Azure Postgresql 16 CREATE ROLE REPLICATION lacks membership

Question

Azure Postgresql 16 CREATE ROLE REPLICATION lacks membership

LiborOndruek-3549 21

Hello all.

We have Azure postgresql flexible server 16.

I'm connected as main admin user (using password) named rixo_sa

If I'm trying to create role without params, role i s created with default membership of current user rixo_sa.

User's image

But the problem is when try to create role with some parameter enabled e.g. REPLICATION:

CREATE ROLE rixo_role_for_test2 REPLICATION;

Then role is created without membership to rixo_sa and is blocked for every alter or drop:

User's image

GRANT rixo_role_for_test2 TO rixo_etl;

[42501] ERROR: permission denied to grant role "rixo_role_for_test2" Detail: Only roles with the ADMIN option on role "rixo_role_for_test2" may grant this role.

What can I do with those roles, which are blocked and cannot be dropped?

DROP ROLE rixo_role_for_test2;

[42501] ERROR: permission denied to drop role Detail: Only roles with the CREATEROLE attribute and the ADMIN option on role "rixo_role_for_test2" may drop this role.

2 answers

Your answer

Answer 1

Hi @LiborOndruek-3549,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

As i understand that you are facing permission issues while creating and dropping roles in Azure PostgreSQL Flexible Server.

When you create a role with a parameter enabled, such as REPLICATION, the role is created without membership to the rixo_sa role. This is because the rixo_sa role does not have the CREATEROLE attribute and the ADMIN option on the rixo_role_for_test2 role.

To grant the rixo_role_for_test2 role to the rixo_etl role, you need to have the ADMIN option on the rixo_role_for_test2 role. You can grant the ADMIN option to the rixo_sa role by running the following command:

GRANT rixo_role_for_test2 TO rixo_sa WITH ADMIN OPTION;

After granting the ADMIN option to the rixo_sa role, you can grant the rixo_role_for_test2 role to the rixo_etl role:

GRANT rixo_role_for_test2 TO rixo_etl;

Regarding the issue with dropping the role, you need to have the CREATEROLE attribute and the ADMIN option on the rixo_role_for_test2 role to drop it. Since you do not have these permissions, you cannot drop the role. You can try to contact your database administrator to grant you the necessary permissions to drop the role.

For more information, please refer the document: https://www.postgresql.org/docs/16/release-16.html

User's image

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

LiborOndruek-3549 21 Reputation points

2024-10-01T07:37:03.9333333+00:00

duplicated comment

Answer 2

LiborOndruek-3549 21

Hi Maesh.

My admin user rixo_sa has by default CREATEROLE privilege.
User's image

The problem is little bit magical circle. If you want alter role which is not granting admin option of your role, you have to have admin option on this role.

User's image

The restriction is by design of Azure Database for PostgreSQL flexible server, where admin user (created by ARM API) has no superuser privileges and is not able to grant roles without admin permissions.

Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2024-10-01T11:50:44.1266667+00:00

Hi @LiborOndruek-3549,

You are correct that the rixo_sa user has the CREATEROLE privilege by default. However, to grant the ADMIN option on the rixo_role_for_test2 role, you need to have the GRANT option on the rixo_role_for_test2 role.

For more information, please refer the document: The server admin account

Since the rixo_sa user is not a superuser in the PostgreSQL server, you cannot grant the ADMIN option on the rixo_role_for_test2 role. In this case, you can try to contact your database administrator to grant you the necessary permissions to grant the ADMIN option on the rixo_role_for_test2 role.

For more please refer the document: GRANT on Roles. Alternatively, you can create a new role with the CREATEROLE attribute, and the ADMIN option enabled, and then grant the rixo_role_for_test2 role to this new role. This new role can then be used to grant the rixo_role_for_test2 role to the rixo_etl role.

I hope this information helps. Please do let us know if you have any further queries.
LiborOndruek-3549 21 Reputation points

2024-10-01T21:11:30.2766667+00:00

In this case, you can try to contact your database administrator to grant you the necessary permissions to grant the ADMIN option on the rixo_role_for_test2 role
I'm the owner of the subscription (highest admin in our comapany) and I have no chance to do it, thats why I'm contacting the community

Create new role is not solution but only different way because I cannot (as the service administrator) to drop this wrong role and this ids from my point of view issue in Azure Database for PostgreSQL flexible server service.
Oury Ba-MSFT 20,911 Reputation points Microsoft Employee Moderator

2024-10-02T17:10:35.55+00:00

@LiborOndruek-3549

Thank you for reaching out.

When did you upgraded to version 16.?

It is a newly created PostgreSQL server ?

Regards,

Oury
LiborOndruek-3549 21 Reputation points

2024-10-02T20:23:27.0166667+00:00

Hi Oury.

I created this service this week and is version 16.4
BR Libor
Christian Patry 10 Reputation points

2024-10-09T20:50:27.8233333+00:00

Same issue here!
I think it's a bug.

See this post: https://learn.microsoft.com/en-us/answers/questions/1767915/ability-to-grant-admin-user-admin-option-in-azure
Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2024-10-10T10:03:20.64+00:00
Hi @LiborOndruek-3549,

I apologize for the late response.

In PostgreSQL 16, users with CREATEROLE attribute no longer have the ability to hand out membership in any role to anyone; instead, like other users, without this attribute, they can only hand out memberships in roles for which they possess ADMIN OPTION. Also, in PostgreSQL 16, the CREATEROLE attribute still allows a nonsuperuser the ability to provision new users, however they can only drop users that they themselves created. Attempts to drop users, which isn't create by user with CREATEROLE attribute, will result in an error.

For more information, please refer the document: PostgreSQL 16 changes with role based security.

Alternatively try this:

REVOKE rixo_role_for_test2 FROM azure_pg_admin;

GRANT rixo_role_for_test2 TO azure_pg_admin WITH ADMIN OPTION.

SELECT roleid::regrole, member::regrole, grantor::regrole, admin_option FROM pg_auth_members WHERE roleid = 'rixo_role_for_test2'::regrole;

is a SQL query that can be used to verify the grantor of the rixo_role_for_test2 role in PostgreSQL.

I hope this information helps. Please do let us know if you have any further queries.
LiborOndruek-3549 21 Reputation points

2024-10-10T11:20:58.21+00:00
Hi Maesh.
however they can only drop users that they themselves created
This is not exactly true in PG 16.

If you create in PG 16 role with non superuser user and the creating role has REPLICATION oprion enabled, membership to this role will not be created and this is exactlu deadlock for this role changes. ONLY real superuser can change it and in Azure i have not REAL superuser privileges on administrator user.

Try this commands as administrator user:

-- Grant yourself REPLICATION attribute ALTER ROLE current_user REPLICATION; CREATE ROLE test_deadlocked_role WITH NOLOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT REPLICATION NOBYPASSRLS CONNECTION LIMIT -1; DROP ROLE test_deadlocked_role; -- Result: --

Error is raised because role test_deadlocked_role is created without "default" admin membership to administrator user!

Raw PG 16.4 server will create the admin membership normally.
Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2024-10-10T12:53:44.4133333+00:00

Hi @LiborOndruek-3549,

Have you tried the alternative method I suggested above?
LiborOndruek-3549 21 Reputation points

2024-10-10T12:54:40.1566667+00:00

By the documentation server parameter createrole_self_grant is probably not set correctly to value 'set' and cannot be set by API

LiborOndruek-3549 21

rixo_role_for_test2 is not member of role azure_pg_admin so it cannot be revoked because is not member of azure_pg_admin with admin option

User's image

> REVOKE rixo_role_for_test2 FROM azure_pg_admin
[2024-10-10 14:58:28] [42501] ERROR: permission denied to revoke role "rixo_role_for_test2"
[2024-10-10 14:58:28] Detail: Only roles with the ADMIN option on role "rixo_role_for_test2" may revoke this role.

> GRANT rixo_role_for_test2 TO azure_pg_admin WITH ADMIN OPTION
[2024-10-10 14:58:35] [42501] ERROR: permission denied to grant role "rixo_role_for_test2"
[2024-10-10 14:58:35] Detail: Only roles with the ADMIN option on role "rixo_role_for_test2" may grant this role.

LiborOndruek-3549 21

SELECT * FROM pg_catalog.pg_settings WHERE name = 'createrole_self_grant';

and response is

'createrole_self_grant', '', NULL, 'Client Connection Defaults / Statement Behavior', 'Sets whether a CREATEROLE user automatically grants the role to themselves, and with which options.', NULL, 'user', 'string', 'default', NULL, NULL, NULL, '', '', NULL, NULL, false

Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2024-10-16T18:31:44.5033333+00:00

Hi @LiborOndruek-3549,

I apologize for the delay in response.

I agree that this issue looks strange, and I wasn't able to reproduce this issue. If you have a support plan, could you please file a support ticket for deeper investigation and do share the SR# with us? In case if you don't have a support plan, please let us know here.
Mahesh Kurva 5,025 Reputation points Microsoft External Staff Moderator

2024-10-17T17:29:44.5266667+00:00

Hi @LiborOndruek-3549,

We haven’t heard from you on the last response and was just checking back to see if you've had a chance to submit a support ticket. If you have, a reference to the ticket number would be greatly appreciated. This will allow us to track the progress of your request and ensure you receive the most efficient support possible.

Share via

Azure Postgresql 16 CREATE ROLE REPLICATION lacks membership

2 answers

Your answer