On 2023-09-20 17:53 -0400, Michael Corey wrote:
> To make matters even more strange. I checked the permissions of
> rds_superuser in 15 and 14
>
> For 14
> GRANT pg_monitor, pg_signal_backend, rds_password, rds_replication TO
> rds_superuser WITH ADMIN OPTION;
>
> For 15
> GRANT pg_checkpoint, pg_monitor, *pg_read_all_data*, pg_signal_backend,
> *pg_write_all_data*, rds_password, rds_replication TO rds_superuser WITH
> ADMIN OPTION;
>
> AWS added these permissions, but based on what they do you would think this
> would allow the SELECTs in 15.
Yes it would if sten_schema would inherit from rds_superuser. But it
cannot inherit privileges from rds_superuser (indrect membership through
object_creator) because object_creator was created with NOINHERIT. And
INHERIT applies to direct memberships only.
--
Erik