Skip to content

Parametrize neon_superuser via privileged_role_name var #676

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ololobus merged 1 commit into from
Jul 15, 2025
Merged

Parametrize neon_superuser via privileged_role_name var #676

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions src/backend/commands/publicationcmds.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -755,7 +755,7 @@ CreatePublication(ParseState *pstate, CreatePublicationStmt *stmt)
get_database_name(MyDatabaseId));

/* FOR ALL TABLES requires superuser */
if (stmt->for_all_tables && !superuser() && !is_neon_superuser())
if (stmt->for_all_tables && !superuser() && !is_privileged_role())
ereport(ERROR,
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be superuser to create FOR ALL TABLES publication")));
Expand Down Expand Up @@ -826,7 +826,7 @@ CreatePublication(ParseState *pstate, CreatePublicationStmt *stmt)
&schemaidlist);

/* FOR TABLES IN SCHEMA requires superuser */
if (schemaidlist != NIL && !superuser() && !is_neon_superuser())
if (schemaidlist != NIL && !superuser() && !is_privileged_role())
ereport(ERROR,
errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
errmsg("must be superuser to create FOR TABLES IN SCHEMA publication"));
Expand Down
18 changes: 13 additions & 5 deletions src/backend/utils/adt/acl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,17 +123,25 @@ static AclResult pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode);

static void RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue);

char *privileged_role_name;

bool
is_neon_superuser(void)
is_privileged_role(void)
{
return is_neon_superuser_arg(GetUserId());
return is_privileged_role_arg(GetUserId());
}

bool
is_neon_superuser_arg(Oid roleid)
is_privileged_role_arg(Oid roleid)
{
Oid neon_superuser_oid = get_role_oid("neon_superuser", true /*missing_ok*/);
return neon_superuser_oid != InvalidOid && has_privs_of_role(roleid, neon_superuser_oid);
Oid privileged_role_oid;

if (privileged_role_name == NULL)
return false;

privileged_role_oid = get_role_oid(privileged_role_name, true /* missing_ok */);

return privileged_role_oid != InvalidOid && has_privs_of_role(roleid, privileged_role_oid);
}

/*
Expand Down
5 changes: 3 additions & 2 deletions src/include/miscadmin.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -387,8 +387,9 @@ extern bool superuser(void); /* current user is superuser */
extern bool superuser_arg(Oid roleid); /* given user is superuser */

/* in utils/adt/acl.c */
extern bool is_neon_superuser(void); /* current user is neon_superuser */
extern bool is_neon_superuser_arg(Oid roleid); /* given user is neon_superuser */
extern PGDLLIMPORT char *privileged_role_name;
extern bool is_privileged_role(void); /* current user is a privileged role */
extern bool is_privileged_role_arg(Oid roleid); /* given user is a privileged role */

/*****************************************************************************
* pmod.h -- *
Expand Down