Remove various special checks around default roles

Default roles really should be like regular roles, for the most part.
This removes a number of checks that were trying to make default roles
extra special by not allowing them to be used as regular roles.

We still prevent users from creating roles in the "pg_" namespace or
from altering roles which exist in that namespace via ALTER ROLE, as
we can't preserve such changes, but otherwise the roles are very much
like regular roles.

Based on discussion with Robert and Tom.

9 files changed, 0 insertions, 56 deletions

diff --git a/src/backend/catalog/aclchk.c b/src/backend/catalog/aclchk.c
index 7d656d5c6de..d074e85b27a 100644
--- a/src/backend/catalog/aclchk.c
+++ b/src/backend/catalog/aclchk.c
@@ -423,9 +423,6 @@ ExecuteGrantStmt(GrantStmt *stmt)
 				grantee_uid = ACL_ID_PUBLIC;
 				break;
 			default:
-				if (!IsBootstrapProcessingMode())
-					check_rolespec_name((Node *) grantee,
-			"Cannot GRANT or REVOKE privileges to or from a reserved role.");
 				grantee_uid = get_rolespec_oid((Node *) grantee, false);
 				break;
 		}
@@ -921,8 +918,6 @@ ExecAlterDefaultPrivilegesStmt(AlterDefaultPrivilegesStmt *stmt)
 				grantee_uid = ACL_ID_PUBLIC;
 				break;
 			default:
-				check_rolespec_name((Node *) grantee,
-	"Cannot GRANT or REVOKE default privileges to or from a reserved role.");
 				grantee_uid = get_rolespec_oid((Node *) grantee, false);
 				break;
 		}
@@ -1013,8 +1008,6 @@ ExecAlterDefaultPrivilegesStmt(AlterDefaultPrivilegesStmt *stmt)
 		{
 			RoleSpec   *rolespec = lfirst(rolecell);
 
-			check_rolespec_name((Node *) rolespec,
-						"Cannot alter default privileges for reserved role.");
 			iacls.roleid = get_rolespec_oid((Node *) rolespec, false);
 
 			/*
diff --git a/src/backend/commands/alter.c b/src/backend/commands/alter.c
index 47a5c501320..4b08cb832e9 100644
--- a/src/backend/commands/alter.c
+++ b/src/backend/commands/alter.c
@@ -747,9 +747,6 @@ ExecAlterOwnerStmt(AlterOwnerStmt *stmt)
 {
 	Oid			newowner = get_rolespec_oid(stmt->newowner, false);
 
-	check_rolespec_name(stmt->newowner,
-						"Cannot make reserved roles owners of objects.");
-
 	switch (stmt->objectType)
 	{
 		case OBJECT_DATABASE:
diff --git a/src/backend/commands/foreigncmds.c b/src/backend/commands/foreigncmds.c
index 88cefb7f958..804bab2e1f5 100644
--- a/src/backend/commands/foreigncmds.c
+++ b/src/backend/commands/foreigncmds.c
@@ -1148,10 +1148,6 @@ CreateUserMapping(CreateUserMappingStmt *stmt)
 	else
 		useId = get_rolespec_oid(stmt->user, false);
 
-	/* Additional check to protect reserved role names */
-	check_rolespec_name(stmt->user,
-						"Cannot specify reserved role as mapping user.");
-
 	/* Check that the server exists. */
 	srv = GetForeignServerByName(stmt->servername, false);
 
@@ -1252,10 +1248,6 @@ AlterUserMapping(AlterUserMappingStmt *stmt)
 	else
 		useId = get_rolespec_oid(stmt->user, false);
 
-	/* Additional check to protect reserved role names */
-	check_rolespec_name(stmt->user,
-						"Cannot alter reserved role mapping user.");
-
 	srv = GetForeignServerByName(stmt->servername, false);
 
 	umId = GetSysCacheOid2(USERMAPPINGUSERSERVER,
@@ -1345,11 +1337,6 @@ RemoveUserMapping(DropUserMappingStmt *stmt)
 	else
 	{
 		useId = get_rolespec_oid(stmt->user, stmt->missing_ok);
-
-		/* Additional check to protect reserved role names */
-		check_rolespec_name(stmt->user,
-							"Cannot remove reserved role mapping user.");
-
 		if (!OidIsValid(useId))
 		{
 			/*
diff --git a/src/backend/commands/policy.c b/src/backend/commands/policy.c
index 146b36c2fa5..93d15e477af 100644
--- a/src/backend/commands/policy.c
+++ b/src/backend/commands/policy.c
@@ -176,13 +176,8 @@ policy_role_list_to_array(List *roles, int *num_roles)
 			return role_oids;
 		}
 		else
-		{
-			/* Additional check to protect reserved role names */
-			check_rolespec_name((Node *) spec,
-							"Cannot specify reserved role as policy target");
 			role_oids[i++] =
 				ObjectIdGetDatum(get_rolespec_oid((Node *) spec, false));
-		}
 	}
 
 	return role_oids;
diff --git a/src/backend/commands/schemacmds.c b/src/backend/commands/schemacmds.c
index dea3299ced5..a60ceb8eba7 100644
--- a/src/backend/commands/schemacmds.c
+++ b/src/backend/commands/schemacmds.c
@@ -65,10 +65,6 @@ CreateSchemaCommand(CreateSchemaStmt *stmt, const char *queryString)
 	else
 		owner_uid = saved_uid;
 
-	/* Additional check to protect reserved role names */
-	check_rolespec_name(stmt->authrole,
-						"Cannot specify reserved role as owner.");
-
 	/* fill schema name with the user name if not specified */
 	if (!schemaName)
 	{
diff --git a/src/backend/commands/tablecmds.c b/src/backend/commands/tablecmds.c
index 45a51446434..86e98148c16 100644
--- a/src/backend/commands/tablecmds.c
+++ b/src/backend/commands/tablecmds.c
@@ -3566,8 +3566,6 @@ ATExecCmd(List **wqueue, AlteredTableInfo *tab, Relation rel,
 												(List *) cmd->def, lockmode);
 			break;
 		case AT_ChangeOwner:	/* ALTER OWNER */
-			check_rolespec_name(cmd->newowner,
-								"Cannot specify reserved role as owner.");
 			ATExecChangeOwner(RelationGetRelid(rel),
 							  get_rolespec_oid(cmd->newowner, false),
 							  false, lockmode);
diff --git a/src/backend/commands/tablespace.c b/src/backend/commands/tablespace.c
index fe7f25337dc..7902d433d55 100644
--- a/src/backend/commands/tablespace.c
+++ b/src/backend/commands/tablespace.c
@@ -256,10 +256,6 @@ CreateTableSpace(CreateTableSpaceStmt *stmt)
 	else
 		ownerId = GetUserId();
 
-	/* Additional check to protect reserved role names */
-	check_rolespec_name(stmt->owner,
-						"Cannot specify reserved role as owner.");
-
 	/* Unix-ify the offered path, and strip any trailing slashes */
 	location = pstrdup(stmt->location);
 	canonicalize_path(location);
diff --git a/src/backend/commands/user.c b/src/backend/commands/user.c
index cc3d5645343..f0ac636b9b7 100644
--- a/src/backend/commands/user.c
+++ b/src/backend/commands/user.c
@@ -1262,18 +1262,10 @@ GrantRole(GrantRoleStmt *stmt)
 	ListCell   *item;
 
 	if (stmt->grantor)
-	{
-		check_rolespec_name(stmt->grantor,
-							"Cannot specify reserved role as grantor.");
 		grantor = get_rolespec_oid(stmt->grantor, false);
-	}
 	else
 		grantor = GetUserId();
 
-	foreach(item, stmt->grantee_roles)
-		check_rolespec_name(lfirst(item),
-							"Cannot GRANT roles to a reserved role.");
-
 	grantee_ids = roleSpecsToIds(stmt->grantee_roles);
 
 	/* AccessShareLock is enough since we aren't modifying pg_authid */
@@ -1364,9 +1356,6 @@ ReassignOwnedObjects(ReassignOwnedStmt *stmt)
 					 errmsg("permission denied to reassign objects")));
 	}
 
-	check_rolespec_name(stmt->newrole,
-						"Cannot specify reserved role as owner.");
-
 	/* Must have privileges on the receiving side too */
 	newrole = get_rolespec_oid(stmt->newrole, false);
 
diff --git a/src/backend/commands/variable.c b/src/backend/commands/variable.c
index 05e59a6e097..f801faacd29 100644
--- a/src/backend/commands/variable.c
+++ b/src/backend/commands/variable.c
@@ -794,10 +794,6 @@ check_session_authorization(char **newval, void **extra, GucSource source)
 		return false;
 	}
 
-	/* Do not allow setting role to a reserved role. */
-	if (strncmp(*newval, "pg_", 3) == 0)
-		return false;
-
 	/* Look up the username */
 	roleTup = SearchSysCache1(AUTHNAME, PointerGetDatum(*newval));
 	if (!HeapTupleIsValid(roleTup))
@@ -858,9 +854,6 @@ check_role(char **newval, void **extra, GucSource source)
 		roleid = InvalidOid;
 		is_superuser = false;
 	}
-	/* Do not allow setting role to a reserved role. */
-	else if (strncmp(*newval, "pg_", 3) == 0)
-		return false;
 	else
 	{
 		if (!IsTransactionState())