Add pg_checkpointer predefined role for CHECKPOINT command.

Any user with the privileges of pg_checkpointer can issue a CHECKPOINT
command.

Reviewed-by: Stephen Frost
Discussion: https://postgr.es/m/67a1d667e8ec228b5e07f232184c80348c5d93f4.camel%40j-davis.com
Jeff Davis 2021-11-09 10:59:08 -08:00
parent b66767b56b
commit 4168a47454
5 changed files with 18 additions and 4 deletions


@ -52,7 +52,9 @@ CHECKPOINT
</para> </para>
<para> <para>
Only superusers can call <command>CHECKPOINT</command>. Only superusers or users with the privileges of
the <link linkend="predefined-roles-table"><literal>pg_checkpointer</literal></link>
role can call <command>CHECKPOINT</command>.
</para> </para>
</refsect1> </refsect1>


@ -582,6 +582,12 @@ DROP ROLE doomed_role;
<entry>Allow executing programs on the database server as the user the database runs as with <entry>Allow executing programs on the database server as the user the database runs as with
COPY and other functions which allow executing a server-side program.</entry> COPY and other functions which allow executing a server-side program.</entry>
</row> </row>
<row>
<entry>pg_checkpointer</entry>
<entry>Allow executing
the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link>
command.</entry>
</row>
</tbody> </tbody>
</tgroup> </tgroup>
</table> </table>


@ -24,6 +24,7 @@
#include "catalog/catalog.h" #include "catalog/catalog.h"
#include "catalog/index.h" #include "catalog/index.h"
#include "catalog/namespace.h" #include "catalog/namespace.h"
#include "catalog/pg_authid.h"
#include "catalog/pg_inherits.h" #include "catalog/pg_inherits.h"
#include "catalog/toasting.h" #include "catalog/toasting.h"
#include "commands/alter.h" #include "commands/alter.h"
@ -939,10 +940,10 @@ standard_ProcessUtility(PlannedStmt *pstmt,
break; break;
case T_CheckPointStmt: case T_CheckPointStmt:
if (!superuser()) if (!has_privs_of_role(GetUserId(), ROLE_PG_CHECKPOINTER))
ereport(ERROR, ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be superuser to do CHECKPOINT"))); errmsg("must be superuser or have privileges of pg_checkpointer to do CHECKPOINT")));
RequestCheckpoint(CHECKPOINT_IMMEDIATE | CHECKPOINT_WAIT | RequestCheckpoint(CHECKPOINT_IMMEDIATE | CHECKPOINT_WAIT |
(RecoveryInProgress() ? 0 : CHECKPOINT_FORCE)); (RecoveryInProgress() ? 0 : CHECKPOINT_FORCE));
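Review bot: The `T_CheckPointStmt` branch drops the explicit `superuser()` test without recording why that is safe; a one-line comment above the `if`, e.g. `/* has_privs_of_role() returns true for superusers, so no separate superuser() test is needed */`, would stop a later reader from re-adding it or from assuming superusers now need an explicit grant. The case sits inside standard_ProcessUtility, whose body starts and ends outside this hunk. Because the request is still issued with `CHECKPOINT_IMMEDIATE | CHECKPOINT_WAIT` (plus `CHECKPOINT_FORCE` outside recovery), membership in pg_checkpointer lets a non-superuser force full-speed checkpoint I/O on demand, so the role's documentation should say that grants are availability-sensitive and worth auditing. None of the five changed files on this page looks like a regression test; a test that a role without pg_checkpointer receives `ERRCODE_INSUFFICIENT_PRIVILEGE` while a member succeeds would pin the new check.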


@ -53,6 +53,6 @@
*/ */
/* yyyymmddN */ /* yyyymmddN */
#define CATALOG_VERSION_NO 202110272 #define CATALOG_VERSION_NO 202111091
#endif #endif


@ -79,5 +79,10 @@
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f', rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1', rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' }, rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '4544', oid_symbol => 'ROLE_PG_CHECKPOINTER',
rolname => 'pg_checkpointer', rolsuper => 'f', rolinherit => 't',
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' },
] ]