Support `FOR ALL TABLES` in logical replication

[kelvich]

RDS supports it https://docs.aws.amazon.com/dms/latest/sbs/chap-manageddatabases.postgresql-rds-postgresql-full-load-publisher.html#chap-manageddatabases.postgresql-rds-postgresql-full-load-publisher-replication and it is handy feature to have.

Postgres allows it only for superusers:

/* FOR ALL TABLES requires superuser */
if (stmt->for_all_tables && !superuser())
    ereport(ERROR,
            (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
                errmsg("must be superuser to create FOR ALL TABLES publication")));

there is no specified reason for that, but looking down at the usage of this flag:

/* Associate objects with the publication. */
if (stmt->for_all_tables)
{
    /* Invalidate relcache so that publication info is rebuilt. */
    CacheInvalidateRelcacheAll();
}
else
{
    ObjectsInPublicationToOids(stmt->pubobjects, pstate, &relations,
                                &schemaidlist);

it looks like superuser requirement there because there is no good way to ensure that the current user has access to future tables. That way one can read some future table that they might not have access to.

In our setup it should be okay to change superuser requirement to neon_superuser group membership.

[stepashka]

FYA, @vadim2404 @knizhnik @arssher @save-buffer

[save-buffer]

Should we also eventually move neon_superuser into being a builtin role? Instead of having compute_ctl create it?

[vadim2404]

created a PR for review for Pg16. Waiting for review

[vadim2404]

Will be a part of the next release

[vadim2404]

A member of neon_superuser can't create a publication for all tables w/o switching the role

[save-buffer]

This should begin working once Migrations are merged in. Migrations enable INHERIT on neon_superuser.

[vadim2404]

To check it today (migrations were merged)

[save-buffer]

Migrations have been enabled for everyone, so I will close this issue

[andreasscherbaum]

It's released