Alena0704 commented on code in PR #1804:
URL: https://github.com/apache/cloudberry/pull/1804#discussion_r3356847579
##########
src/backend/commands/resgroupcmds.c:
##########
@@ -375,11 +391,22 @@ AlterResourceGroup(AlterResourceGroupStmt *stmt)
ResourceGroupCallbackContext *callbackCtx;
MemoryContext oldContext;
- /* Permission check - only superuser can alter resource groups. */
- if (!superuser())
+ /*
+ * Permission check - superusers and members of the predefined role
+ * pg_manage_resource_groups can alter resource groups.
+ */
+ if (!has_privs_of_role(GetUserId(), ROLE_PG_MANAGE_RESOURCE_GROUPS))
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("permission denied to alter resource
group \"%s\"", stmt->name),
+ errhint("Must be superuser or have privileges
of the pg_manage_resource_groups role.")));
+
+ /* The system admin_group can only be altered by a superuser. */
+ if (!superuser() && (strcmp(stmt->name, "admin_group") == 0))
ereport(ERROR,
Review Comment:
I have added the check only for system and admin groups here. Only here
super roles can be found. I save this check only for alter operation. For drop
operation it still compares with ‘mdb_admin’ to avoid unnecessary scanning
catalog to find particular record to delete it - you can notice it checks the
same.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]