diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 351e9689..6ef9580a 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -3,7 +3,7 @@ name: Publish Container Image
 on:
 push:
 branches:
- - 'main'
+ - '*'
 tags:
 - '*'
 workflow_dispatch:
diff --git a/pkg/controller/postgres/postgres_controller.go b/pkg/controller/postgres/postgres_controller.go
index e979f512..42e8a0a5 100644
--- a/pkg/controller/postgres/postgres_controller.go
+++ b/pkg/controller/postgres/postgres_controller.go
@@ -206,7 +206,7 @@ func (r *ReconcilePostgres) Reconcile(request reconcile.Request) (_ reconcile.Re
 readerPrivs = "SELECT"
 writerPrivs = "SELECT,INSERT,DELETE,UPDATE"
 )
- for _, schema := range instance.Spec.Schemas {
+ for _, schema := range append(instance.Spec.Schemas, "public") {
 // Schema was previously created
 if utils.ListContains(instance.Status.Schemas, schema) {
 continue
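Review bot: Changing `branches` from `main` to `'*'` makes every branch push publish a container image, so any branch that anyone with push access creates now produces a published artifact; if the tagging step (outside this hunk) derives a `latest` or default tag from the ref, a scratch branch could overwrite the image consumers pull. Note also that in GitHub Actions filter syntax a single `*` does not match `/`, so a push to `wip` triggers a publish but a push to `feature/x` does not, which is unlikely to be the intent either way. If every branch should build, use `'**'` and gate the registry push step on trusted refs, e.g. `if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')`; if only releases should publish, keep `- 'main'` and add an explicit pattern such as `- 'release/**'`.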
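Review bot: `append(instance.Spec.Schemas, "public")` on the new range line can write `"public"` into the backing array of `instance.Spec.Schemas` whenever that slice has spare capacity, and that slice is the decoded CR spec; should the reconciler later send `instance` back with an Update (not visible in this hunk), the injected entry would be persisted into the user's spec. Copy first, e.g. `schemas := append(append([]string(nil), instance.Spec.Schemas...), "public")`, and range over `schemas`. A spec that already lists `public` is also processed twice in the same pass, because the `Status.Schemas` check only skips schemas recorded by an earlier reconcile; skip the append when `utils.ListContains(instance.Spec.Schemas, "public")` already holds. The enclosing Reconcile method starts and ends outside this hunk.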
@@ -220,25 +220,30 @@ func (r *ReconcilePostgres) Reconcile(request reconcile.Request) (_ reconcile.Re } // Set privileges on schema - schemaPrivilegesReader := postgres.PostgresSchemaPrivileges{database, owner, reader, schema, readerPrivs, false} + schemaPrivilegesReader := postgres.PostgresSchemaPrivileges{database, reader, schema, readerPrivs, false} err = r.pg.SetSchemaPrivileges(schemaPrivilegesReader, reqLogger) if err != nil { reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", reader, readerPrivs)) continue } - schemaPrivilegesWriter := postgres.PostgresSchemaPrivileges{database, owner, writer, schema, writerPrivs, true} + schemaPrivilegesWriter := postgres.PostgresSchemaPrivileges{database, writer, schema, writerPrivs, false} err = r.pg.SetSchemaPrivileges(schemaPrivilegesWriter, reqLogger) if err != nil { reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", writer, writerPrivs)) continue } - sequncesPrivilegesWriter := postgres.PostgresSequncesPrivileges{database, owner, writer, schema, writerPrivs} + sequncesPrivilegesWriter := postgres.PostgresSequncesPrivileges{database, writer, schema, "USAGE"} err = r.pg.SetSequncesPrivileges(sequncesPrivilegesWriter, reqLogger) if err != nil { - reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions for sequnces \"%s\"", writer, writerPrivs)) + reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions for sequnces \"%s\"", writer, "USAGE")) continue } - schemaPrivilegesOwner := postgres.PostgresSchemaPrivileges{database, owner, owner, schema, readerPrivs, true} + ownerCreateSchema := true + if schema == "public" { + reqLogger.Info("schema is public, skipping creating") + ownerCreateSchema = false + } + schemaPrivilegesOwner := postgres.PostgresSchemaPrivileges{database, owner, schema, readerPrivs, ownerCreateSchema} err = r.pg.SetSchemaPrivileges(schemaPrivilegesOwner, reqLogger) if err != nil { reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions 
\"%s\"", writer, writerPrivs)) diff --git a/pkg/postgres/database.go b/pkg/postgres/database.go index 71bf47b8..b22c7f74 100644 --- a/pkg/postgres/database.go +++ b/pkg/postgres/database.go 
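Review bot: With `public` now in the loop, the reader role receives only `SELECT`, but on PostgreSQL 14 and earlier the `public` schema carries a default `CREATE` grant to PUBLIC, so every role that can connect can still create tables and functions there (the search_path hijack of CVE-2018-1058); if the operator takes over grants on `public` it should also issue `REVOKE CREATE ON SCHEMA public FROM PUBLIC`, assuming the role it connects as is allowed to. The owner path pulls the other way: `ownerCreateSchema = false` for `public` means the owner gets `readerPrivs` only, so on PostgreSQL 15+ where that default grant is gone the owner cannot create tables in `public` at all — both paths need a deliberate choice rather than reliance on the server default, and the `Info` text "skipping creating" is misleading since nothing is skipped, only `CREATE` is withheld. Separately, the four `postgres.PostgresSchemaPrivileges{...}` / `postgres.PostgresSequncesPrivileges{...}` literals are unkeyed (`go vet`'s composites check flags this for imported struct types), which is exactly why dropping `Creator` forced every literal here to be rewritten; `postgres.PostgresSchemaPrivileges{DB: database, Role: reader, Schema: schema, Privs: readerPrivs, CreateSchema: false}` survives field changes. The enclosing Reconcile method starts and ends outside this hunk.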
@@ -8,21 +8,21 @@ import ( ) const ( - CREATE_DB = `CREATE DATABASE "%s"` - CREATE_SCHEMA = `CREATE SCHEMA IF NOT EXISTS "%s" AUTHORIZATION "%s"` - CREATE_EXTENSION = `CREATE EXTENSION IF NOT EXISTS "%s"` - ALTER_DB_OWNER = `ALTER DATABASE "%s" OWNER TO "%s"` - DROP_DATABASE = `DROP DATABASE "%s"` - GRANT_USAGE_SCHEMA = `GRANT USAGE ON SCHEMA "%s" TO "%s"` - GRANT_CREATE_TABLE = `GRANT CREATE ON SCHEMA "%s" TO "%s"` - GRANT_ALL_TABLES = `GRANT %s ON ALL TABLES IN SCHEMA "%s" TO "%s"` + CREATE_DB = `CREATE DATABASE "%s"` + CREATE_SCHEMA = `CREATE SCHEMA IF NOT EXISTS "%s" AUTHORIZATION "%s"` + CREATE_EXTENSION = `CREATE EXTENSION IF NOT EXISTS "%s"` + ALTER_DB_OWNER = `ALTER DATABASE "%s" OWNER TO "%s"` + DROP_DATABASE = `DROP DATABASE "%s"` + GRANT_USAGE_SCHEMA = `GRANT USAGE ON SCHEMA "%s" TO "%s"` + GRANT_CREATE_TABLE = `GRANT CREATE ON SCHEMA "%s" TO "%s"` + GRANT_ALL_TABLES = `GRANT %s ON ALL TABLES IN SCHEMA "%s" TO "%s"` GRANT_ALL_SEQUENCES = `GRANT %s ON ALL SEQUENCES IN SCHEMA "%s" TO "%s"` - DEFAULT_PRIVS_SCHEMA = `ALTER DEFAULT PRIVILEGES FOR ROLE "%s" IN SCHEMA "%s" GRANT %s ON TABLES TO "%s"` - DEFAULT_PRIVS_SEQUENCES = `ALTER DEFAULT PRIVILEGES FOR ROLE "%s" IN SCHEMA "%s" GRANT %s ON SEQUENCES TO "%s"` - REVOKE_CONNECT = `REVOKE CONNECT ON DATABASE "%s" FROM public` - TERMINATE_BACKEND = `SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity WHERE pg_stat_activity.datname = '%s' AND pid <> pg_backend_pid()` - GET_DB_OWNER = `SELECT pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d WHERE d.datname = '%s'` - GRANT_CREATE_SCHEMA = `GRANT CREATE ON DATABASE "%s" TO "%s"` + DEFAULT_PRIVS_SCHEMA = `ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT %s ON TABLES TO "%s"` + DEFAULT_PRIVS_SEQUENCES = `ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT %s ON SEQUENCES TO "%s"` + REVOKE_CONNECT = `REVOKE CONNECT ON DATABASE "%s" FROM public` + TERMINATE_BACKEND = `SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity 
WHERE pg_stat_activity.datname = '%s' AND pid <> pg_backend_pid()` + GET_DB_OWNER = `SELECT pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d WHERE d.datname = '%s'` + GRANT_CREATE_SCHEMA = `GRANT CREATE ON DATABASE "%s" TO "%s"` ) func (c *pg) CreateDB(dbname, role string) error { @@ -117,7 +117,7 @@ func (c *pg) SetSchemaPrivileges(schemaPrivileges PostgresSchemaPrivileges, logg } // Grant role privs on future tables in schema - _, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SCHEMA, schemaPrivileges.Creator, schemaPrivileges.Schema, schemaPrivileges.Privs, schemaPrivileges.Role)) + _, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SCHEMA, schemaPrivileges.Schema, schemaPrivileges.Privs, schemaPrivileges.Role)) if err != nil { return err } @@ -148,7 +148,7 @@ func (c *pg) SetSequncesPrivileges(SequncesPrivileges PostgresSequncesPrivileges } // Grant role privs on future sequences in schema - _, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SCHEMA, SequncesPrivileges.Creator, SequncesPrivileges.Schema, SequncesPrivileges.Privs, SequncesPrivileges.Role)) + _, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SEQUENCES, SequncesPrivileges.Schema, SequncesPrivileges.Privs, SequncesPrivileges.Role)) if err != nil { return err } diff --git a/pkg/postgres/mock/postgres.go b/pkg/postgres/mock/postgres.go index 7d2746d4..fcaff597 100644 --- a/pkg/postgres/mock/postgres.go +++ b/pkg/postgres/mock/postgres.go 
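Review bot: Removing `FOR ROLE "%s"` from `DEFAULT_PRIVS_SCHEMA` and `DEFAULT_PRIVS_SEQUENCES` changes their meaning: `ALTER DEFAULT PRIVILEGES` without `FOR ROLE` applies only to objects later created by the current role, i.e. whatever role the operator's connection runs as, not the database owner role the application creates tables with, so tables the owner creates will not receive the reader/writer grants and those roles silently lose access to future objects. If the goal was to drop the `Creator` field, the owner is obtainable from the `GET_DB_OWNER` query already in this block and can be supplied as the `FOR ROLE` argument, or the operator can `SET ROLE` to the owner before running the statement. Separately, every statement here interpolates identifiers taken from the CR spec with `%s` inside double quotes and never escapes an embedded `"`, so a schema or role name containing a quote breaks out of the identifier; quote through the driver's identifier helper (e.g. `pq.QuoteIdentifier` if lib/pq is the driver) instead of `fmt.Sprintf`. `CreateDB` begins on the last line of this hunk and continues outside it.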
@@ -137,7 +137,7 @@ func (mr *MockPGMockRecorder) GrantRole(role, grantee interface{}) *gomock.Call // SetSchemaPrivileges mocks base method func (m *MockPG) SetSchemaPrivileges(privileges postgres.PostgresSchemaPrivileges, logger logr.Logger) error { m.ctrl.T.Helper() - ret := m.ctrl.Call(m, "SetSchemaPrivileges", privileges.DB, privileges.Creator, privileges.Role, privileges.Schema, privileges.Privs, privileges.CreateSchema, logger) + ret := m.ctrl.Call(m, "SetSchemaPrivileges", privileges.DB, privileges.Role, privileges.Schema, privileges.Privs, privileges.CreateSchema, logger) ret0, _ := ret[0].(error) return ret0 } diff --git a/pkg/postgres/postgres.go b/pkg/postgres/postgres.go index f3166078..6e6e44fe 100644 --- a/pkg/postgres/postgres.go +++ b/pkg/postgres/postgres.go @@ -38,7 +38,6 @@ type pg struct { type PostgresSchemaPrivileges struct { DB string - Creator string Role string Schema string Privs string @@ -47,7 +46,6 @@ type PostgresSchemaPrivileges struct { type PostgresSequncesPrivileges struct { DB string - Creator string Role string Schema string Privs string