
Fix role propagation error due to missing grantor dependencies#8466

Draft
Copilot wants to merge 7 commits intomainfrom
copilot/fix-role-propagation-error

Conversation

Contributor

Copilot AI commented Feb 5, 2026

DESCRIPTION: Add grantor role dependencies to fix node addition with interdependent roles

Problem

When adding nodes to a cluster, role propagation fails if role A is used as a grantor when granting role B to role C:

-- Role setup on coordinator
GRANT read_only_role TO role1 WITH ADMIN OPTION;
GRANT read_only_role TO role2 GRANTED BY role1;

-- Adding node fails with:
-- ERROR: permission denied to grant privileges as role "role1"
-- DETAIL: The grantor must have the ADMIN option on the role

The issue: role2 is propagated before role1 has its admin options established, causing the GRANTED BY role1 statement to fail.

Changes

Modified ExpandRolesToGroups in dependency.c to track grantor roles as dependencies alongside role memberships. This ensures grantors are propagated before roles that reference them in grant statements.

Before: Only roles where roleid is a member were tracked
After: Both member roles and grantor roles are tracked as dependencies

Added regression test covering the interdependent role scenario from the issue.


Original prompt

This section details the original issue you should resolve

<issue_title>Role propagation error due to interdependent roles while adding new nodes</issue_title>
<issue_description>On the cluster, we had a role set like the following:

select * from pg_roles;

rolname: read_only_role
rolsuper = f       
rolinherit = t          
rolcreaterole = f
rolcreatedb = f
rolcanlogin = t
rolreplication = f
rolbypassrls = f
rolconnlimit = -1 
rolvaliduntil = ''
SELECT
  parent.rolname  AS role,
  member.rolname  AS member,
  am.admin_option
FROM pg_auth_members am
JOIN pg_roles parent ON parent.oid = am.roleid
JOIN pg_roles member ON member.oid = am.member
ORDER BY role, member;

            role             |     member     | admin_option
-----------------------------+----------------+--------------
...
...
read_only_role              | role1     | t
read_only_role              | role2     | f
role2                       | role1     | t

On the Pg logs for the newly created node:

... ERROR: permission denied to grant priviledges as role "role1"
... DETAIL:  The grantor must have the ADMIN option on the role "read_only_role"
STATEMENT: SELECT woker_create_or_alter_role("role2", 'CREATE ROLE role2 NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1 PASSWORD ''SCRAM SHA *** '); GRANT read_only_role to role2 WITH INHERIT TRUE GRANTED BY role1;

In the newly created node, citus creates the objects in the following order:

- CREATE ROLE read_only_role
- CREATE ROLE role2
- GRANT read_only_role to role2 WITH INHERIT TRUE GRANTED BY role1;
      - ... but at this time, since role1 does not have the ADMIN option, the above query cannot succeed.
      - The fix is to make sure to create the "read_only_role | role1 | t" entry before the above

To sum up, citus creates roles that have interdependencies in an incorrect order, and this failure causes the add node operation to fail. The new node cannot be registered until we log in to the new node and execute:

CREATE ROLE read_only_role WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT -1
GRANT read_only_role TO  espdevadmin  WITH ADMIN OPTION;

so that node registration can succeed.
</issue_description>

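To make the ordering problem in the PR description concrete, here is an added example (not Citus code, and not part of this PR) that models role propagation as a topological sort over constructed pg_auth_members-style rows. `propagation_order` reproduces the "before" behaviour (only membership tracked) and the "after" behaviour (grantors tracked as well), and `apply_grants` replays the grants under PostgreSQL's rule that a `GRANTED BY` grantor must already hold ADMIN OPTION on the role. The role names and the catalog scan order are assumptions chosen to expose the bug.

```python
"""Role propagation order with and without grantor dependencies (illustrative)."""
from collections import defaultdict, deque

# Constructed sample: the PR's scenario, with the roles listed in an
# unlucky catalog scan order (role2 before role1). A grantor of None
# stands for the bootstrap superuser, which always passes the check.
ROLES = ["read_only_role", "role2", "role1"]
GRANTS = [
    # (role, member, admin_option, grantor)
    ("read_only_role", "role1", True, None),     # GRANT ... TO role1 WITH ADMIN OPTION
    ("read_only_role", "role2", False, "role1"), # GRANT ... TO role2 GRANTED BY role1
]


def propagation_order(roles, grants, track_grantors):
    """Return a topological order of roles. Each role depends on the roles it
    is a member of; with track_grantors it also depends on the grantor of each
    grant in which it is the member (the dependency the PR adds)."""
    deps = {r: set() for r in roles}
    for role, member, _admin, grantor in grants:
        deps[member].add(role)
        if track_grantors and grantor is not None:
            deps[member].add(grantor)
    done, order = set(), []
    ready = deque(r for r in roles if not deps[r])
    while ready:
        r = ready.popleft()
        order.append(r)
        done.add(r)
        # Ties are broken by catalog order, as a scan-driven implementation would.
        newly = [n for n in roles if n not in done and n not in ready and deps[n] <= done]
        ready.extend(newly)
    if len(order) != len(roles):
        raise ValueError("cycle among roles: " + ", ".join(sorted(set(roles) - done)))
    return order


def apply_grants(order, grants):
    """Replay each role's grants in `order`, enforcing that a GRANTED BY grantor
    already holds ADMIN OPTION on the role (the error seen on the new node)."""
    admins = defaultdict(set)  # role -> members holding ADMIN OPTION
    applied = []
    for member in order:
        for role, m, admin, grantor in grants:
            if m != member:
                continue
            if grantor is not None and grantor not in admins[role]:
                raise PermissionError(f'permission denied to grant privileges as role "{grantor}"')
            if admin:
                admins[role].add(member)
            applied.append((role, member, grantor))
    return applied
```

On the issue's fuller catalog, where role1 is additionally a member of role2, the membership and grantor dependencies form a cycle, which this simple sort reports rather than resolves.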

Copilot AI and others added 4 commits February 5, 2026 09:10
Co-authored-by: emelsimsek <13130350+emelsimsek@users.noreply.github.com>
…O(n) complexity

Co-authored-by: emelsimsek <13130350+emelsimsek@users.noreply.github.com>
Co-authored-by: emelsimsek <13130350+emelsimsek@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix role propagation error for interdependent roles Fix role propagation error due to missing grantor dependencies Feb 5, 2026
Copilot AI requested a review from emelsimsek February 5, 2026 09:15
codecov bot commented Feb 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.91%. Comparing base (4d6fb1d) to head (8dade25).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #8466   +/-   ##
=======================================
  Coverage   88.90%   88.91%           
=======================================
  Files         286      286           
  Lines       63227    63235    +8     
  Branches     7937     7938    +1     
=======================================
+ Hits        56214    56226   +12     
+ Misses       4736     4734    -2     
+ Partials     2277     2275    -2     
Development

Successfully merging this pull request may close these issues.

Role propagation error due to interdependent roles while adding new nodes

3 participants