Added check for pg_checkpoint role presence (#807)

* Added check for pg_checkpoint role presence This commit provides the needed infrastructure in `repmgr` so if the `repmgr` database user is a member of the `pg_checkpoint` role, and inherits its privileges, there is no need for such a user to be a superuser. Co-authored-by: Martín Marqués <martin.marques@enterprisedb.com>
2026-03-22 22:56:29 +00:00 · 2024-09-11 20:13:44 +02:00
parent b4a0938081
commit f69485c0ba
7 changed files with 82 additions and 9 deletions
--- a/doc/configuration-permissions.xml
+++ b/doc/configuration-permissions.xml
@@ -79,6 +79,10 @@
        Alternatively the meta-role <varname>pg_monitor</varname> can be granted, which includes membership
        of the above predefined roles.
      </para>
+      <para>
+        PostgreSQL 15 introduced the <varname>pg_checkpoint</varname> predefined role which allows a 
+        non-superuser &repmgr; database user to perform a CHECKPOINT command.
+      </para>
      <para>
        Membership of these roles can be granted with e.g. <command>GRANT pg_read_all_stats TO repmgr</command>.
      </para>
@@ -148,6 +152,8 @@
              <link linkend="repmgr-standby-switchover">repmgr standby switchover</link>. This can only
              be executed by a superuser; if the &repmgr; user is not a superuser,
              the <option>-S</option>/<option>--superuser</option> should be used.
+              From PostgreSQL 15 the <varname>pg_checkpoint</varname> predefined role removes the need of
+              superuser permissions to perform <command>CHECKPOINT</command> command.
            </simpara>
            <simpara>
              If &repmgr; is not able to execute <command>CHECKPOINT</command>,
--- a/doc/repmgr-node-service.xml
+++ b/doc/repmgr-node-service.xml
@@ -77,7 +77,8 @@
          </para>
          <para>
            Note that a superuser connection is required to be able to execute the
-             <command>CHECKPOINT</command> command.
+            <command>CHECKPOINT</command> command. From PostgreSQL 15 the <varname>pg_checkpoint</varname>
+            predefined role removes the need for superuser permissions to perform <command>CHECKPOINT</command> command.
          </para>
        </listitem>
     </varlistentry>
--- a/doc/repmgr-standby-switchover.xml
+++ b/doc/repmgr-standby-switchover.xml
@@ -79,7 +79,8 @@
    <para>
      Note that <command>CHECKPOINT</command> requires database superuser permissions to execute.
      If the <literal>repmgr</literal> user is not a superuser, the name of a superuser should be
-      provided with the <option>-S</option>/<option>--superuser</option> option.
+      provided with the <option>-S</option>/<option>--superuser</option> option. From PostgreSQL 15 the <varname>pg_checkpoint</varname>
+      predefined role removes the need for superuser permissions to perform <command>CHECKPOINT</command> command.
    </para>
    <para>
      If &repmgr; is unable to execute the <command>CHECKPOINT</command> command, the switchover