From 2a355fc6bb937590382f66bb091ff5344fd9a68e Mon Sep 17 00:00:00 2001
From: "romg@pecan.ai"
Date: Sun, 8 Sep 2024 18:06:58 +0100
Subject: [PATCH] add by default public
---
 .github/workflows/docker.yml | 2 +-
 .../postgres/postgres_controller.go | 14 +++++------
 pkg/postgres/database.go | 24 ++++++++++++++-----
 pkg/postgres/mock/postgres.go | 2 +-
 pkg/postgres/postgres.go | 2 --
 5 files changed, 27 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 351e9689..6ef9580a 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -3,7 +3,7 @@ name: Publish Container Image
 on:
 push:
 branches:
- - 'main'
+ - '*'
 tags:
 - '*'
 workflow_dispatch:
diff --git a/pkg/controller/postgres/postgres_controller.go b/pkg/controller/postgres/postgres_controller.go
index d86ba542..bba25f37 100644
--- a/pkg/controller/postgres/postgres_controller.go
+++ b/pkg/controller/postgres/postgres_controller.go
@@ -206,7 +206,7 @@ func (r *ReconcilePostgres) Reconcile(request reconcile.Request) (_ reconcile.Re
 readerPrivs = "SELECT"
 writerPrivs = "SELECT,INSERT,DELETE,UPDATE"
 )
- for _, schema := range instance.Spec.Schemas {
+ for _, schema := range append(instance.Spec.Schemas, "public") {
 // Schema was previously created
 if utils.ListContains(instance.Status.Schemas, schema) {
 continue 
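Review bot: Widening `branches` from `'main'` to `'*'` makes every branch push publish a container image, so unreviewed work-in-progress commits reach the registry under whatever tag the workflow derives; the job and tag logic sit outside this hunk, so whether branch builds get a distinguishable tag cannot be confirmed here. If the goal is test images from branches, gate the push step on the branch or tag, or keep `'main'` plus `tags` as the publish trigger and use the existing `workflow_dispatch` for ad-hoc builds. Note also that in GitHub Actions branch filters `'*'` does not match `/`, so branches such as `feature/x` would still not trigger; `'**'` is the pattern that matches those.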
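Review bot: `append(instance.Spec.Schemas, "public")` can write "public" into the backing array of `instance.Spec.Schemas` when that slice has spare capacity, so the in-memory spec may silently carry the extra element into any later update of the resource; copy first, e.g. `schemas := append(append([]string(nil), instance.Spec.Schemas...), "public")` and range over `schemas`. If a user already lists `public` in `Spec.Schemas` the loop visits it twice; whether the `Status.Schemas` check skips the second visit depends on the loop body, which continues outside the hunk. A comment on the new line such as `// The public schema is always managed, even when not listed in the spec.` would record the intent the commit title states.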
@@ -220,26 +220,26 @@ func (r *ReconcilePostgres) Reconcile(request reconcile.Request) (_ reconcile.Re
 }
 // Set privileges on schema
- schemaPrivilegesReader := postgres.PostgresSchemaPrivileges{database, owner, reader, schema, readerPrivs, false}
+ schemaPrivilegesReader := postgres.PostgresSchemaPrivileges{database, reader, schema, readerPrivs, false}
 err = r.pg.SetSchemaPrivileges(schemaPrivilegesReader, reqLogger)
 if err != nil {
 reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", reader, readerPrivs))
 continue
 }
- reqLogger.Info("about to give writer %s permissions", writer)
- schemaPrivilegesWriter := postgres.PostgresSchemaPrivileges{database, owner, writer, schema, writerPrivs, true}
+ reqLogger.Info(fmt.Sprintf("about to give writer %s permissions", writer))
+ schemaPrivilegesWriter := postgres.PostgresSchemaPrivileges{database, writer, schema, writerPrivs, false}
 err = r.pg.SetSchemaPrivileges(schemaPrivilegesWriter, reqLogger)
 if err != nil {
 reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", writer, writerPrivs))
 continue
 }
- sequncesPrivilegesWriter := postgres.PostgresSequncesPrivileges{database, owner, writer, schema, writerPrivs}
+ sequncesPrivilegesWriter := postgres.PostgresSequncesPrivileges{database, writer, schema, "USAGE"}
 err = r.pg.SetSequncesPrivileges(sequncesPrivilegesWriter, reqLogger)
 if err != nil {
- reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions for sequnces \"%s\"", writer, writerPrivs))
+ reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions for sequnces \"%s\"", writer, "USAGE"))
 continue
 }
- schemaPrivilegesOwner := postgres.PostgresSchemaPrivileges{database, owner, owner, schema, readerPrivs, true}
+ schemaPrivilegesOwner := postgres.PostgresSchemaPrivileges{database, owner, schema, readerPrivs, true}
 err = r.pg.SetSchemaPrivileges(schemaPrivilegesOwner, reqLogger)
 if err != nil {
 reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", writer, 
writerPrivs))
diff --git a/pkg/postgres/database.go b/pkg/postgres/database.go
index 580707bd..b16f430a 100644
--- a/pkg/postgres/database.go
+++ b/pkg/postgres/database.go
@@ -17,8 +17,8 @@ const (
 GRANT_CREATE_TABLE = `GRANT CREATE ON SCHEMA "%s" TO "%s"`
 GRANT_ALL_TABLES = `GRANT %s ON ALL TABLES IN SCHEMA "%s" TO "%s"`
 GRANT_ALL_SEQUENCES = `GRANT %s ON ALL SEQUENCES IN SCHEMA "%s" TO "%s"`
- DEFAULT_PRIVS_SCHEMA = `ALTER DEFAULT PRIVILEGES FOR ROLE "%s" IN SCHEMA "%s" GRANT %s ON TABLES TO "%s"`
- DEFAULT_PRIVS_SEQUENCES = `ALTER DEFAULT PRIVILEGES FOR ROLE "%s" IN SCHEMA "%s" GRANT %s ON SEQUENCES TO "%s"`
+ DEFAULT_PRIVS_SCHEMA = `ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT %s ON TABLES TO "%s"`
+ DEFAULT_PRIVS_SEQUENCES = `ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT %s ON SEQUENCES TO "%s"`
 REVOKE_CONNECT = `REVOKE CONNECT ON DATABASE "%s" FROM public`
 TERMINATE_BACKEND = `SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity WHERE pg_stat_activity.datname = '%s' AND pid <> pg_backend_pid()`
 GET_DB_OWNER = `SELECT pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d WHERE d.datname = '%s'` 
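Review bot: The new sequence privilege literal `"USAGE"` is written twice on the `sequncesPrivilegesWriter` path, once in the struct literal and once in the error message; add `seqPrivs = "USAGE"` to the `const` block that declares `readerPrivs` and `writerPrivs` and use it in both places. The positional struct literals such as `postgres.PostgresSchemaPrivileges{database, reader, schema, readerPrivs, false}` silently changed meaning when `Creator` was removed and will again on the next field change; keyed literals, `postgres.PostgresSchemaPrivileges{DB: database, Role: reader, Schema: schema, Privs: readerPrivs, CreateSchema: false}`, make each grant self-describing. The error after the `schemaPrivilegesOwner` call still reports `writer` and `writerPrivs` although that call grants `readerPrivs` to `owner`; it is pre-existing context, but worth correcting while the surrounding lines are being touched. The enclosing `Reconcile` body starts and ends outside the hunk.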
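Review bot: Dropping `FOR ROLE "%s"` from `DEFAULT_PRIVS_SCHEMA` and `DEFAULT_PRIVS_SEQUENCES` changes which objects the default privileges apply to: without `FOR ROLE`, PostgreSQL applies `ALTER DEFAULT PRIVILEGES` to objects created by the role executing the statement, i.e. the connection the controller opens, not to tables and sequences later created by the application's owner role, so those future objects will not receive the reader and writer grants. Unless the controller connects as the same role that creates the objects, keep the `FOR ROLE "%s"` form and pass the creating role, which is what the `Creator` field removed from `PostgresSchemaPrivileges` and `PostgresSequncesPrivileges` in pkg/postgres/postgres.go carried. The same point applies to the `Exec` calls in both hunks of pkg/postgres/database.go, which build their statements from these constants.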
@@ -109,16 +109,22 @@ func (c *pg) SetSchemaPrivileges(schemaPrivileges PostgresSchemaPrivileges, logg
 if err != nil {
 return err
 }
- logger.Info("about to give permissions of %s to %s", schemaPrivileges.Privs, schemaPrivileges.Role)
+ logger.Info(fmt.Sprintf("about to give permissions of %s to %s", schemaPrivileges.Privs, schemaPrivileges.Role))
+ logger.Info("about to run:")
+ logger.Info(fmt.Sprintf(GRANT_ALL_TABLES, schemaPrivileges.Privs, schemaPrivileges.Schema, schemaPrivileges.Role))
 // Grant role privs on existing tables in schema
 _, err = tmpDb.Exec(fmt.Sprintf(GRANT_ALL_TABLES, schemaPrivileges.Privs, schemaPrivileges.Schema, schemaPrivileges.Role))
 if err != nil {
+ logger.Error(err, "failed in GRANT_ALL_TABLES")
 return err
 }
- logger.Info("about to give default permissions of %s to %s", schemaPrivileges.Privs, schemaPrivileges.Role)
+ logger.Info(fmt.Sprintf("about to give default permissions of %s to %s", schemaPrivileges.Privs, schemaPrivileges.Role))
 // Grant role privs on future tables in schema
- _, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SCHEMA, schemaPrivileges.Creator, schemaPrivileges.Schema, schemaPrivileges.Privs, schemaPrivileges.Role))
+ logger.Info("about to run:")
+ logger.Info(fmt.Sprintf(DEFAULT_PRIVS_SCHEMA, schemaPrivileges.Schema, schemaPrivileges.Privs, schemaPrivileges.Role))
+ _, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SCHEMA, schemaPrivileges.Schema, schemaPrivileges.Privs, schemaPrivileges.Role))
 if err != nil {
+ logger.Error(err, "failed in DEFAULT_PRIVS_SCHEMA")
 return err
 } 
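Review bot: Each statement is now formatted twice, once for the `"about to run:"` pair of `Info` calls and once for `Exec`, and the `logger.Error(err, "failed in ...")` lines log an error that is then returned and logged again by the controller, so every failure appears twice at two layers. Format once and log it as a structured field in a single call: `stmt := fmt.Sprintf(GRANT_ALL_TABLES, schemaPrivileges.Privs, schemaPrivileges.Schema, schemaPrivileges.Role)`, `logger.Info("granting privileges on existing tables", "sql", stmt)`, `_, err = tmpDb.Exec(stmt)`, and drop the `Error` calls, returning the error with context instead (e.g. `fmt.Errorf("granting %s on existing tables in schema %q: %w", ...)` if the module's Go version supports `%w`, which cannot be confirmed from the hunk). The same two patterns appear in the `SetSequncesPrivileges` hunk that follows. Both functions start before their hunks.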
@@ -140,15 +146,21 @@ func (c *pg) SetSequncesPrivileges(SequncesPrivileges PostgresSequncesPrivileges
 }
 defer tmpDb.Close()
+ logger.Info("about to run:")
+ logger.Info(fmt.Sprintf(GRANT_ALL_SEQUENCES, SequncesPrivileges.Privs, SequncesPrivileges.Schema, SequncesPrivileges.Role))
 // Grant role privs on existing sequences in schema
 _, err = tmpDb.Exec(fmt.Sprintf(GRANT_ALL_SEQUENCES, SequncesPrivileges.Privs, SequncesPrivileges.Schema, SequncesPrivileges.Role))
 if err != nil {
+ logger.Error(err, "failed in GRANT_ALL_SEQUENCES")
 return err
 }
+ logger.Info("about to run:")
+ logger.Info(fmt.Sprintf(DEFAULT_PRIVS_SEQUENCES, SequncesPrivileges.Schema, SequncesPrivileges.Privs, SequncesPrivileges.Role))
 // Grant role privs on future sequences in schema
- _, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SCHEMA, SequncesPrivileges.Creator, SequncesPrivileges.Schema, SequncesPrivileges.Privs, SequncesPrivileges.Role))
+ _, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SEQUENCES, SequncesPrivileges.Schema, SequncesPrivileges.Privs, SequncesPrivileges.Role))
 if err != nil {
+ logger.Error(err, "failed in DEFAULT_PRIVS_SEQUENCES")
 return err
 }
diff --git a/pkg/postgres/mock/postgres.go b/pkg/postgres/mock/postgres.go
index 7d2746d4..fcaff597 100644
--- a/pkg/postgres/mock/postgres.go
+++ b/pkg/postgres/mock/postgres.go
@@ -137,7 +137,7 @@ func (mr *MockPGMockRecorder) GrantRole(role, grantee interface{}) *gomock.Call
 // SetSchemaPrivileges mocks base method
 func (m *MockPG) SetSchemaPrivileges(privileges postgres.PostgresSchemaPrivileges, logger logr.Logger) error {
 m.ctrl.T.Helper()
- ret := m.ctrl.Call(m, "SetSchemaPrivileges", privileges.DB, privileges.Creator, privileges.Role, privileges.Schema, privileges.Privs, privileges.CreateSchema, logger)
+ ret := m.ctrl.Call(m, "SetSchemaPrivileges", privileges.DB, privileges.Role, privileges.Schema, privileges.Privs, privileges.CreateSchema, logger)
 ret0, _ := ret[0].(error)
 return ret0
 } 
diff --git a/pkg/postgres/postgres.go b/pkg/postgres/postgres.go
index f3166078..6e6e44fe 100644
--- a/pkg/postgres/postgres.go
+++ b/pkg/postgres/postgres.go
@@ -38,7 +38,6 @@ type pg struct {
 type PostgresSchemaPrivileges struct {
 DB string
- Creator string
 Role string
 Schema string
 Privs string
@@ -47,7 +46,6 @@ type PostgresSchemaPrivileges struct {
 type PostgresSequncesPrivileges struct {
 DB string
- Creator string
 Role string
 Schema string
 Privs string