Add pg_checkpointer predefined role for CHECKPOINT command.
authorJeff Davis
Tue, 9 Nov 2021 18:59:08 +0000 (10:59 -0800)
committerJeff Davis
Wed, 10 Nov 2021 00:59:14 +0000 (16:59 -0800)
Any user with the privileges of pg_checkpointer can issue a CHECKPOINT
command.

Reviewed-by: Stephen Frost
Discussion: https://postgr.es/m/67a1d667e8ec228b5e07f232184c80348c5d93f4.camel%40j-davis.com

doc/src/sgml/ref/checkpoint.sgml
doc/src/sgml/user-manag.sgml
src/backend/tcop/utility.c
src/include/catalog/catversion.h
src/include/catalog/pg_authid.dat

index 2afee6d7b59b55d7f2965aaeeb2acba08477b185..1cebc03d15e0c0852351bf36dc0c651ba52ed8ca 100644 (file)
@@ -52,7 +52,9 @@ CHECKPOINT
   
 
   
-   Only superusers can call CHECKPOINT.
+   Only superusers or users with the privileges of
+   the pg_checkpointer
+   role can call CHECKPOINT.
   
  
 
index afbf67c28cfadbd4280890e240d58dd9e0d964d5..9067be1d9c7811d061ac87923e973ced73480f7c 100644 (file)
@@ -582,6 +582,12 @@ DROP ROLE doomed_role;
        Allow executing programs on the database server as the user the database runs as with
        COPY and other functions which allow executing a server-side program.
       
+      
+       pg_checkpointer
+       Allow executing
+       the CHECKPOINT
+       command.
+      
      
     
    
index bf085aa93b2055012a8adb9f34265c3f91e8133c..1fbc387d471a10cc61f33d65353647bc9ec069fa 100644 (file)
@@ -24,6 +24,7 @@
 #include "catalog/catalog.h"
 #include "catalog/index.h"
 #include "catalog/namespace.h"
+#include "catalog/pg_authid.h"
 #include "catalog/pg_inherits.h"
 #include "catalog/toasting.h"
 #include "commands/alter.h"
@@ -939,10 +940,10 @@ standard_ProcessUtility(PlannedStmt *pstmt,
            break;
 
        case T_CheckPointStmt:
-           if (!superuser())
+           if (!has_privs_of_role(GetUserId(), ROLE_PG_CHECKPOINTER))
                ereport(ERROR,
                        (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
-                        errmsg("must be superuser to do CHECKPOINT")));
+                        errmsg("must be superuser or have privileges of pg_checkpointer to do CHECKPOINT")));
 
            RequestCheckpoint(CHECKPOINT_IMMEDIATE | CHECKPOINT_WAIT |
                              (RecoveryInProgress() ? 0 : CHECKPOINT_FORCE));
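Review bot: The privilege check under `case T_CheckPointStmt` no longer calls `superuser()`, so superuser access now depends on `has_privs_of_role()` treating superusers as holding every role, which this hunk does not show even though the new error message promises it. A one-line comment above the check would record that reliance: `/* has_privs_of_role() is expected to return true for superusers */`. The commit's file list contains no test file, so a regression test would pin the new boundary: a role without pg_checkpointer membership gets ERRCODE_INSUFFICIENT_PRIVILEGE, and a member succeeds. Because the request is still made with `CHECKPOINT_IMMEDIATE | CHECKPOINT_WAIT`, granting the role lets a non-superuser trigger immediate checkpoints on demand and impose I/O load, which the role description in user-manag.sgml should state. `standard_ProcessUtility` begins and ends outside the hunk.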
index 9faf017457adcacf47e664753a368a29edde09fc..49e8e5912907b862e460092c54cbf4820aa7c8d0 100644 (file)
@@ -53,6 +53,6 @@
  */
 
 /*                         yyyymmddN */
-#define CATALOG_VERSION_NO 202110272
+#define CATALOG_VERSION_NO 202111091
 
 #endif
index 3da68016b61ea9e24572f51bfdb6a0f08b541645..9c65174f3c61a715362f72e9946b61e059be975b 100644 (file)
   rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
   rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
   rolpassword => '_null_', rolvaliduntil => '_null_' },
+{ oid => '4544', oid_symbol => 'ROLE_PG_CHECKPOINTER',
+  rolname => 'pg_checkpointer', rolsuper => 'f', rolinherit => 't',
+  rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
+  rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
+  rolpassword => '_null_', rolvaliduntil => '_null_' },
 
 ]