Support creating subscriptions as neon_superuser

neondatabase · Feb 6, 2024 · 0ff55c5 · 0ff55c5
1 parent 8d18a8d
commit 0ff55c5
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 9 deletions.
diff --git a/src/backend/commands/publicationcmds.c b/src/backend/commands/publicationcmds.c
@@ -727,13 +727,6 @@ CheckPubRelationColumnList(char *pubname, List *tables,
 	}
 }
 
-static bool
-is_neon_superuser(void)
-{
-	Oid neon_superuser_oid = get_role_oid("neon_superuser", true /*missing_ok*/);
-	return neon_superuser_oid != InvalidOid && has_privs_of_role(GetUserId(), neon_superuser_oid);
-}
-
 /*
  * Create new publication.
  */

diff --git a/src/backend/commands/subscriptioncmds.c b/src/backend/commands/subscriptioncmds.c
@@ -541,7 +541,7 @@ CreateSubscription(ParseState *pstate, CreateSubscriptionStmt *stmt,
 	if (opts.create_slot)
 		PreventInTransactionBlock(isTopLevel, "CREATE SUBSCRIPTION ... WITH (create_slot = true)");
 
-	if (!superuser())
+	if (!superuser() && !is_neon_superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 				 errmsg("must be superuser to create subscriptions")));
@@ -1666,7 +1666,7 @@ AlterSubscriptionOwner_internal(Relation rel, HeapTuple tup, Oid newOwnerId)
 					   NameStr(form->subname));
 
 	/* New owner must be a superuser */
-	if (!superuser_arg(newOwnerId))
+	if (!superuser_arg(newOwnerId) && !is_neon_superuser_arg(newOwnerId))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 				 errmsg("permission denied to change owner of subscription \"%s\"",

diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
@@ -117,6 +117,18 @@ static AclResult pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode);
 
 static void RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue);
 
+bool
+is_neon_superuser(void)
+{
+	return is_neon_superuser_arg(GetUserId());
+}
+
+bool
+is_neon_superuser_arg(Oid roleid)
+{
+	Oid neon_superuser_oid = get_role_oid("neon_superuser", true /*missing_ok*/);
+	return neon_superuser_oid != InvalidOid && has_privs_of_role(roleid, neon_superuser_oid);
+}
 
 /*
  * getid

diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h
@@ -373,6 +373,10 @@ extern void SetCurrentRoleId(Oid roleid, bool is_superuser);
 extern bool superuser(void);	/* current user is superuser */
 extern bool superuser_arg(Oid roleid);	/* given user is superuser */
 
+/* in utils/adt/acl.c */
+extern bool is_neon_superuser(void); /* current user is neon_superuser */
+extern bool is_neon_superuser_arg(Oid roleid); /* given user is neon_superuser */
+
 
 /*****************************************************************************
  *	  pmod.h --																 *