
> * The patch alleges to only block DROP ROLE commands when there exists
>   _both_ admins of the target role and roles for which the target role is
>   an admin.  However, it's not clear to me why both need to be true.  I
>   might be able to glean the reason if I read this thread carefully or
>   spend more time thinking about it, but IMHO that patch itself should make
>   it obvious.  I'd suggest expanding the comment atop
>   check_drop_role_dependency().

The error message needs work, too. Nobody is ever going to guess what
the rule is from that error message.

> * Does this introduce any race conditions?  For example, is it possible for
>   the new check to pass and then for a dependency to be added before the
>   drop completes?

This is a serious concern for me as well.

--
Robert Haas
EDB: http://www.enterprisedb.com