mirror of
https://github.com/postgres/postgres.git
synced 2025-07-27 12:41:57 +03:00
Provide non-superuser predefined roles for vacuum and analyze
This provides two new predefined roles: pg_vacuum_all_tables and pg_analyze_all_tables. Roles which have been granted these roles can perform vacuum or analyse respectively on any or all tables as if they were a superuser. This removes the need to grant superuser privilege to roles just so they can perform vacuum and/or analyze. Nathan Bossart Reviewed by: Bharath Rupireddy, Kyotaro Horiguchi, Stephen Frost, Robert Haas, Mark Dilger, Tom Lane, Corey Huinker, David G. Johnston, Michael Paquier. Discussion: https://postgr.es/m/20220722203735.GB3996698@nathanxps13
This commit is contained in:
@ -148,12 +148,16 @@ ANALYZE [ VERBOSE ] [ <replaceable class="parameter">table_and_columns</replacea
|
||||
<title>Notes</title>
|
||||
|
||||
<para>
|
||||
To analyze a table, one must ordinarily be the table's owner or a
|
||||
superuser or have the <literal>ANALYZE</literal> privilege on the table.
|
||||
To analyze a table, one must ordinarily have the <literal>ANALYZE</literal>
|
||||
privilege on the table or be the table's owner, a superuser, or a role with
|
||||
privileges of the
|
||||
<link linkend="predefined-roles-table"><literal>pg_analyze_all_tables</literal></link>
|
||||
role.
|
||||
However, database owners are allowed to
|
||||
analyze all tables in their databases, except shared catalogs.
|
||||
(The restriction for shared catalogs means that a true database-wide
|
||||
<command>ANALYZE</command> can only be performed by a superuser.)
|
||||
<command>ANALYZE</command> can only be performed by superusers and roles
|
||||
with privileges of <literal>pg_analyze_all_tables</literal>.)
|
||||
<command>ANALYZE</command> will skip over any tables that the calling user
|
||||
does not have permission to analyze.
|
||||
</para>
|
||||
|
@ -356,12 +356,16 @@ VACUUM [ FULL ] [ FREEZE ] [ VERBOSE ] [ ANALYZE ] [ <replaceable class="paramet
|
||||
<title>Notes</title>
|
||||
|
||||
<para>
|
||||
To vacuum a table, one must ordinarily be the table's owner or a
|
||||
superuser or have the <literal>VACUUM</literal> privilege on the table.
|
||||
To vacuum a table, one must ordinarily have the <literal>VACUUM</literal>
|
||||
privilege on the table or be the table's owner, a superuser, or a role with
|
||||
privileges of the
|
||||
<link linkend="predefined-roles-table"><literal>pg_vacuum_all_tables</literal></link>
|
||||
role.
|
||||
However, database owners are allowed to
|
||||
vacuum all tables in their databases, except shared catalogs.
|
||||
(The restriction for shared catalogs means that a true database-wide
|
||||
<command>VACUUM</command> can only be performed by a superuser.)
|
||||
<command>VACUUM</command> can only be performed by superusers and roles
|
||||
with privileges of <literal>pg_vacuum_all_tables</literal>.)
|
||||
<command>VACUUM</command> will skip over any tables that the calling user
|
||||
does not have permission to vacuum.
|
||||
</para>
|
||||
|
@ -635,6 +635,18 @@ DROP ROLE doomed_role;
|
||||
the <link linkend="sql-checkpoint"><command>CHECKPOINT</command></link>
|
||||
command.</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>pg_vacuum_all_tables</entry>
|
||||
<entry>Allow executing the
|
||||
<link linkend="sql-vacuum"><command>VACUUM</command></link> command on
|
||||
all tables.</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>pg_analyze_all_tables</entry>
|
||||
<entry>Allow executing the
|
||||
<link linkend="sql-analyze"><command>ANALYZE</command></link> command on
|
||||
all tables.</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
</table>
|
||||
|
Reference in New Issue
Block a user