feat: grant REINDEX capability to analytics user in read-write mode

- PG < 16 read-write: use superuser (pg_maintain doesn't exist)
- PG >= 16 read-write: grant pg_maintain for REINDEX/VACUUM/ANALYZE
- PG >= 14 read-only: unchanged (pg_read_all_data only)
- PG < 14: unchanged (superuser)

Author: passcod

src/controllers/replica.rs

@@ -1167,7 +1167,8 @@ async fn reconcile_schema_migration(
 		return Err(Error::SchemaMigration(msg));
 	}
 
-	// The analytics user already has pg_write_all_data + CREATE ON DATABASE
+	// The analytics user already has write privileges (superuser on PG < 17,
+	// pg_write_all_data + pg_maintain + CREATE ON DATABASE on PG >= 17)
 	// when persistent_schemas is configured (read_only is effectively false),
 	// so we reuse the replica creds secret for write access to the target.
 	let target_superuser_secret_name = reader_secret_name.clone();

src/controllers/restore/builders.rs

@@ -599,7 +599,8 @@ fi
 
 echo "Detected PG major version: $PG_MAJOR"
 
-if [ "$PG_MAJOR" -ge 14 ]; then
+if [ "$PG_MAJOR" -ge 14 ] && [ "{read_only}" = "true" ]; then
+  # PG >= 14 read-only: granular read role
   psql -U postgres -d postgres << SQLEOF
 DO \$\$
 BEGIN
@@ -612,13 +613,23 @@ END
 \$\$;
 GRANT pg_read_all_data TO ${{ANALYTICS_USERNAME}};
 SQLEOF
+  echo "Read-only mode with PG >= 14, granted pg_read_all_data"
 
-  if [ "{read_only}" = "true" ]; then
-    echo "Read-only mode with PG >= 14, granted pg_read_all_data"
-  else
-    echo "Read-write mode with PG >= 14, granting pg_write_all_data + CREATE ON DATABASE..."
-    psql -U postgres -d postgres << SQLEOF
+elif [ "$PG_MAJOR" -ge 17 ]; then
+  # PG >= 17 read-write: granular roles including pg_maintain
+  psql -U postgres -d postgres << SQLEOF
+DO \$\$
+BEGIN
+  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = '${{ANALYTICS_USERNAME}}') THEN
+    CREATE ROLE ${{ANALYTICS_USERNAME}} WITH LOGIN PASSWORD '${{ANALYTICS_PASSWORD}}';
+  ELSE
+    ALTER ROLE ${{ANALYTICS_USERNAME}} WITH PASSWORD '${{ANALYTICS_PASSWORD}}';
+  END IF;
+END
+\$\$;
+GRANT pg_read_all_data TO ${{ANALYTICS_USERNAME}};
 GRANT pg_write_all_data TO ${{ANALYTICS_USERNAME}};
+GRANT pg_maintain TO ${{ANALYTICS_USERNAME}};
 DO \$\$
 DECLARE
   dbname text;
@@ -630,9 +641,11 @@ BEGIN
 END
 \$\$;
 SQLEOF
-  fi
+  echo "Read-write mode with PG >= 17, granted pg_read_all_data + pg_write_all_data + pg_maintain + CREATE ON DATABASE"
+
 else
-  echo "PG < 14, granting superuser to analytics user..."
+  # PG < 14, or PG 14-16 read-write: superuser
+  echo "Granting superuser to analytics user (PG < 17 read-write or PG < 14)..."
   psql -U postgres -d postgres << SQLEOF
 DO \$\$
 BEGIN

tests/lifecycle.rs

@@ -399,6 +399,22 @@ async fn analytics_create_schema_read_write() {
 	)
 	.await;
 
+	println!("--- verifying analytics user can REINDEX");
+	kubectl_exec(
+		ns,
+		&deploy_target,
+		&[
+			"psql",
+			"-U",
+			"analytics",
+			"-d",
+			"myapp",
+			"-c",
+			"REINDEX TABLE test_pgro_app.rw_test",
+		],
+	)
+	.await;
+
 	println!("--- all read-write assertions passed, cleaning up");
 	cleanup_namespace(&client, ns, &["rw-replica"]).await;
 }