Let mdb_admin manage resource groups

[Alena0704]

Let mdb_admin manage resource groups
In Greenplum/Cloudberry only a superuser may CREATE/ALTER/DROP resource
groups. In managed-service deployments superuser is never handed to
the client, so a cloud admin has no way to tune their own CPU/memory
limits.

The upstream-shaped fix is a predefined role pinned in pg_authid.dat.
That is correct for master, but a new bootstrap catalog entry bumps
CATALOG_VERSION_NO and thus needs a fresh initdb / gpupgrade.
We must be able to grant this capability between minor versions.

So instead of pinning an OID, gate the four entry points on membership
of the mdb_admin role, resolved by name at runtime:

role = get_role_oid("mdb_admin", true);
if (!is_member_of_role(GetUserId(), role))
    ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), ...));

mdb_admin is an ordinary role created by the control plane with a plain
CREATE ROLE, not a built-in catalog role. If the role does not exist,
get_role_oid returns InvalidOid, so on a stock cluster only superusers
pass the check and nothing changes. The capability is enabled only
where the control plane creates the role.

admin_group stays superuser-only for ALTER/DROP: it is infrastructure,
not a user-tunable group.

This commit is adapted from open-gpdb/gpdb commit 3ac99962ad2.
Some tests are added from apache/cloudberry PR #1763.

Fixes #ISSUE_Number

What does this PR do?

Type of Change

• Bug fix (non-breaking change)
• New feature (non-breaking change)
• Breaking change (fix or feature with breaking changes)
• Documentation update

Breaking Changes

Test Plan

• Unit tests added/updated
• Integration tests added/updated
• Passed make installcheck
• Passed make -C src/test installcheck-cbdb-parallel

Impact

Performance:

User-facing changes:

Dependencies:

Checklist

• Followed contribution guide
• Added/updated documentation
• Reviewed code for security implications
• This PR contains AI-assisted code generation
• Requested review from cloudberry committers

Additional Context

CI Skip Instructions

---

[my-ship-it]

Can ROLE_PG_MANAGE_RESOURCE_GROUPS be dropped? If dropped, we cannot create it again.

[Alena0704]

We can't drop this role. This function checks it:

/* This case can be dispatched quickly */
	if (IsPinnedObject(classId, objectId))
	{
		object.classId = classId;
		object.objectId = objectId;
		object.objectSubId = 0;
		ereport(ERROR,
				(errcode(ERRCODE_DEPENDENT_OBJECTS_STILL_EXIST),
				 errmsg("cannot drop %s because it is required by the database system",
						getObjectDescription(&object, false))));
	}

src/backend/catalog/pg_shdepend.c:654

[my-ship-it]

We change catalog here, but for 2X_STABLE, we suppose not.

[Alena0704]

Yes, agree and because of this I'm going to return to this solution #1763 but I will save tests that I have added before here. But I will take into account your current suggestions here #1795

[my-ship-it]

Yes, agree and because of this I'm going to return to this solution #1763 but I will save tests that I have added before here. But I will take into account your current suggestions here #1795

Got it, thanks for the explaination.

[my-ship-it]

Should we also protect SYSTEMRESGROUP_OID?

[Alena0704]

I think we should compare it with admin_group and default_group too. because the first one is a default group for superuser sessions and default_group contains system roles without superuser privileges.

[Alena0704]

I rewrote the patch completely because a new bootstrap catalog entry bumps CATALOG_VERSION_NO and incompatible with minor gpupgrade - I adapted the commit from open-gpdb 3ac99962ad2 and added my tests.