Support creating subscriptions as neon_superuser

Sasha Krassovsky · tristan957 · commit 0ff55c5b3965 · 2024-02-06T13:05:52.000-06:00
diff --git a/src/backend/commands/publicationcmds.c b/src/backend/commands/publicationcmds.c
@@ -727,13 +727,6 @@ CheckPubRelationColumnList(char *pubname, List *tables,
 	}
 }
 
-static bool
-is_neon_superuser(void)
-{
-	Oid neon_superuser_oid = get_role_oid("neon_superuser", true /*missing_ok*/);
-	return neon_superuser_oid != InvalidOid && has_privs_of_role(GetUserId(), neon_superuser_oid);
-}
-
 /*
  * Create new publication.
  */
diff --git a/src/backend/commands/subscriptioncmds.c b/src/backend/commands/subscriptioncmds.c
@@ -541,7 +541,7 @@ CreateSubscription(ParseState *pstate, CreateSubscriptionStmt *stmt,
 	if (opts.create_slot)
 		PreventInTransactionBlock(isTopLevel, "CREATE SUBSCRIPTION ... WITH (create_slot = true)");
 
-	if (!superuser())
+	if (!superuser() && !is_neon_superuser())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 				 errmsg("must be superuser to create subscriptions")));
@@ -1666,7 +1666,7 @@ AlterSubscriptionOwner_internal(Relation rel, HeapTuple tup, Oid newOwnerId)
 					   NameStr(form->subname));
 
 	/* New owner must be a superuser */
-	if (!superuser_arg(newOwnerId))
+	if (!superuser_arg(newOwnerId) && !is_neon_superuser_arg(newOwnerId))
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 				 errmsg("permission denied to change owner of subscription \"%s\"",
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
@@ -117,6 +117,18 @@ static AclResult pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode);
 
 static void RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue);
 
+bool
+is_neon_superuser(void)
+{
+	return is_neon_superuser_arg(GetUserId());
+}
+
+bool
+is_neon_superuser_arg(Oid roleid)
+{
+	Oid neon_superuser_oid = get_role_oid("neon_superuser", true /*missing_ok*/);
+	return neon_superuser_oid != InvalidOid && has_privs_of_role(roleid, neon_superuser_oid);
+}
 
 /*
  * getid
diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h
@@ -373,6 +373,10 @@ extern void SetCurrentRoleId(Oid roleid, bool is_superuser);
 extern bool superuser(void);	/* current user is superuser */
 extern bool superuser_arg(Oid roleid);	/* given user is superuser */
 
+/* in utils/adt/acl.c */
+extern bool is_neon_superuser(void); /* current user is neon_superuser */
+extern bool is_neon_superuser_arg(Oid roleid); /* given user is neon_superuser */
+
 
 /*****************************************************************************
  *	  pmod.h --																 *

Original file line number	Diff line number	Diff line change
`@@ -727,13 +727,6 @@ CheckPubRelationColumnList(char pubname, List tables,`
`727`	`727`	`}`
`728`	`728`	`}`
`729`	`729`
`730`		`-static bool`
`731`		`-is_neon_superuser(void)`
`732`		`-{`
`733`		`- Oid neon_superuser_oid = get_role_oid("neon_superuser", true /missing_ok/);`
`734`		`- return neon_superuser_oid != InvalidOid && has_privs_of_role(GetUserId(), neon_superuser_oid);`
`735`		`-}`
`736`		`-`
`737`	`730`	`/*`
`738`	`731`	`* Create new publication.`
`739`	`732`	`*/`