mirror of
https://github.com/EnterpriseDB/repmgr.git
synced 2026-03-22 22:56:29 +00:00
f69485c0ba
* Added check for pg_checkpoint role presence This commit provides the needed infrastructure in `repmgr` so if the `repmgr` database user is a member of the `pg_checkpoint` role, and inherits its privileges, there is no need for such a user to be a superuser. Co-authored-by: Martín Marqués <martin.marques@enterprisedb.com>
201 lines
9.6 KiB
XML
201 lines
9.6 KiB
XML
<sect1 id="configuration-permissions" xreflabel="Database user permissions">
|
|
<title>repmgr database user permissions</title>
|
|
|
|
<indexterm>
|
|
<primary>configuration</primary>
|
|
<secondary>database user permissions</secondary>
|
|
</indexterm>
|
|
|
|
<para>
|
|
If the &repmgr; database user (the PostgreSQL user defined in the
|
|
<varname>conninfo</varname> setting is a superuser, no further user permissions need
|
|
to be granted.
|
|
</para>
|
|
|
|
<sect2 id="configuration-permissions-no-superuser" xreflabel="Non-super user permissions">
|
|
<title>repmgr user as a non-superuser</title>
|
|
<para>
|
|
In principle the &repmgr; database user does not need to be a superuser.
|
|
In this case the &repmgr; will need to be granted execution permissions on certain
|
|
functions, and membership of certain roles. However be aware that &repmgr; does
|
|
expect to be able to execute certain commands which are restricted to superusers;
|
|
in this case either a superuser must be specified with the <option>-S</option>/<option>--superuser</option>
|
|
(where available) option, or the corresponding action should be executed manually as a superuser.
|
|
</para>
|
|
<para>
|
|
The following sections describe the actions needed to use &repmgr; with a non-superuser,
|
|
and relevant caveats.
|
|
</para>
|
|
<sect3 id="configuration-permissions-replication" xreflabel="Replication role">
|
|
<title>Replication role</title>
|
|
<para>
|
|
&repmgr; requires a database user with the <literal>REPLICATION</literal> role
|
|
to be able to create a replication connection and (if configured) to administer
|
|
replication slots.
|
|
</para>
|
|
<para>
|
|
By default this is the database user defined in the <varname>conninfo</varname>
|
|
setting. This user can be:
|
|
<itemizedlist spacing="compact" mark="bullet">
|
|
<listitem>
|
|
<simpara>
|
|
a superuser
|
|
</simpara>
|
|
</listitem>
|
|
<listitem>
|
|
<simpara>
|
|
a non-superuser with the <literal>REPLICATION</literal> role
|
|
</simpara>
|
|
</listitem>
|
|
<listitem>
|
|
<simpara>
|
|
another user defined in the <filename>repmgr.conf</filename> parameter <varname>replication_user</varname> with the <literal>REPLICATION</literal> role
|
|
</simpara>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</sect3>
|
|
|
|
<sect3 id="configuration-permissions-roles" xreflabel="Database roles for non-superusers">
|
|
<title>Database roles</title>
|
|
<para>
|
|
A non-superuser &repmgr; database user should be a member of the following
|
|
<ulink url="https://www.postgresql.org/docs/current/predefined-roles.html">predefined roles</ulink>
|
|
(PostgreSQL 10 and later):
|
|
<itemizedlist spacing="compact" mark="bullet">
|
|
<listitem>
|
|
<simpara>
|
|
<varname>pg_read_all_stats</varname>
|
|
(to read the <varname>status</varname> column of <literal>pg_stat_replication</literal>
|
|
and execute <function>pg_database_size()</function> on all databases)
|
|
</simpara>
|
|
</listitem>
|
|
<listitem>
|
|
<simpara>
|
|
<varname>pg_read_all_settings</varname> (to access the <varname>data_directory</varname> setting)
|
|
</simpara>
|
|
</listitem>
|
|
</itemizedlist>
|
|
Alternatively the meta-role <varname>pg_monitor</varname> can be granted, which includes membership
|
|
of the above predefined roles.
|
|
</para>
|
|
<para>
|
|
PostgreSQL 15 introduced the <varname>pg_checkpoint</varname> predefined role which allows a
|
|
non-superuser &repmgr; database user to perform a CHECKPOINT command.
|
|
</para>
|
|
<para>
|
|
Membership of these roles can be granted with e.g. <command>GRANT pg_read_all_stats TO repmgr</command>.
|
|
</para>
|
|
<para>
|
|
Users of PostgreSQL 9.6 or earlier should upgrade to a supported PostgreSQL version, or provide
|
|
the <option>-S</option>/<option>--superuser</option> where available.
|
|
</para>
|
|
</sect3>
|
|
|
|
<sect3 id="configuration-permissions-extension" xreflabel="Extension creation">
|
|
<title>Extension creation</title>
|
|
<para>
|
|
&repmgr; requires that the database defined in the <varname>conninfo</varname>
|
|
setting contains the <literal>repmgr</literal> extension. The database user defined in the
|
|
<varname>conninfo</varname> setting must be able to access this database and
|
|
the database objects contained within the extension.
|
|
</para>
|
|
<para>
|
|
The <literal>repmgr</literal> extension can only be installed by a superuser.
|
|
If the &repmgr; user is a superuser, &repmgr; will create the extension automatically.
|
|
</para>
|
|
|
|
<para>
|
|
Alternatively, the extension can be created manually by a superuser
|
|
(with "<command>CREATE EXTENSION repmgr</command>") before executing
|
|
<link linkend="repmgr-primary-register">repmgr primary register</link>.
|
|
</para>
|
|
</sect3>
|
|
|
|
|
|
<sect3 id="configuration-permissions-functions" xreflabel="Function permissions for non-superusers">
|
|
<title>Function permissions</title>
|
|
<para>
|
|
If the &repmgr; database user is not a superuser, <literal>EXECUTE</literal> permission should be
|
|
granted on the following function:
|
|
<itemizedlist spacing="compact" mark="bullet">
|
|
<listitem>
|
|
<simpara>
|
|
<function>pg_wal_replay_resume()</function> (required by &repmgrd; during failover operations;
|
|
if permission is not granted, the failoved process may not function reliably if a node
|
|
has WAL replay paused)
|
|
</simpara>
|
|
</listitem>
|
|
<listitem>
|
|
<simpara>
|
|
<function>pg_promote()</function> (PostgreSQL 12 and later; if permission is not granted,
|
|
&repmgr; will fall back to <command>pg_ctl promote</command>)
|
|
</simpara>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
<para>
|
|
<literal>EXECUTE</literal> permission on functions can be granted with e.g.:
|
|
<command>GRANT EXECUTE ON FUNCTION pg_catalog.pg_wal_replay_resume() TO repmgr</command>.
|
|
</para>
|
|
</sect3>
|
|
|
|
<sect3 id="configuration-permissions-superuser-required" xreflabel="repmgr actions requiring a superuser">
|
|
<title>repmgr actions requiring a superuser</title>
|
|
<para>
|
|
In some circumstances, &repmgr; may need to perform an operation which cannot be delegated to a
|
|
non-superuser.
|
|
<itemizedlist spacing="compact" mark="bullet">
|
|
<listitem>
|
|
<simpara>
|
|
The <command>CHECKPOINT</command> command is executed by
|
|
<link linkend="repmgr-standby-switchover">repmgr standby switchover</link>. This can only
|
|
be executed by a superuser; if the &repmgr; user is not a superuser,
|
|
the <option>-S</option>/<option>--superuser</option> should be used.
|
|
From PostgreSQL 15 the <varname>pg_checkpoint</varname> predefined role removes the need of
|
|
superuser permissions to perform <command>CHECKPOINT</command> command.
|
|
</simpara>
|
|
<simpara>
|
|
If &repmgr; is not able to execute <command>CHECKPOINT</command>,
|
|
there is a risk that the demotion candidate may not be able to shut down as smoothly as might otherwise
|
|
have been the case.
|
|
</simpara>
|
|
</listitem>
|
|
<listitem>
|
|
<simpara>
|
|
The <command>ALTER SYSTEM</command> is executed by &repmgrd; if
|
|
<varname>standby_disconnect_on_failover</varname> is set to <literal>true</literal> in
|
|
<filename>repmgr.conf</filename>. Until PostgreSQL 14 <command>ALTER SYSTEM</command> can only be executed by
|
|
a superuser; if the &repmgr; user is not a superuser, this functionality will not be available.
|
|
From PostgreSQL 15 a specific ALTER SYSTEM privilege can be granted with e.g.
|
|
<command>GRANT ALTER SYSTEM ON PARAMETER wal_retrieve_retry_interval TO repmgr</command>.
|
|
</simpara>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</sect3>
|
|
|
|
<sect3 id="configuration-permissions-superuser-option" xreflabel="repmgr commands with --superuser option">
|
|
<title>repmgr commands with --superuser option</title>
|
|
<para>
|
|
The following repmgr commands provide the <option>-S</option>/<option>--superuser</option> option:
|
|
<itemizedlist spacing="compact" mark="bullet">
|
|
<listitem>
|
|
<simpara><link linkend="repmgr-standby-clone">repmgr standby clone</link> (to be able to copy configuration files outside of the data directory if <option>--copy-external-config-files</option> provided)</simpara>
|
|
</listitem>
|
|
<listitem>
|
|
<simpara><link linkend="repmgr-standby-switchover">repmgr standby switchover</link> (to execute <command>CHECKPOINT</command>)</simpara>
|
|
</listitem>
|
|
<listitem>
|
|
<simpara><link linkend="repmgr-node-check">repmgr node check</link> (to execute <command>repmgr node check --data-directory-config</command>; note this is also called by <link linkend="repmgr-standby-switchover">repmgr standby switchover</link>)</simpara>
|
|
</listitem>
|
|
<listitem>
|
|
<simpara><link linkend="repmgr-node-service">repmgr node service</link> (to execute <command>CHECKPOINT</command> via the <option>--checkpoint</option>; note this is also called by <link linkend="repmgr-standby-switchover">repmgr standby switchover</link>)</simpara>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</para>
|
|
</sect3>
|
|
|
|
</sect2>
|
|
</sect1>
|