Hi, Thank you for your reply.
> PostgreSQL calls select_best_admin() internally. If that function returns > InvalidOid, I think it means that “The system tried all the possible > grantor roles (roles we belong to that have ADMIN OPTION), but none are > currently usable.” i.e the system couldn’t find a grantor role in the > current context, so it reports: "no possible grantors" +1 > Again I think a “permission denied” would imply we tried as a specific > role, and that role doesn’t have permission. But here, Postgres never even > found which role we could be acting as. So from the system’s logic, it’s > not a denied action; it’s “no valid takers found to even attempt the > action.” Due to the "revoke inherit option for u2 from u1", I think reporting "permission denied ..." here is reasonable. The "no possible grantors" is more like an internal error, and should not be reported to users. > I believe is_admin_of_role() uses ROLERECURSE_MEMBERS because > is_admin_of_role() is not used for permission enforcement and Its purpose > is to answer checks like “does A have the ADMIN OPTION for B (anywhere in > the membership graph)?” So it needs to see all possible relationships, even > if the intermediate memberships are non-inheriting or currently inactive. But many places report "permission denied ..." if is_admin_of_role() return false. -- Regards, ChangAo Chen
