Alena0704 commented on code in PR #1804:
URL: https://github.com/apache/cloudberry/pull/1804#discussion_r3356847579


##########
src/backend/commands/resgroupcmds.c:
##########
@@ -375,11 +391,22 @@ AlterResourceGroup(AlterResourceGroupStmt *stmt)
        ResourceGroupCallbackContext    *callbackCtx;
        MemoryContext oldContext;
 
-       /* Permission check - only superuser can alter resource groups. */
-       if (!superuser())
+       /*
+        * Permission check - superusers and members of the predefined role
+        * pg_manage_resource_groups can alter resource groups.
+        */
+       if (!has_privs_of_role(GetUserId(), ROLE_PG_MANAGE_RESOURCE_GROUPS))
+               ereport(ERROR,
+                               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+                                errmsg("permission denied to alter resource 
group \"%s\"", stmt->name),
+                                errhint("Must be superuser or have privileges 
of the pg_manage_resource_groups role.")));
+
+       /* The system admin_group can only be altered by a superuser. */
+       if (!superuser() && (strcmp(stmt->name, "admin_group") == 0))
                ereport(ERROR,

Review Comment:
   I have added the check only for system and admin groups here. Only here 
super roles can be found. I save this check only for alter operation. For drop 
operation it still compares with ‘mdb_admin’ to avoid unnecessary scanning 
catalog to find particular record to delete it - you can notice it checks the 
same.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to