Skip to content

Let mdb_admin manage resource groups#1804

Open
Alena0704 wants to merge 1 commit into
apache:REL_2_STABLEfrom
Alena0704:REL_2_STABLE-mdb_admin-resource-group
Open

Let mdb_admin manage resource groups#1804
Alena0704 wants to merge 1 commit into
apache:REL_2_STABLEfrom
Alena0704:REL_2_STABLE-mdb_admin-resource-group

Conversation

@Alena0704
Copy link
Copy Markdown
Contributor

@Alena0704 Alena0704 commented Jun 4, 2026
edited
Loading

Let mdb_admin manage resource groups
In Greenplum/Cloudberry only a superuser may CREATE/ALTER/DROP resource
groups. In managed-service deployments superuser is never handed to
the client, so a cloud admin has no way to tune their own CPU/memory
limits.

The upstream-shaped fix is a predefined role pinned in pg_authid.dat.
That is correct for master, but a new bootstrap catalog entry bumps
CATALOG_VERSION_NO and thus needs a fresh initdb / gpupgrade.
We must be able to grant this capability between minor versions.

So instead of pinning an OID, gate the four entry points on membership
of the mdb_admin role, resolved by name at runtime:

role = get_role_oid("mdb_admin", true);
if (!is_member_of_role(GetUserId(), role))
    ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), ...));

mdb_admin is an ordinary role created by the control plane with a plain
CREATE ROLE, not a built-in catalog role. If the role does not exist,
get_role_oid returns InvalidOid, so on a stock cluster only superusers
pass the check and nothing changes. The capability is enabled only
where the control plane creates the role.

admin_group stays superuser-only for ALTER/DROP: it is infrastructure,
not a user-tunable group.

This commit is adapted from open-gpdb/gpdb commit 3ac99962ad2.
Some tests are added from apache/cloudberry PR #1763.

Fixes #ISSUE_Number

What does this PR do?

Type of Change

  • Bug fix (non-breaking change)
  • New feature (non-breaking change)
  • Breaking change (fix or feature with breaking changes)
  • Documentation update

Breaking Changes

Test Plan

  • Unit tests added/updated
  • Integration tests added/updated
  • Passed make installcheck
  • Passed make -C src/test installcheck-cbdb-parallel

Impact

Performance:

User-facing changes:

Dependencies:

Checklist

Additional Context

CI Skip Instructions

my-ship-it
my-ship-it reviewed Jun 4, 2026
View reviewed changes
Comment thread src/backend/commands/resgroupcmds.c
my-ship-it
my-ship-it reviewed Jun 4, 2026
View reviewed changes
Comment thread src/include/catalog/pg_authid.dat Outdated
rolcreaterole => 'f', rolcreatedb => 'f', rolcanlogin => 'f',
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '6312', oid_symbol => 'ROLE_PG_MANAGE_RESOURCE_GROUPS',
Copy link
Copy Markdown
Contributor

@my-ship-it my-ship-it Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can ROLE_PG_MANAGE_RESOURCE_GROUPS be dropped? If dropped, we cannot create it again.

Copy link
Copy Markdown
Contributor Author

@Alena0704 Alena0704 Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't drop this role. This function checks it:

/* This case can be dispatched quickly */
	if (IsPinnedObject(classId, objectId))
	{
		object.classId = classId;
		object.objectId = objectId;
		object.objectSubId = 0;
		ereport(ERROR,
				(errcode(ERRCODE_DEPENDENT_OBJECTS_STILL_EXIST),
				 errmsg("cannot drop %s because it is required by the database system",
						getObjectDescription(&object, false))));
	}

src/backend/catalog/pg_shdepend.c:654

my-ship-it
my-ship-it reviewed Jun 4, 2026
View reviewed changes
Comment thread src/include/catalog/pg_authid.dat Outdated
rolreplication => 'f', rolbypassrls => 'f', rolconnlimit => '-1',
rolpassword => '_null_', rolvaliduntil => '_null_' },
{ oid => '6312', oid_symbol => 'ROLE_PG_MANAGE_RESOURCE_GROUPS',
rolname => 'pg_manage_resource_groups', rolsuper => 'f', rolinherit => 't',
Copy link
Copy Markdown
Contributor

@my-ship-it my-ship-it Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We change catalog here, but for 2X_STABLE, we suppose not.

Copy link
Copy Markdown
Contributor Author

@Alena0704 Alena0704 Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, agree and because of this I'm going to return to this solution #1763 but I will save tests that I have added before here. But I will take into account your current suggestions here #1795

my-ship-it
my-ship-it reviewed Jun 4, 2026
View reviewed changes
Comment thread src/backend/commands/resgroupcmds.c

/* The system admin_group can only be altered by a superuser. */
if (!superuser() && (strcmp(stmt->name, "admin_group") == 0))
ereport(ERROR,
Copy link
Copy Markdown
Contributor

@my-ship-it my-ship-it Jun 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also protect SYSTEMRESGROUP_OID?

Copy link
Copy Markdown
Contributor Author

@Alena0704 Alena0704 Jun 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should compare it with admin_group and default_group too. because the first one is a default group for superuser sessions and default_group contains system roles without superuser privileges.

@Alena0704
Let mdb_admin manage resource groups
c429871 
In Greenplum/Cloudberry only a superuser may CREATE/ALTER/DROP resource
groups. In managed-service deployments superuser is never handed to
the client, so a cloud admin has no way to tune their own CPU/memory
limits.

The upstream-shaped fix is a predefined role pinned in pg_authid.dat.
That is correct for master, but a new bootstrap catalog entry bumps
CATALOG_VERSION_NO and thus needs a fresh initdb / gpupgrade.
We must be able to grant this capability between minor versions.

So instead of pinning an OID, gate the four entry points on membership
of the mdb_admin role, resolved by name at runtime:

    role = get_role_oid("mdb_admin", true);
    if (!is_member_of_role(GetUserId(), role))
        ereport(ERROR, (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), ...));

mdb_admin is an ordinary role created by the control plane with a plain
CREATE ROLE, not a built-in catalog role. If the role does not exist,
get_role_oid returns InvalidOid, so on a stock cluster only superusers
pass the check and nothing changes. The capability is enabled only
where the control plane creates the role.

admin_group stays superuser-only for ALTER/DROP: it is infrastructure,
not a user-tunable group.

This commit is adapted from open-gpdb/gpdb commit 3ac99962ad2.
Some tests are added from apache/cloudberry PR apache#1763.
@Alena0704 Alena0704 force-pushed the REL_2_STABLE-mdb_admin-resource-group branch from 3cf18f1 to c429871 Compare June 4, 2026 07:35
@Alena0704
Copy link
Copy Markdown
Contributor Author

Alena0704 commented Jun 4, 2026
edited
Loading

I rewrote the patch completely because a new bootstrap catalog entry bumps CATALOG_VERSION_NO and incompatible with minor gpupgrade - I adapted the commit from open-gpdb 3ac99962ad2 and added my tests.

@Alena0704 Alena0704 changed the title Add predefined role pg_manage_resource_groups Let mdb_admin manage resource groups Jun 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@my-ship-it my-ship-it my-ship-it left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Alena0704 @my-ship-it