31

Some times ago I created a PostgreSQL user nameduser1 (PostgreSQL 9.4.9).

I want to drop this user. So I first revoke all permissions on tables, sequences, functions, default privileges and ownership too:

ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM user1;ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM user1;ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON FUNCTIONS FROM user1;REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM user1;REVOKE ALL ON ALL TABLES IN SCHEMA public FROM user1;REVOKE ALL ON ALL FUNCTIONS IN SCHEMA public FROM user1;REASSIGN OWNED BY user1 TO postgres;

However it seems that one object remains linked to this user in 2 databases:

postgres=# DROP ROLE user1;ERROR:  role "user1" cannot be dropped because some objects depend on itDETAIL:  1 object in database db11 object in database db2

It even seems to be a function:

postgres=# \c db1You are now connected to database "db1" as user "postgres".db1=# DROP ROLE user1;ERROR:  role "user1" cannot be dropped because some objects depend on itDETAIL:  privileges for function text(boolean)1 object in database db2

But I can not determine which object is owned or related to user1.

If Ipg_dump -s db1 | grep user1 I get no result! Could it be a global object?

How can I identify the missing object?

I have executed the commands in each database (db1 and db2). I do not want to drop objects owned byuser1, just want to reassign or remove grants for this user.

Paul White's user avatar
Paul White
96k30 gold badges446 silver badges702 bronze badges
askedNov 15, 2016 at 16:36
Nicolas Payart's user avatar
2
  • Related question that this does not seem to address, but would be useful to address as other posts link to this one: When the Error is of the form:Could not drop the role. ERROR: role "[username]" cannot be dropped because some objects depend on it DETAIL: [#] objects in database [dbname]. How do you identify these objects prior to reassigning and/or dropping them?CommentedAug 12, 2020 at 16:08
  • 1
    ignore the above comment. i'm an idiot. If you use the pgadmin4 GUI to right-click on a role and select delete/drop, you get only the above error message. But if you actually run the querydrop role [username], then you get the full report of all the privileges that are causing the error in the pgadmin Messages pane. :facepalm:CommentedAug 12, 2020 at 16:14

4 Answers4

26

Answer to question asked

To look for the function in the error message and its owner:

SELECT oid::regprocedure AS function     , pg_get_userbyid(proowner) AS ownerFROM   pg_procWHERE  oid = 'text(boolean)'::regprocedure;

Related:

Actual problem

The error message says:

DETAIL: privileges for function text(boolean)

It'snot about ownership but aboutprivileges.

The manual forDROP ROLE:

Before dropping the role, you must drop all the objects it owns (or reassign their ownership)and revoke any privileges the role has been granted on other objects.

And forALTER DEFAULT PRIVILEGES:

If you wish to drop a role for which the default privileges have been altered, it is necessary to reverse the changes in its default privileges or useDROP OWNED BY toget rid of the default privileges entry for the role.

It also looks like you only executedREASSIGN OWNED in one DB, butthe manual instructs:

BecauseREASSIGN OWNED does not affect objects within other databases, it is usually necessary toexecute this command in each database that contains objects owned by a role that is to be removed.

Bold emphasis mine.

And you restricted your commands withIN SCHEMA public. Drop that clause to target the whole DB. But don't bother, there is a ...

Simple solution withDROP OWNED

REASSIGN OWNED BY user1 TO postgres;DROP OWNED BY user1;

All the role's objects changed ownership topostgres with the first command and are safe now. The wording ofDROP OWNED is a bit misleading, since it also gets rid of all privileges and default privileges.The manual forDROP OWNED:

DROP OWNED drops all the objects within the current database that are owned by one of the specified roles.Any privileges granted to the given roles on objects in the current database and on shared objects (databases, tablespaces) will also be revoked.

Repeat in all relevant DBs, then you can move in for the kill:

DROP ROLE user1;
answeredNov 15, 2016 at 20:07
Erwin Brandstetter's user avatar
3
  • This finds nothing. YetDROP ROLE myuser throws an error because there are still objects that the user owns...CommentedSep 14, 2023 at 18:22
  • @Cerin What is "this"? TheSELECT query at the top, which only looks for routines (functions and procedures) matching the OP's problem. OrREASSIGN OWNED +DROP OWNED as suggested, which takes care ofall objects and privileges in the current DB? (Has to be executed in all DBs of the same DB cluster that may be involved.)CommentedSep 14, 2023 at 21:47
  • I want to link this answer. With help of that query can list objects access to which were granted to your role:dba.stackexchange.com/a/285595/91706CommentedFeb 20, 2024 at 15:27
17

The query below lists objects with owners. For all privileges we actually need more.

--r = ordinary table, i = index, S = sequence, v = view, m = materialized view, c = composite type, t = TOAST table, f = foreign tableSELECT     n.nspname AS schema_name,    c.relname AS rel_name,    c.relkind AS rel_kind,    pg_get_userbyid(c.relowner) AS owner_name  FROM pg_class c  JOIN pg_namespace n ON n.oid = c.relnamespaceUNION ALL-- functions (or procedures)SELECT    n.nspname AS schema_name,    p.proname,    'p',    pg_get_userbyid(p.proowner)  FROM pg_proc p  JOIN pg_namespace n ON n.oid = p.pronamespace
answeredNov 15, 2016 at 21:20
Sahap Asci's user avatar
3
  • 2
    I still do not find the missing object with this.CommentedNov 15, 2016 at 23:05
  • @NicolasPayart: Are you executing the query in the right database?CommentedNov 16, 2016 at 4:01
  • The answer with more other approaches:dba.stackexchange.com/q/4286/91706CommentedFeb 20, 2024 at 16:16
2

You need to first connect to the database.In your instance that would be

\c db1

and

\c db2

Then try running theREVOKE ALL PRIVILEGES andREASSIGN OWNED/DROP OWNED BY statements again.

answeredFeb 5, 2019 at 4:24
Samuel Anyaele's user avatar
1
  • 3
    Hey, thanks for your first answer. However, before posting, please think about what does this add to the existing answers, and describe this in your answer, too.CommentedFeb 5, 2019 at 8:55
-2

DROP ROLE also depends on privileges of the ROLE - see DETAIL in the below:

DROP USER alice;

ERROR: role "alice" cannot be dropped because some objects depend on itDETAIL: privileges for table bloat

REVOKE UPDATE on bloat FROM alice;

REVOKE

DROP USER alice;

DROP ROLE

answeredMar 19, 2024 at 12:28
Bair O. Pinuev's user avatar

Your Answer

Sign up orlog in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

By clicking “Post Your Answer”, you agree to ourterms of service and acknowledge you have read ourprivacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.