roles

SELECT 
  pg_roles.rolname, 
  pg_roles.rolconnlimit 
FROM pg_roles

pg_roles_connection_limit{rolname="postgres"} -1
pg_roles_connection_limit{rolname="app_user"} 100
pg_roles_connection_limit{rolname="readonly_user"} 10
pg_roles_connection_limit{rolname="admin"} -1
pg_roles_connection_limit{rolname="backup_role"} 2
pg_roles_connection_limit{rolname="group_role"} 0

# Roles with connection limits
pg_roles_connection_limit > 0

# Roles with unlimited connections
pg_roles_connection_limit == -1

# Non-login roles (group roles)
pg_roles_connection_limit == 0

# Compare active connections to limits (requires stat_activity collector)
pg_stat_activity_count{state="active"} / 
on(rolname) pg_roles_connection_limit > 0.8

# List all roles and their limits
group by (rolname) (pg_roles_connection_limit)

# Count roles by limit type
count by (connection_limit) (pg_roles_connection_limit)

-- Set connection limit for application user
ALTER ROLE app_user CONNECTION LIMIT 50;

-- Set connection limit for batch processing user
ALTER ROLE batch_user CONNECTION LIMIT 5;

-- Remove connection limit (unlimited)
ALTER ROLE admin CONNECTION LIMIT -1;

-- Prevent direct login (group role)
ALTER ROLE reporting_group CONNECTION LIMIT 0;

# Sum of all role limits (excluding -1/unlimited)
sum(pg_roles_connection_limit > 0)

# Compare to max_connections setting
pg_settings_max_connections

- alert: RoleNearConnectionLimit
  expr: |
    (pg_stat_activity_count / on(rolname) pg_roles_connection_limit) > 0.9
    and pg_roles_connection_limit > 0
  for: 5m
  annotations:
    summary: "Role {{ $labels.rolname }} near connection limit"
    description: "Role using {{ $value | humanizePercentage }} of allowed connections"

- alert: UnlimitedConnectionRole
  expr: |
    pg_roles_connection_limit{rolname!~"postgres|admin.*"} == -1
  annotations:
    summary: "Non-admin role has unlimited connections"
    description: "Role {{ $labels.rolname }} should have a connection limit"

-- Query to see role properties
SELECT 
  rolname,
  rolconnlimit,
  CASE 
    WHEN rolconnlimit = -1 THEN 'Unlimited'
    WHEN rolconnlimit = 0 THEN 'Cannot login'
    ELSE rolconnlimit::text || ' connections'
  END as limit_description,
  rolcanlogin as can_login,
  rolsuper as is_superuser
FROM pg_roles
ORDER BY rolname;

-- Database limit
ALTER DATABASE myapp CONNECTION LIMIT 100;

-- Role limit  
ALTER ROLE app_user CONNECTION LIMIT 50;

-- Check role's connection limit
SELECT rolname, rolconnlimit, rolcanlogin 
FROM pg_roles 
WHERE rolname = 'username';

-- Check current connections for the role
SELECT count(*) 
FROM pg_stat_activity 
WHERE usename = 'username';

-- Increase limit if needed
ALTER ROLE username CONNECTION LIMIT 100;

-- Application roles that should have limits
SELECT rolname, rolconnlimit
FROM pg_roles
WHERE rolconnlimit = -1  -- unlimited
  AND rolcanlogin = true  -- can login
  AND NOT rolsuper        -- not superuser
ORDER BY rolname;

-- See connection usage per role
SELECT 
  usename,
  count(*) as active_connections,
  r.rolconnlimit,
  CASE 
    WHEN r.rolconnlimit = -1 THEN 'unlimited'
    ELSE round(100.0 * count(*) / r.rolconnlimit, 1)::text || '%'
  END as usage_percent
FROM pg_stat_activity a
JOIN pg_roles r ON a.usename = r.rolname
WHERE r.rolconnlimit != 0
GROUP BY usename, r.rolconnlimit
ORDER BY count(*) DESC;

# Example: PgBouncer with 100 pooled connections
# Set role limit to 120 (100 pool + 20 buffer)
ALTER ROLE app_user CONNECTION LIMIT 120;

-- Create tenant role with limited connections
CREATE ROLE tenant_acme LOGIN CONNECTION LIMIT 20;

-- Monitor all tenant roles
SELECT 
  rolname, 
  rolconnlimit,
  count(a.pid) as current_connections
FROM pg_roles r
LEFT JOIN pg_stat_activity a ON r.rolname = a.usename
WHERE rolname LIKE 'tenant_%'
GROUP BY rolname, rolconnlimit
ORDER BY current_connections DESC;