Make it possible to grant self-created roles #298
AddRoleMems(stmt->role, roleid,
            memberSpecs, memberIds,
            BOOTSTRAP_SUPERUSERID, true);
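Review bot: the trailing `true` in `AddRoleMems(stmt->role, roleid, memberSpecs, memberIds, BOOTSTRAP_SUPERUSERID, true)` is a bare positional boolean, so the call site does not say what it switches on; a short comment next to it, e.g. `/* creator gets ADMIN OPTION on the new role */`, would make the intent readable without looking up the function signature. It is also worth stating in the commit message that `BOOTSTRAP_SUPERUSERID` is passed as the grantor on purpose: with the bootstrap superuser as grantor of record, the CREATEROLE user cannot revoke the implicit grant but can still grant the created role back to themselves, which is the PG 16 behaviour this change mirrors.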
BOOTSTRAP_SUPERUSERID
Is that correct?
It is taken from PG 16:
    /*
     * If the current user isn't a superuser, make them an admin of the new
     * role so that they can administer the new object they just created.
     * Superusers will be able to do that anyway.
     *
     * The grantor of record for this implicit grant is the bootstrap
     * superuser, which means that the CREATEROLE user cannot revoke the
     * grant. They can however grant the created role back to themselves with
     * different options, since they enjoy ADMIN OPTION on it.
     */
    if (!superuser())
    {
        ...
        AddRoleMems(BOOTSTRAP_SUPERUSERID, stmt->role, roleid,
                    memberSpecs, memberIds,
                    BOOTSTRAP_SUPERUSERID, &poptself);
PG 16 also allows granting roles to themselves:
    /*
     * Because of the implicit grant above, a CREATEROLE user who creates
     * a role has the ability to grant that role back to themselves with
     * the INHERIT or SET options, if they wish to inherit the role's
     * privileges or be able to SET ROLE to it. The createrole_self_grant
     * GUC can be used to make this happen automatically. This has no
     * security implications since the same user is able to make the same
     * grant using an explicit GRANT statement; it's just convenient.
     */
    if (createrole_self_grant_enabled)
        AddRoleMems(currentUserId, stmt->role, roleid,
                    memberSpecs, memberIds,
                    currentUserId, &createrole_self_grant_options);
but I have not ported this fragment - it requires adding the createrole_self_grant_enabled
GUC and more related changes.
 * grant. They can however grant the created role back to themselves with
 * different options, since they enjoy ADMIN OPTION on it.
 */
if (!superuser())
Why not for roles which are superuser?
A superuser in any case has admin permission, so there is no need for this trick.
Co-authored-by: Konstantin Knizhnik <[email protected]>
See https://neondb.slack.com/archives/C04USJQNLD6/p1689973957908869