BUG: Orphaned roles cannot be dropped on Azure DB for PostgreSQL v16

Question

BUG: Orphaned roles cannot be dropped on Azure DB for PostgreSQL v16

Thuerriedl, Reinhard 20

With Azure Database for PostgreSQL Flexible Server V16 it is not possible to drop orphaned roles with the cloud provider admin account azure_pg_admin.

Only actual DB superusers can manage orphaned roles in PG V16. The community is aware of the problem and discussing if they should provide a "fix" or declare it a "feature". See https://www.postgresql.org/message-id/flat/CAE9k0PmwJxFcajwnouQECsRWhtGSe0OeXP-BK%3DG%2Bn1umjuqEBw%40mail.gmail.com

Steps to reproduce

Create chain of roles

postgres=> SELECT CURRENT_USER;
 current_user 
--------------
 postgres
(1 row)

postgres=> CREATE ROLE grandpa CREATEROLE;
GRANT grandpa TO CURRENT_USER; -- not needed on native PG and AWS
SET ROLE grandpa;
CREATE ROLE papa CREATEROLE;
GRANT papa TO CURRENT_USER; -- not needed on native PG and AWS
SET ROLE papa;
CREATE ROLE son;

-- output
CREATE ROLE
GRANT ROLE
SET
CREATE ROLE
GRANT ROLE
SET
CREATE ROLE

postgres=> \drg
                              List of role grants
   Role name    |          Member of          |       Options       | Grantor  
----------------+-----------------------------+---------------------+----------
 azure_pg_admin | pg_checkpoint               | ADMIN, INHERIT, SET | azuresu
 azure_pg_admin | pg_create_subscription      | ADMIN, INHERIT, SET | azuresu
 azure_pg_admin | pg_monitor                  | ADMIN, INHERIT, SET | azuresu
 azure_pg_admin | pg_read_all_data            | ADMIN, INHERIT, SET | azuresu
 azure_pg_admin | pg_read_all_settings        | ADMIN, INHERIT, SET | azuresu
 azure_pg_admin | pg_read_all_stats           | ADMIN, INHERIT, SET | azuresu
 azure_pg_admin | pg_signal_autovacuum_worker | ADMIN, INHERIT, SET | azuresu
 azure_pg_admin | pg_signal_backend           | ADMIN, INHERIT, SET | azuresu
 azure_pg_admin | pg_stat_scan_tables         | ADMIN, INHERIT, SET | azuresu
 grandpa        | papa                        | ADMIN               | azuresu
 grandpa        | papa                        | INHERIT, SET        | grandpa
 papa           | son                         | ADMIN               | azuresu
 postgres       | azure_pg_admin              | ADMIN, INHERIT, SET | azuresu
 postgres       | grandpa                     | ADMIN               | azuresu
 postgres       | grandpa                     | INHERIT, SET        | postgres
 postgres       | pg_read_all_settings        | ADMIN, INHERIT, SET | azuresu
 postgres       | pg_read_all_stats           | ADMIN, INHERIT, SET | azuresu
 postgres       | pg_stat_scan_tables         | ADMIN, INHERIT, SET | azuresu
 replication    | pg_use_reserved_connections | INHERIT, SET        | azuresu
(19 rows)

Create orphan and try to drop it

postgres=> SET ROLE grandpa;
DROP ROLE papa;
SET
DROP ROLE
postgres=> DROP ROLE son;
ERROR:  permission denied to drop role
DETAIL:  Only roles with the CREATEROLE attribute and the ADMIN option on role "son" may drop this role.

postgres=> SET ROLE postgres;
SET
postgres=> DROP ROLE son;
ERROR:  permission denied to drop role
DETAIL:  Only roles with the CREATEROLE attribute and the ADMIN option on role "son" may drop this role.

postgres=> SET ROLE azure_pg_admin;
SET
postgres=> DROP ROLE son;
ERROR:  permission denied to drop role
DETAIL:  Only roles with the CREATEROLE attribute and the ADMIN option on the target roles may drop roles.

No available user (including the admin account azure_pg_admin) can drop the orphaned role anymore!

At least on Azure. It is possible to drop the orphaned role with the AWS (Aurora-PostgreSQL) and GCP (Cloud SQL for PostgreSQL) managed PostgreSQL v16 databases.

Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-18T07:59:18.1466667+00:00

Hi Thuerriedl, Reinhard,

Greetings!

As I understand, you're encountering an issue with Azure Database for PostgreSQL Flexible Server (v16), where the cloud provider admin account azure_pg_admin is unable to drop orphaned roles due to permission restrictions introduced in PostgreSQL 16.

In PostgreSQL 16 significant changes were introduced to this attribute. In PostgreSQL 16, users with CREATEROLE attribute no longer have the ability to hand out membership in any role to anyone; instead, like other users, without this attribute, they can only hand out memberships in roles for which they possess ADMIN OPTION. Also, in PostgreSQL 16, the CREATEROLE attribute still allows a nonsuperuser the ability to provision new users, however they can only drop users that they themselves created.

https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-security#postgresql-16-changes-with-role-based-security

I hope this information helps. Please do let us know if you have any further queries.
Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-21T01:27:25.9833333+00:00

Hi Thuerriedl, Reinhard,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Thuerriedl, Reinhard 20 Reputation points

2025-04-21T19:50:52.27+00:00

Hi @Mahesh Kurva

thanks for your response. I know about the v16 changes in role management. No solution or workaround on my side. I hope Azure support can provide a solution.
Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-22T03:36:03.0033333+00:00

Hi Thuerriedl, Reinhard,

Apologies for the inconvenience caused.

We are reaching out to our internal team to explore a possible workaround for your query and will get back to you as soon as we have an update.

Thank you.
Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-24T01:00:54.6366667+00:00

Hi Thuerriedl, Reinhard,

Could you please share the details requested in the private message?
Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-25T01:34:27.2233333+00:00

Hi Thuerriedl, Reinhard,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-28T02:17:27.7566667+00:00

Hi Thuerriedl, Reinhard,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
PratikLad 1,125 Reputation points Microsoft External Staff Moderator

2025-04-30T03:48:11.42+00:00

Hi Thuerriedl, Reinhard,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. please share the requested information in private chat
Thuerriedl, Reinhard 20 Reputation points

2025-04-30T09:05:16.4066667+00:00

Hi @PratikLad @Mahesh Kurva
sorry, what information request in which private message? I am not aware of any message. EDIT: Found it and answered. Should I get some kind of notification for such messages or do I need to actively poll the private messages?
PratikLad 1,125 Reputation points Microsoft External Staff Moderator

2025-05-01T12:41:30.3966667+00:00

Hi Thuerriedl, Reinhard, We haven’t heard from you on the last response, please check the updated comment.

1 answer

Your answer

Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-18T07:59:18.1466667+00:00

Hi Thuerriedl, Reinhard,

Greetings!

As I understand, you're encountering an issue with Azure Database for PostgreSQL Flexible Server (v16), where the cloud provider admin account azure_pg_admin is unable to drop orphaned roles due to permission restrictions introduced in PostgreSQL 16.

In PostgreSQL 16 significant changes were introduced to this attribute. In PostgreSQL 16, users with CREATEROLE attribute no longer have the ability to hand out membership in any role to anyone; instead, like other users, without this attribute, they can only hand out memberships in roles for which they possess ADMIN OPTION. Also, in PostgreSQL 16, the CREATEROLE attribute still allows a nonsuperuser the ability to provision new users, however they can only drop users that they themselves created.

https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-security#postgresql-16-changes-with-role-based-security

I hope this information helps. Please do let us know if you have any further queries.
Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-21T01:27:25.9833333+00:00

Hi Thuerriedl, Reinhard,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Thuerriedl, Reinhard 20 Reputation points

2025-04-21T19:50:52.27+00:00

Hi @Mahesh Kurva

thanks for your response. I know about the v16 changes in role management. No solution or workaround on my side. I hope Azure support can provide a solution.
Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-22T03:36:03.0033333+00:00

Hi Thuerriedl, Reinhard,

Apologies for the inconvenience caused.

We are reaching out to our internal team to explore a possible workaround for your query and will get back to you as soon as we have an update.

Thank you.
Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-24T01:00:54.6366667+00:00

Hi Thuerriedl, Reinhard,

Could you please share the details requested in the private message?
Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-25T01:34:27.2233333+00:00

Hi Thuerriedl, Reinhard,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Mahesh Kurva 3,985 Reputation points Microsoft External Staff Moderator

2025-04-28T02:17:27.7566667+00:00

Hi Thuerriedl, Reinhard,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
PratikLad 1,125 Reputation points Microsoft External Staff Moderator

2025-04-30T03:48:11.42+00:00

Hi Thuerriedl, Reinhard,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. please share the requested information in private chat
Thuerriedl, Reinhard 20 Reputation points

2025-04-30T09:05:16.4066667+00:00

Hi @PratikLad @Mahesh Kurva
sorry, what information request in which private message? I am not aware of any message. EDIT: Found it and answered. Should I get some kind of notification for such messages or do I need to actively poll the private messages?
PratikLad 1,125 Reputation points Microsoft External Staff Moderator

2025-05-01T12:41:30.3966667+00:00

Hi Thuerriedl, Reinhard, We haven’t heard from you on the last response, please check the updated comment.

Answer 1

Hi Thuerriedl, Reinhard,

We have some limitation on Postgres 16, please check the below document.

Previously roles with CREATEROLE privileges could change many aspects of any non-superuser role. Such changes, including adding members, now require the role requesting the change to have ADMIN OPTION permission. For example, they can now change the CREATEDB, REPLICATION, and BYPASSRLS properties only if they also have those permissions.

https://www.postgresql.org/docs/16/release-16.html

To delete a non-superuser role in PostgreSQL, a user needs:

They must have the CREATEROLE privilege, which grants general permission to manage roles (including creating and deleting them).
They must also have been granted the ADMIN OPTION for the specific role they want to remove, which means they have explicit authority to manage that particular role.

I hope this answer your question.

Share via

BUG: Orphaned roles cannot be dropped on Azure DB for PostgreSQL v16

Steps to reproduce

1 answer

Your answer