CREATE SCHEMA alter_role; SET citus.enable_alter_role_propagation to ON; CREATE ROLE alter_role_1 WITH LOGIN; NOTICE: not propagating CREATE ROLE/USER commands to worker nodes HINT: Connect to worker nodes directly to manually create all necessary users and roles. SELECT run_command_on_workers($$CREATE ROLE alter_role_1 WITH LOGIN;$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,"CREATE ROLE") (localhost,57638,t,"CREATE ROLE") (2 rows) -- postgres errors out ALTER ROLE alter_role_1 WITH SUPERUSER NOSUPERUSER; ERROR: conflicting or redundant options -- make sure that we propagate all options accurately ALTER ROLE alter_role_1 WITH SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN REPLICATION BYPASSRLS CONNECTION LIMIT 66 VALID UNTIL '2032-05-05'; SELECT row(rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, rolpassword, EXTRACT (year FROM rolvaliduntil)) FROM pg_authid WHERE rolname = 'alter_role_1'; row --------------------------------------------------------------------- (alter_role_1,t,t,t,t,t,t,t,66,,2032) (1 row) SELECT run_command_on_workers($$SELECT row(rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, rolpassword, EXTRACT (year FROM rolvaliduntil)) FROM pg_authid WHERE rolname = 'alter_role_1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,"(alter_role_1,t,t,t,t,t,t,t,66,,2032)") (localhost,57638,t,"(alter_role_1,t,t,t,t,t,t,t,66,,2032)") (2 rows) -- make sure that we propagate all options accurately ALTER ROLE alter_role_1 WITH NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT 0 VALID UNTIL '2052-05-05'; SELECT row(rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, rolpassword, EXTRACT (year FROM rolvaliduntil)) FROM pg_authid WHERE rolname = 'alter_role_1'; row --------------------------------------------------------------------- (alter_role_1,f,f,f,f,f,f,f,0,,2052) (1 row) SELECT run_command_on_workers($$SELECT row(rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, rolpassword, EXTRACT (year FROM rolvaliduntil)) FROM pg_authid WHERE rolname = 'alter_role_1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,"(alter_role_1,f,f,f,f,f,f,f,0,,2052)") (localhost,57638,t,"(alter_role_1,f,f,f,f,f,f,f,0,,2052)") (2 rows) -- make sure that non-existent users are handled properly ALTER ROLE alter_role_2 WITH SUPERUSER NOSUPERUSER; ERROR: conflicting or redundant options ALTER ROLE alter_role_2 WITH SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN REPLICATION BYPASSRLS CONNECTION LIMIT 66 VALID UNTIL '2032-05-05'; ERROR: role "alter_role_2" does not exist -- make sure that CURRENT_USER just works fine ALTER ROLE CURRENT_USER WITH CONNECTION LIMIT 123; SELECT rolconnlimit FROM pg_authid WHERE rolname = CURRENT_USER; rolconnlimit --------------------------------------------------------------------- 123 (1 row) SELECT run_command_on_workers($$SELECT rolconnlimit FROM pg_authid WHERE rolname = CURRENT_USER;$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,123) (localhost,57638,t,123) (2 rows) -- make sure that SESSION_USER just works fine ALTER ROLE SESSION_USER WITH CONNECTION LIMIT 124; SELECT rolconnlimit FROM pg_authid WHERE rolname = SESSION_USER; rolconnlimit --------------------------------------------------------------------- 124 (1 row) SELECT run_command_on_workers($$SELECT rolconnlimit FROM pg_authid WHERE rolname = SESSION_USER;$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,124) (localhost,57638,t,124) (2 rows) -- now lets test the passwords in more detail ALTER ROLE alter_role_1 WITH PASSWORD NULL; SELECT rolpassword is NULL FROM pg_authid WHERE rolname = 'alter_role_1'; ?column? --------------------------------------------------------------------- t (1 row) SELECT run_command_on_workers($$SELECT rolpassword is NULL FROM pg_authid WHERE rolname = 'alter_role_1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,t) (localhost,57638,t,t) (2 rows) ALTER ROLE alter_role_1 WITH PASSWORD 'test1'; SELECT rolpassword FROM pg_authid WHERE rolname = 'alter_role_1'; rolpassword --------------------------------------------------------------------- md52f9cc8d65e37edcc45c4a489bdfc699d (1 row) SELECT run_command_on_workers($$SELECT rolpassword FROM pg_authid WHERE rolname = 'alter_role_1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,md52f9cc8d65e37edcc45c4a489bdfc699d) (localhost,57638,t,md52f9cc8d65e37edcc45c4a489bdfc699d) (2 rows) ALTER ROLE alter_role_1 WITH ENCRYPTED PASSWORD 'test2'; SELECT rolpassword FROM pg_authid WHERE rolname = 'alter_role_1'; rolpassword --------------------------------------------------------------------- md5e17f7818c5ec023fa87bdb97fd3e842e (1 row) SELECT run_command_on_workers($$SELECT rolpassword FROM pg_authid WHERE rolname = 'alter_role_1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,md5e17f7818c5ec023fa87bdb97fd3e842e) (localhost,57638,t,md5e17f7818c5ec023fa87bdb97fd3e842e) (2 rows) ALTER ROLE alter_role_1 WITH ENCRYPTED PASSWORD 'md59cce240038b7b335c6aa9674a6f13e72'; SELECT rolpassword FROM pg_authid WHERE rolname = 'alter_role_1'; rolpassword --------------------------------------------------------------------- md59cce240038b7b335c6aa9674a6f13e72 (1 row) SELECT run_command_on_workers($$SELECT rolpassword FROM pg_authid WHERE rolname = 'alter_role_1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,md59cce240038b7b335c6aa9674a6f13e72) (localhost,57638,t,md59cce240038b7b335c6aa9674a6f13e72) (2 rows) -- edge case role names CREATE ROLE "alter_role'1" WITH LOGIN; NOTICE: not propagating CREATE ROLE/USER commands to worker nodes HINT: Connect to worker nodes directly to manually create all necessary users and roles. SELECT run_command_on_workers($$CREATE ROLE "alter_role'1" WITH LOGIN;$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,"CREATE ROLE") (localhost,57638,t,"CREATE ROLE") (2 rows) ALTER ROLE "alter_role'1" CREATEROLE; SELECT rolcreaterole FROM pg_authid WHERE rolname = 'alter_role''1'; rolcreaterole --------------------------------------------------------------------- t (1 row) SELECT run_command_on_workers($$SELECT rolcreaterole FROM pg_authid WHERE rolname = 'alter_role''1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,t) (localhost,57638,t,t) (2 rows) CREATE ROLE "alter_role""1" WITH LOGIN; NOTICE: not propagating CREATE ROLE/USER commands to worker nodes HINT: Connect to worker nodes directly to manually create all necessary users and roles. SELECT run_command_on_workers($$CREATE ROLE "alter_role""1" WITH LOGIN;$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,"CREATE ROLE") (localhost,57638,t,"CREATE ROLE") (2 rows) ALTER ROLE "alter_role""1" CREATEROLE; SELECT rolcreaterole FROM pg_authid WHERE rolname = 'alter_role"1'; rolcreaterole --------------------------------------------------------------------- t (1 row) SELECT run_command_on_workers($$SELECT rolcreaterole FROM pg_authid WHERE rolname = 'alter_role"1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,t) (localhost,57638,t,t) (2 rows) -- add node ALTER ROLE alter_role_1 WITH SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN REPLICATION BYPASSRLS CONNECTION LIMIT 66 VALID UNTIL '2032-05-05' PASSWORD 'test3'; SELECT row(rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, rolpassword, EXTRACT (year FROM rolvaliduntil)) FROM pg_authid WHERE rolname = 'alter_role_1'; row --------------------------------------------------------------------- (alter_role_1,t,t,t,t,t,t,t,66,md5ead5c53df946838b1291bba7757f41a7,2032) (1 row) SELECT run_command_on_workers($$SELECT row(rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, rolpassword, EXTRACT (year FROM rolvaliduntil)) FROM pg_authid WHERE rolname = 'alter_role_1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,"(alter_role_1,t,t,t,t,t,t,t,66,md5ead5c53df946838b1291bba7757f41a7,2032)") (localhost,57638,t,"(alter_role_1,t,t,t,t,t,t,t,66,md5ead5c53df946838b1291bba7757f41a7,2032)") (2 rows) SELECT master_remove_node('localhost', :worker_1_port); master_remove_node --------------------------------------------------------------------- (1 row) ALTER ROLE alter_role_1 WITH NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN NOREPLICATION NOBYPASSRLS CONNECTION LIMIT 0 VALID UNTIL '2052-05-05' PASSWORD 'test4'; SELECT row(rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, rolpassword, EXTRACT (year FROM rolvaliduntil)) FROM pg_authid WHERE rolname = 'alter_role_1'; row --------------------------------------------------------------------- (alter_role_1,f,f,f,f,f,f,f,0,md5be308f25c7b1a2d50c85cf7e6f074df9,2052) (1 row) SELECT run_command_on_workers($$SELECT row(rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, rolpassword, EXTRACT (year FROM rolvaliduntil)) FROM pg_authid WHERE rolname = 'alter_role_1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57638,t,"(alter_role_1,f,f,f,f,f,f,f,0,md5be308f25c7b1a2d50c85cf7e6f074df9,2052)") (1 row) SELECT 1 FROM master_add_node('localhost', :worker_1_port); ?column? --------------------------------------------------------------------- 1 (1 row) SELECT row(rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, rolpassword, EXTRACT (year FROM rolvaliduntil)) FROM pg_authid WHERE rolname = 'alter_role_1'; row --------------------------------------------------------------------- (alter_role_1,f,f,f,f,f,f,f,0,md5be308f25c7b1a2d50c85cf7e6f074df9,2052) (1 row) SELECT run_command_on_workers($$SELECT row(rolname, rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin, rolreplication, rolbypassrls, rolconnlimit, rolpassword, EXTRACT (year FROM rolvaliduntil)) FROM pg_authid WHERE rolname = 'alter_role_1'$$); run_command_on_workers --------------------------------------------------------------------- (localhost,57637,t,"(alter_role_1,f,f,f,f,f,f,f,0,md5be308f25c7b1a2d50c85cf7e6f074df9,2052)") (localhost,57638,t,"(alter_role_1,f,f,f,f,f,f,f,0,md5be308f25c7b1a2d50c85cf7e6f074df9,2052)") (2 rows) -- table belongs to a role -- we don't support propagation of configuration_parameters and notice the users ALTER ROLE alter_role_1 SET enable_hashagg TO FALSE; NOTICE: Citus partially supports ALTER ROLE for distributed databases DETAIL: Citus does not propagate ALTER ROLE ... SET/RESET commands to workers HINT: You can manually alter roles on workers. -- we don't support propagation of ALTER ROLE ... RENAME TO commands. ALTER ROLE alter_role_1 RENAME TO alter_role_1_new; NOTICE: MD5 password cleared because of role rename NOTICE: Citus partially supports ALTER ROLE for distributed databases DETAIL: Citus does not propagate ALTER ROLE ... RENAME TO commands to workers HINT: You can manually alter roles on workers. SET citus.enable_alter_role_propagation to OFF; DROP SCHEMA alter_role CASCADE;