Alena0704 commented on code in PR #1804:
URL: https://github.com/apache/cloudberry/pull/1804#discussion_r3353888997


##########
src/backend/commands/resgroupcmds.c:
##########
@@ -375,11 +391,22 @@ AlterResourceGroup(AlterResourceGroupStmt *stmt)
        ResourceGroupCallbackContext    *callbackCtx;
        MemoryContext oldContext;
 
-       /* Permission check - only superuser can alter resource groups. */
-       if (!superuser())
+       /*
+        * Permission check - superusers and members of the predefined role
+        * pg_manage_resource_groups can alter resource groups.
+        */
+       if (!has_privs_of_role(GetUserId(), ROLE_PG_MANAGE_RESOURCE_GROUPS))
+               ereport(ERROR,
+                               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+                                errmsg("permission denied to alter resource 
group \"%s\"", stmt->name),
+                                errhint("Must be superuser or have privileges 
of the pg_manage_resource_groups role.")));
+
+       /* The system admin_group can only be altered by a superuser. */
+       if (!superuser() && (strcmp(stmt->name, "admin_group") == 0))
                ereport(ERROR,

Review Comment:
   I think we should compare it with admin_group and default_group too. because 
the first one is a default group for superuser sessions and default_group 
contains system roles without superuser privileges.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to