Skip to main content
HashnodeHashNotes

Command Palette

Search for a command to run...

Predefined PostgreSQL Roles: Detailed Explanation

Published
4 min read
M
Mohamad Mahmood

Mohamad's interest is in Programming (Mobile, Web, Database and Machine Learning). He is studying at the Center For Artificial Intelligence Technology (CAIT), Universiti Kebangsaan Malaysia (UKM).

PostgreSQL comes with a set of predefined roles that grant specific privileges. These roles are designed to simplify permissions management, particularly for administrative tasks, monitoring, and data access. Below is a detailed breakdown of the predefined roles mentioned:

1. pg_checkpoint

  • Purpose: Allows the user to manually initiate a checkpoint in the database.

  • What is a Checkpoint?

    • A checkpoint is a point in time where PostgreSQL synchronizes the contents of memory with the disk.

    • It reduces the recovery time during a crash by ensuring that changes are saved up to the checkpoint.

  • Usage Scenario:

    • Useful for administrators performing database maintenance or preparing for a shutdown.

  • How to Use:

      SELECT pg_switch_wal();  -- Forces a WAL (Write-Ahead Logging) segment switch.
  SELECT pg_checkpoint();  -- Manually triggers a checkpoint.

  • Important Notes: This role should only be granted to trusted users due to its potential impact on performance.

2. pg_create_subscription

  • Purpose: Grants permission to create subscriptions for logical replication.

  • What is Logical Replication?

    • Logical replication allows selective replication of data between PostgreSQL databases.

    • Subscriptions define which publications a database subscribes to.

  • Usage Scenario:

    • Needed for setting up subscriber nodes in a replication topology.

  • How to Use:

      CREATE SUBSCRIPTION my_subscription
  CONNECTION 'host=source_host dbname=source_db user=replicator password=secret'
  PUBLICATION my_publication;

  • Important Notes: This role is essential for maintaining multi-node PostgreSQL clusters.

3. pg_database_owner

  • Purpose: Role specific to managing a database for its owner.

  • Privileges:

    • Full control over a specific database, including schema creation, table management, and granting permissions to other users.

  • Usage Scenario:

    • Used when assigning a specific user or team responsibility for a database.

  • How to Use:

    • Assign ownership of a database to a role:

        ALTER DATABASE my_database OWNER TO my_role;

4. pg_execute_server_program

  • Purpose: Allows the execution of server-side programs.

  • What are Server-Side Programs?

    • These are external programs or scripts executed via PostgreSQL, typically used for custom maintenance tasks or integrations.

  • Usage Scenario:

    • Needed when using extensions or tools requiring server-side execution (e.g., external backups or monitoring scripts).

  • Security Considerations:

    • Grant this role only to highly trusted users, as server-side programs can pose security risks.

5. pg_maintain

  • Purpose: Grants privileges for general maintenance tasks.

  • Privileges Include:

    • Performing vacuum operations.

    • Reindexing tables.

    • Managing table statistics.

  • Usage Scenario:

    • Ideal for database administrators responsible for performance tuning and maintenance.

  • How to Use:

      VACUUM FULL my_table;   -- Reclaims disk space and optimizes the table.
  REINDEX TABLE my_index; -- Rebuilds an index to improve query performance.

6. pg_monitor

  • Purpose: Allows viewing statistics and monitoring data.

  • Privileges Include:

    • Access to system catalog views like pg_stat_activity, pg_stat_database, etc.

    • Useful for analyzing query performance and database health.

  • Usage Scenario:

    • Database monitoring by operations teams.

  • How to Use:

      SELECT * FROM pg_stat_activity; -- View currently active queries.
  SELECT * FROM pg_stat_database; -- View database performance statistics.

  • Best Practice: Assign this role to monitoring tools (e.g., Prometheus or Zabbix).

7. pg_read_all_data

  • Purpose: Grants read access to all tables in the database.

  • Privileges Include:

    • SELECT privileges on all existing and future tables and views.

  • Usage Scenario:

    • Useful for read-only users or applications that need unrestricted data access.

  • How to Use:

      GRANT pg_read_all_data TO my_read_only_user;

8. pg_write_all_data

  • Purpose: Grants write access to all tables in the database.

  • Privileges Include:

    • INSERT, UPDATE, DELETE, and TRUNCATE privileges on all existing and future tables and views.

  • Usage Scenario:

    • Ideal for ETL (Extract, Transform, Load) jobs or applications requiring full write access.

  • How to Use:

      GRANT pg_write_all_data TO my_etl_user;

Important Notes for All Roles

  • Non-Inheritable: Predefined roles are not inherited by default. They must be explicitly granted.

  • Revoking Privileges:

    • Privileges from predefined roles can be revoked if needed:

        REVOKE pg_read_all_data FROM my_user;

  • Combining Roles:

    • Multiple predefined roles can be assigned to a single user, combining their privileges.

Practical Exercises

  1. Monitor Activity:

    • Assign the pg_monitor role to a user and query pg_stat_activity.

  2. Setup Logical Replication:

    • Use the pg_create_subscription role to configure a replication subscriber.

  3. Test Maintenance Privileges:

    • Grant pg_maintain to a user and perform a VACUUM ANALYZE.

These roles provide flexibility and simplify permission management for PostgreSQL administrators.

#postgresql
6 views

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

HashNotes

348 posts