5

I'm sure I'm missing something simple, but I've created the following:

postgres=# \du
                          List of roles
 Role name |               Attributes                | Member of
-----------+-----------------------------------------+-----------
 admin     | No inheritance, Create DB, Cannot login | {}
 postgres  | Superuser, Create role, Create DB       | {}
 wade      |                                         | {admin}

(Note that Cannot login and No inheritance don't affect what's happening to wade, here. See the PostgreSQL documentation for role membership to understand why. —bignose)

However, when I try to create a db, I get:

bin wwilliam$ createdb -U wade test
Password:
createdb: database creation failed: ERROR:  permission denied to create database

What am I missing?

bignose
  • 30,281
  • 14
  • 77
  • 110
wadesworld
  • 13,535
  • 14
  • 60
  • 93

2 Answers2

10

An excerpt from the manual:

The INHERIT attribute governs inheritance of grantable privileges (that is, access privileges for database objects and role memberships). It does not apply to the special role attributes set by CREATE ROLE and ALTER ROLE. For example, being a member of a role with CREATEDB privilege does not immediately grant the ability to create databases, even if INHERIT is set; it would be necessary to become that role via SET ROLE before creating a database.

(Emphasis mine).

Milen A. Radev
  • 60,241
  • 22
  • 105
  • 110
0

In documentation:

The role attributes LOGIN, SUPERUSER, CREATEDB, and CREATEROLE can be thought of as special privileges, but they are never inherited as ordinary privileges on database objects are. You must actually SET ROLE to a specific role having one of these attributes in order to make use of the attribute

So you must activate admin role using SET ROLE admin; before creating DB.

Hùng Ng Vi
  • 1,251
  • 2
  • 14
  • 20