PGD predefined roles v5
PGD predefined roles are created when the BDR extension is installed. After BDR extension is dropped from a database, the roles continue to exist. You need to drop them manually if dropping is required.
bdr_superuser
This is a role for an admin user that can manage anything PGD related. It allows you to separate management of the database and table access. Using it allows you to have a user that can manage the PGD cluster without giving them PostgreSQL superuser privileges.
Privileges
- ALL PRIVILEGES ON ALL TABLES IN SCHEMA BDR
- ALL PRIVILEGES ON ALL ROUTINES IN SCHEMA BDR
bdr_read_all_stats
This role provides read access to most of the tables, views, and functions that users or applications may need to observe the statistics and state of the PGD cluster.
Privileges
SELECT
privilege on:
bdr.autopartition_partitions
bdr.autopartition_rules
bdr.ddl_epoch
bdr.ddl_replication
bdr.global_consensus_journal_details
bdr.global_lock
bdr.global_locks
bdr.group_camo_details
bdr.local_consensus_state
bdr.local_node_summary
bdr.node
bdr.node_catchup_info
bdr.node_catchup_info_details
bdr.node_conflict_resolvers
bdr.node_group
bdr.node_local_info
bdr.node_peer_progress
bdr.node_replication_rates
bdr.node_slots
bdr.node_summary
bdr.replication_sets
bdr.replication_status
bdr.sequences
bdr.stat_activity
bdr.stat_relation
bdr.stat_subscription
deprecatedbdr.state_journal_details
bdr.subscription
bdr.subscription_summary
bdr.tables
bdr.taskmgr_local_work_queue
bdr.taskmgr_work_queue
bdr.worker_errors
deprecatedbdr.workers
bdr.writers
bdr.xid_peer_progress
EXECUTE privilege on:
bdr.bdr_edition
deprecatedbdr.bdr_version
bdr.bdr_version_num
bdr.decode_message_payload
bdr.get_consensus_status
bdr.get_decoding_worker_stat
bdr.get_global_locks
bdr.get_min_required_replication_slots
bdr.get_min_required_worker_processes
bdr.get_raft_status
bdr.get_relation_stats
bdr.get_slot_flush_timestamp
bdr.get_sub_progress_timestamp
bdr.get_subscription_stats
bdr.lag_control
bdr.lag_history
bdr.node_catchup_state_name
bdr.node_kind_name
bdr.peer_state_name
bdr.pglogical_proto_version_ranges
bdr.show_subscription_status
bdr.show_workers
bdr.show_writers
bdr.stat_get_activity
bdr.wal_sender_stats
bdr.worker_role_id_name
bdr_monitor
This role provides read access to any tables, views, and functions that users or applications may need to monitor the PGD cluster. It includes all the privileges of the bdr_read_all_stats
role.
Privileges
All privileges from bdr_read_all_stats
plus the following additional privileges:
SELECT
privilege on:
bdr.group_raft_details
bdr.group_replslots_details
bdr.group_subscription_summary
bdr.group_versions_details
bdr.raft_instances
EXECUTE
privilege on:
bdr.get_raft_instance_by_nodegroup
bdr.monitor_camo_on_all_nodes
bdr.monitor_group_raft
bdr.monitor_group_versions
bdr.monitor_local_replslots
bdr.monitor_raft_details_on_all_nodes
bdr.monitor_replslots_details_on_all_nodes
bdr.monitor_subscription_details_on_all_nodes
bdr.monitor_version_details_on_all_nodes
bdr.node_group_member_info
bdr_application
This role is designed for applications that require access to PGD features, objects, and functions such as sequences, CRDT datatypes, CAMO status functions, or trigger management functions.
Privileges
EXECUTE
privilege on:
- All functions for column_timestamps datatypes
- All functions for CRDT datatypes
bdr.alter_sequence_set_kind
bdr.create_conflict_trigger
bdr.create_transform_trigger
bdr.drop_trigger
bdr.get_configured_camo_partner
bdr.global_lock_table
bdr.is_camo_partner_connected
bdr.is_camo_partner_ready
bdr.logical_transaction_status
bdr.ri_fkey_trigger
bdr.seq_nextval
bdr.seq_currval
bdr.seq_lastval
bdr.trigger_get_committs
bdr.trigger_get_conflict_type
bdr.trigger_get_origin_node_id
bdr.trigger_get_row
bdr.trigger_get_type
bdr.trigger_get_xid
bdr.wait_for_camo_partner_queue
bdr.wait_slot_confirm_lsn
bdr.wait_node_confirm_lsn
Many of these functions require additional privileges before you can use them.
For example, you must be the table owner to successfully execute
bdr.alter_sequence_set_kind
. These additional rules are described with each
specific function.
bdr_read_all_conflicts
PGD logs conflicts into the
bdr.conflict_history
table. Conflicts are visible only to table owners, so no extra privileges are
required for the owners to read the conflict history.
If, though, it's useful to have a user that can see conflicts for all tables,
you can optionally grant the role bdr_read_all_conflicts
to that user.
Privileges
An explicit policy is set on bdr.conflict_history
that allows this role to read the bdr.conflict_history
table.