From 4441fc704d7048b2f1f039cc74b72bd23e7e36d0 Mon Sep 17 00:00:00 2001 From: Andrew Dunstan Date: Mon, 28 Nov 2022 11:57:28 -0500 Subject: Provide non-superuser predefined roles for vacuum and analyze This provides two new predefined roles: pg_vacuum_all_tables and pg_analyze_all_tables. Roles which have been granted these roles can perform vacuum or analyse respectively on any or all tables as if they were a superuser. This removes the need to grant superuser privilege to roles just so they can perform vacuum and/or analyze. Nathan Bossart Reviewed by: Bharath Rupireddy, Kyotaro Horiguchi, Stephen Frost, Robert Haas, Mark Dilger, Tom Lane, Corey Huinker, David G. Johnston, Michael Paquier. Discussion: https://postgr.es/m/20220722203735.GB3996698@nathanxps13 --- doc/src/sgml/ref/analyze.sgml | 10 +++++++--- doc/src/sgml/ref/vacuum.sgml | 10 +++++++--- doc/src/sgml/user-manag.sgml | 12 ++++++++++++ 3 files changed, 26 insertions(+), 6 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/ref/analyze.sgml b/doc/src/sgml/ref/analyze.sgml index 400ea30cd0..16c0b886fd 100644 --- a/doc/src/sgml/ref/analyze.sgml +++ b/doc/src/sgml/ref/analyze.sgml @@ -148,12 +148,16 @@ ANALYZE [ VERBOSE ] [ table_and_columnsNotes - To analyze a table, one must ordinarily be the table's owner or a - superuser or have the ANALYZE privilege on the table. + To analyze a table, one must ordinarily have the ANALYZE + privilege on the table or be the table's owner, a superuser, or a role with + privileges of the + pg_analyze_all_tables + role. However, database owners are allowed to analyze all tables in their databases, except shared catalogs. (The restriction for shared catalogs means that a true database-wide - ANALYZE can only be performed by a superuser.) + ANALYZE can only be performed by superusers and roles + with privileges of pg_analyze_all_tables.) ANALYZE will skip over any tables that the calling user does not have permission to analyze. 
diff --git a/doc/src/sgml/ref/vacuum.sgml b/doc/src/sgml/ref/vacuum.sgml index 70c0d81346..9cd880ea34 100644 --- a/doc/src/sgml/ref/vacuum.sgml +++ b/doc/src/sgml/ref/vacuum.sgml @@ -356,12 +356,16 @@ VACUUM [ FULL ] [ FREEZE ] [ VERBOSE ] [ ANALYZE ] [ pg_vacuum_all_tables + role. However, database owners are allowed to vacuum all tables in their databases, except shared catalogs. (The restriction for shared catalogs means that a true database-wide - VACUUM can only be performed by a superuser.) + VACUUM can only be performed by superusers and roles + with privileges of pg_vacuum_all_tables.) VACUUM will skip over any tables that the calling user does not have permission to vacuum. diff --git a/doc/src/sgml/user-manag.sgml b/doc/src/sgml/user-manag.sgml index 601fff3e6b..2bff4e47d0 100644 --- a/doc/src/sgml/user-manag.sgml +++ b/doc/src/sgml/user-manag.sgml @@ -635,6 +635,18 @@ DROP ROLE doomed_role; the CHECKPOINT command. + + pg_vacuum_all_tables + Allow executing the + VACUUM command on + all tables. + + + pg_analyze_all_tables + Allow executing the + ANALYZE command on + all tables. + -- cgit v1.2.3
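Review bot: In the analyze.sgml hunk, the reworded parenthetical says a true database-wide ANALYZE "can only be performed by superusers and roles with privileges of pg_analyze_all_tables", but the first sentence of the same paragraph lists having the ANALYZE privilege on the table as sufficient on its own. As written, the two sentences disagree about a role that holds the ANALYZE privilege on the shared catalogs. Either say that per-table privileges on shared catalogs do not count here, or soften "only" so the parenthetical matches the list above it.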
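Review bot: In the vacuum.sgml hunk, the synopsis in the hunk header includes the [ ANALYZE ] option, yet the new text names only pg_vacuum_all_tables. The page should state what happens when a role with privileges of pg_vacuum_all_tables but not pg_analyze_all_tables runs VACUUM with the ANALYZE option: whether the analyze step is permitted, skipped or rejected. Administrators who split the two roles to keep grants narrow need that answer in the Notes paragraph, next to the sentence about tables being skipped.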
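Review bot: In the user-manag.sgml hunk, the two new table entries describe the roles as allowing the command "on all tables" without saying that this includes shared catalogs, which the analyze.sgml and vacuum.sgml hunks call out as the case that previously required a superuser. Someone deciding on a grant from this table alone cannot see that scope. Suggest extending each description to mention shared catalogs, or pointing to the VACUUM and ANALYZE reference pages for the exact permission rules.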