diff --git a/product_docs/docs/pgd/5/node_management/creating_and_joining.mdx b/product_docs/docs/pgd/5/node_management/creating_and_joining.mdx index 1c94d45854a..0a2ceb59aef 100644 --- a/product_docs/docs/pgd/5/node_management/creating_and_joining.mdx +++ b/product_docs/docs/pgd/5/node_management/creating_and_joining.mdx @@ -56,6 +56,9 @@ The node that's joining the cluster must not contain any schema or data that already exists on databases in the PGD group. We recommend that the newly joining database be empty except for the BDR extension. However, it's important that all required database users and roles are created. +Additionally, if the joining operation is to be carried out by a non-superuser, +extensions requiring superuser permission will need to be manually created. For +more details see [Connections and roles](../security/role-management#connections-and-roles). Optionally, you can skip the schema synchronization using the `synchronize_structure` parameter of the diff --git a/product_docs/docs/pgd/5/security/role-management.mdx b/product_docs/docs/pgd/5/security/role-management.mdx index 8df0e7bf0eb..6960ae18f8a 100644 --- a/product_docs/docs/pgd/5/security/role-management.mdx +++ b/product_docs/docs/pgd/5/security/role-management.mdx @@ -53,6 +53,21 @@ nodes, such that following stipulations are satisfied: - It owns all database objects to replicate, either directly or from permissions from the owner roles. +Additionally, if any non-default extensions (excluding the `bdr` extension +itself) are present on the source node, and any of these can only be installed +by a superuser, these extensions must be created manually (by a superuser) on +the join target node, otherwise the join process will fail. + +In PostgreSQL 13 and later, extensions requiring superuser permission and which +therefore need to be manually installed, can be identified by executing (on the +source node): + +```sql + SELECT name, (trusted IS FALSE AND superuser) AS superuser_only + FROM pg_available_extension_versions + WHERE installed AND name != 'bdr'; +``` + Once all nodes are joined, to continue to allow DML and DDL replication, you can reduce the permissions further to the following: - The user has the `REPLICATION` attribute.