Parametrize neon_superuser via privileged_role_name var (#677)

ololobus · MMeent · web-flow · commit 8de764e44b56 · 2025-07-15T17:42:40.000+02:00
neondatabase/neon#12539 Co-authored-by: Matthias van de Meent <matthias@neon.tech>
diff --git a/src/backend/commands/publicationcmds.c b/src/backend/commands/publicationcmds.c
@@ -748,7 +748,7 @@ CreatePublication(ParseState *pstate, CreatePublicationStmt *stmt)
 					   get_database_name(MyDatabaseId));
 
 	/* FOR ALL TABLES requires superuser */
-	if (stmt->for_all_tables && !superuser() && !is_neon_superuser())
+	if (stmt->for_all_tables && !superuser() && !is_privileged_role())
 		ereport(ERROR,
 				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 				 errmsg("must be superuser to create FOR ALL TABLES publication")));
@@ -819,7 +819,7 @@ CreatePublication(ParseState *pstate, CreatePublicationStmt *stmt)
 								   &schemaidlist);
 
 		/* FOR TABLES IN SCHEMA requires superuser */
-		if (schemaidlist != NIL && !superuser() && !is_neon_superuser())
+		if (schemaidlist != NIL && !superuser() && !is_privileged_role())
 			ereport(ERROR,
 					errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
 					errmsg("must be superuser to create FOR TABLES IN SCHEMA publication"));
diff --git a/src/backend/utils/adt/acl.c b/src/backend/utils/adt/acl.c
@@ -129,17 +129,29 @@ static AclResult pg_role_aclcheck(Oid role_oid, Oid roleid, AclMode mode);
 
 static void RoleMembershipCacheCallback(Datum arg, int cacheid, uint32 hashvalue);
 
+/*
+ * Name of the user-accessible privileged role in this system.
+ * Generally neon_superuser on neon.com
+ */
+char *privileged_role_name = NULL;
+
 bool
-is_neon_superuser(void)
+is_privileged_role(void)
 {
-	return is_neon_superuser_arg(GetUserId());
+	return is_privileged_role_arg(GetUserId());
 }
 
 bool
-is_neon_superuser_arg(Oid roleid)
+is_privileged_role_arg(Oid roleid)
 {
-	Oid neon_superuser_oid = get_role_oid("neon_superuser", true /*missing_ok*/);
-	return neon_superuser_oid != InvalidOid && has_privs_of_role(roleid, neon_superuser_oid);
+	Oid privileged_role_oid;
+
+	if (privileged_role_name == NULL)
+		return false;
+
+	privileged_role_oid = get_role_oid(privileged_role_name, true /* missing_ok */);
+
+	return privileged_role_oid != InvalidOid && has_privs_of_role(roleid, privileged_role_oid);
 }
 
 /*
diff --git a/src/include/miscadmin.h b/src/include/miscadmin.h
@@ -430,8 +430,9 @@ extern bool superuser(void);	/* current user is superuser */
 extern bool superuser_arg(Oid roleid);	/* given user is superuser */
 
 /* in utils/adt/acl.c */
-extern bool is_neon_superuser(void); /* current user is neon_superuser */
-extern bool is_neon_superuser_arg(Oid roleid); /* given user is neon_superuser */
+extern PGDLLIMPORT char *privileged_role_name;
+extern bool is_privileged_role(void); /* current user is a privileged role */
+extern bool is_privileged_role_arg(Oid roleid); /* given user is a privileged role */
 
 /*****************************************************************************
  *	  pmod.h --																 *
