Skip to content

Role mdb_superuser: feature and regress testsing #5

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 30, 2025
Merged

Role mdb_superuser: feature and regress testsing #5

merged 1 commit into from
Sep 30, 2025

Conversation

reshke
Copy link

@reshke reshke commented Sep 23, 2025

This commit introduces new mdb internal role mdb_superuser.

Role is capaple of:

GRANT/REVOKE any set of priviledges to/from any object in database. Has power of pg_database_owner in any database, including: DROP any object in database (except system catalog and stuff)

Role is NOT capaple of:

Create database, role, extension or alter other roles with such priviledges.

Transfer ownership to /pass has_priv of roles:

PG_READ_ALL_DATA
PG_WRITE_ALL_DATA
PG_EXECUTE_SERVER_PROGRAM
PG_READ_SERVER_FILES
PG_WRITE_SERVER_FILES
PG_DATABASE_OWNER

Fix configure.ac USE_MDBLOCALES option handling

Apply autoreconf stuff

Set missing ok parameter ito true while acquiring mdb_superuser oid

In regress tests, nobody creates mdb_superuser role, so missing ok is fine

Allow mdb_superuser to have power of pg_database_owner

Allow mdb_superuser to alter objects and grant ACl to objects, owner by pg_database_owner. Also, when acl check, allow mdb_supersuer use pg_database_owner role power to pass check

Fixes #ISSUE_Number

What does this PR do?

Type of Change

  • Bug fix (non-breaking change)
  • New feature (non-breaking change)
  • Breaking change (fix or feature with breaking changes)
  • Documentation update

Breaking Changes

Test Plan

  • Unit tests added/updated
  • Integration tests added/updated
  • Passed make installcheck
  • Passed make -C src/test installcheck-cbdb-parallel

Impact

Performance:

User-facing changes:

Dependencies:

Checklist

Additional Context

CI Skip Instructions

@reshke
Role mdb_superuser: feature and regress testsing
2d0f2a0 
This commit introduces new mdb internal role mdb_superuser.

Role is capaple of:

GRANT/REVOKE any set of priviledges to/from any object in database.
Has power of pg_database_owner in any database, including:
DROP any object in database (except system catalog and stuff)

Role is NOT capaple of:

Create database, role, extension or alter other roles with such
priviledges.

Transfer ownership to /pass has_priv of roles:

PG_READ_ALL_DATA
PG_WRITE_ALL_DATA
PG_EXECUTE_SERVER_PROGRAM
PG_READ_SERVER_FILES
PG_WRITE_SERVER_FILES
PG_DATABASE_OWNER

Fix configure.ac USE_MDBLOCALES option handling

Apply autoreconf stuff

Set missing ok parameter ito true while acquiring mdb_superuser oid

In regress tests, nobody creates mdb_superuser role, so missing ok is
fine

Allow mdb_superuser to have power of pg_database_owner

Allow mdb_superuser to alter objects and grant ACl to
objects, owner by pg_database_owner. Also, when acl check,
allow mdb_supersuer use pg_database_owner role power to pass check
x4m
x4m reviewed Sep 24, 2025
View reviewed changes
src/backend/commands/functioncmds.c
if (isLeakProof && !superuser())
{
Oid role = get_role_oid("mdb_admin", true);
Oid role = get_role_oid("mdb_admin", true /*if nodoby created mdb_admin role in this database*/);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nobody?

@leborchuk leborchuk merged commit ea9e36f into main Sep 30, 2025
26 of 28 checks passed
leborchuk pushed a commit that referenced this pull request Sep 30, 2025
@reshke
Role mdb_superuser: feature and regress testsing (#5)
9322cd4 
This commit introduces new mdb internal role mdb_superuser.

Role is capaple of:

GRANT/REVOKE any set of priviledges to/from any object in database.
Has power of pg_database_owner in any database, including:
DROP any object in database (except system catalog and stuff)

Role is NOT capaple of:

Create database, role, extension or alter other roles with such
priviledges.

Transfer ownership to /pass has_priv of roles:

PG_READ_ALL_DATA
PG_WRITE_ALL_DATA
PG_EXECUTE_SERVER_PROGRAM
PG_READ_SERVER_FILES
PG_WRITE_SERVER_FILES
PG_DATABASE_OWNER

Fix configure.ac USE_MDBLOCALES option handling

Apply autoreconf stuff

Set missing ok parameter ito true while acquiring mdb_superuser oid

In regress tests, nobody creates mdb_superuser role, so missing ok is
fine

Allow mdb_superuser to have power of pg_database_owner

Allow mdb_superuser to alter objects and grant ACl to
objects, owner by pg_database_owner. Also, when acl check,
allow mdb_supersuer use pg_database_owner role power to pass check
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@x4m x4m x4m left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@reshke @x4m @leborchuk