add sequence permissions

romga · Sep 9, 2024 · 7669fec · 7669fec
1 parent 8f3ae99
commit 7669fec
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 26 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -3,7 +3,7 @@ name: Publish Container Image
 on:
   push:
     branches:
-      - 'main'
+      - '*'
     tags:
       - '*'
   workflow_dispatch:

diff --git a/pkg/controller/postgres/postgres_controller.go b/pkg/controller/postgres/postgres_controller.go
@@ -206,7 +206,7 @@ func (r *ReconcilePostgres) Reconcile(request reconcile.Request) (_ reconcile.Re
 		readerPrivs = "SELECT"
 		writerPrivs = "SELECT,INSERT,DELETE,UPDATE"
 	)
-	for _, schema := range instance.Spec.Schemas {
+	for _, schema := range append(instance.Spec.Schemas, "public") {
 		// Schema was previously created
 		if utils.ListContains(instance.Status.Schemas, schema) {
 			continue
@@ -220,25 +220,29 @@ func (r *ReconcilePostgres) Reconcile(request reconcile.Request) (_ reconcile.Re
 		}
 
 		// Set privileges on schema
-		schemaPrivilegesReader := postgres.PostgresSchemaPrivileges{database, owner, reader, schema, readerPrivs, false}
+		schemaPrivilegesReader := postgres.PostgresSchemaPrivileges{database, reader, schema, readerPrivs, false}
 		err = r.pg.SetSchemaPrivileges(schemaPrivilegesReader, reqLogger)
 		if err != nil {
 			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", reader, readerPrivs))
 			continue
 		}
-		schemaPrivilegesWriter := postgres.PostgresSchemaPrivileges{database, owner, writer, schema, writerPrivs, true}
+		schemaPrivilegesWriter := postgres.PostgresSchemaPrivileges{database, writer, schema, writerPrivs, false}
 		err = r.pg.SetSchemaPrivileges(schemaPrivilegesWriter, reqLogger)
 		if err != nil {
 			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", writer, writerPrivs))
 			continue
 		}
-		sequncesPrivilegesWriter := postgres.PostgresSequncesPrivileges{database, owner, writer, schema, writerPrivs}
+		sequncesPrivilegesWriter := postgres.PostgresSequncesPrivileges{database, writer, schema, "USAGE"}
 		err = r.pg.SetSequncesPrivileges(sequncesPrivilegesWriter, reqLogger)
 		if err != nil {
-			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions for sequnces \"%s\"", writer, writerPrivs))
+			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions for sequnces \"%s\"", writer, "USAGE"))
 			continue
 		}
-		schemaPrivilegesOwner := postgres.PostgresSchemaPrivileges{database, owner, owner, schema, readerPrivs, true}
+		ownerCreateSchema := true
+		if schema == "public" {
+			ownerCreateSchema = false
+		}
+		schemaPrivilegesOwner := postgres.PostgresSchemaPrivileges{database, owner, schema, readerPrivs, ownerCreateSchema}
 		err = r.pg.SetSchemaPrivileges(schemaPrivilegesOwner, reqLogger)
 		if err != nil {
 			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", writer, writerPrivs))

diff --git a/pkg/postgres/database.go b/pkg/postgres/database.go
@@ -8,21 +8,21 @@ import (
 )
 
 const (
-	CREATE_DB            = `CREATE DATABASE "%s"`
-	CREATE_SCHEMA        = `CREATE SCHEMA IF NOT EXISTS "%s" AUTHORIZATION "%s"`
-	CREATE_EXTENSION     = `CREATE EXTENSION IF NOT EXISTS "%s"`
-	ALTER_DB_OWNER       = `ALTER DATABASE "%s" OWNER TO "%s"`
-	DROP_DATABASE        = `DROP DATABASE "%s"`
-	GRANT_USAGE_SCHEMA   = `GRANT USAGE ON SCHEMA "%s" TO "%s"`
-	GRANT_CREATE_TABLE   = `GRANT CREATE ON SCHEMA "%s" TO "%s"`
-	GRANT_ALL_TABLES     = `GRANT %s ON ALL TABLES IN SCHEMA "%s" TO "%s"`
+	CREATE_DB               = `CREATE DATABASE "%s"`
+	CREATE_SCHEMA           = `CREATE SCHEMA IF NOT EXISTS "%s" AUTHORIZATION "%s"`
+	CREATE_EXTENSION        = `CREATE EXTENSION IF NOT EXISTS "%s"`
+	ALTER_DB_OWNER          = `ALTER DATABASE "%s" OWNER TO "%s"`
+	DROP_DATABASE           = `DROP DATABASE "%s"`
+	GRANT_USAGE_SCHEMA      = `GRANT USAGE ON SCHEMA "%s" TO "%s"`
+	GRANT_CREATE_TABLE      = `GRANT CREATE ON SCHEMA "%s" TO "%s"`
+	GRANT_ALL_TABLES        = `GRANT %s ON ALL TABLES IN SCHEMA "%s" TO "%s"`
 	GRANT_ALL_SEQUENCES     = `GRANT %s ON ALL SEQUENCES IN SCHEMA "%s" TO "%s"`
-	DEFAULT_PRIVS_SCHEMA = `ALTER DEFAULT PRIVILEGES FOR ROLE "%s" IN SCHEMA "%s" GRANT %s ON TABLES TO "%s"`
-	DEFAULT_PRIVS_SEQUENCES = `ALTER DEFAULT PRIVILEGES FOR ROLE "%s" IN SCHEMA "%s" GRANT %s ON SEQUENCES TO "%s"`
-	REVOKE_CONNECT       = `REVOKE CONNECT ON DATABASE "%s" FROM public`
-	TERMINATE_BACKEND    = `SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity	WHERE pg_stat_activity.datname = '%s' AND pid <> pg_backend_pid()`
-	GET_DB_OWNER         = `SELECT pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d WHERE d.datname = '%s'`
-	GRANT_CREATE_SCHEMA  = `GRANT CREATE ON DATABASE "%s" TO "%s"`
+	DEFAULT_PRIVS_SCHEMA    = `ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT %s ON TABLES TO "%s"`
+	DEFAULT_PRIVS_SEQUENCES = `ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT %s ON SEQUENCES TO "%s"`
+	REVOKE_CONNECT          = `REVOKE CONNECT ON DATABASE "%s" FROM public`
+	TERMINATE_BACKEND       = `SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity	WHERE pg_stat_activity.datname = '%s' AND pid <> pg_backend_pid()`
+	GET_DB_OWNER            = `SELECT pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d WHERE d.datname = '%s'`
+	GRANT_CREATE_SCHEMA     = `GRANT CREATE ON DATABASE "%s" TO "%s"`
 )
 
 func (c *pg) CreateDB(dbname, role string) error {
@@ -117,7 +117,7 @@ func (c *pg) SetSchemaPrivileges(schemaPrivileges PostgresSchemaPrivileges, logg
 	}
 
 	// Grant role privs on future tables in schema
-	_, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SCHEMA, schemaPrivileges.Creator, schemaPrivileges.Schema, schemaPrivileges.Privs, schemaPrivileges.Role))
+	_, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SCHEMA, schemaPrivileges.Schema, schemaPrivileges.Privs, schemaPrivileges.Role))
 	if err != nil {
 		return err
 	}
@@ -148,7 +148,7 @@ func (c *pg) SetSequncesPrivileges(SequncesPrivileges PostgresSequncesPrivileges
 	}
 
 	// Grant role privs on future sequences in schema
-	_, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SCHEMA, SequncesPrivileges.Creator, SequncesPrivileges.Schema, SequncesPrivileges.Privs, SequncesPrivileges.Role))
+	_, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SEQUENCES, SequncesPrivileges.Schema, SequncesPrivileges.Privs, SequncesPrivileges.Role))
 	if err != nil {
 		return err
 	}

diff --git a/pkg/postgres/mock/postgres.go b/pkg/postgres/mock/postgres.go
diff --git a/pkg/postgres/postgres.go b/pkg/postgres/postgres.go
@@ -38,7 +38,6 @@ type pg struct {
 
 type PostgresSchemaPrivileges struct {
 	DB           string
-	Creator      string
 	Role         string
 	Schema       string
 	Privs        string
@@ -47,7 +46,6 @@ type PostgresSchemaPrivileges struct {
 
 type PostgresSequncesPrivileges struct {
 	DB           string
-	Creator      string
 	Role         string
 	Schema       string
 	Privs        string
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,7 +3,7 @@ name: Publish Container Image @@
     on:
       push:
         branches:
-          - 'main'
+          - '*'
         tags:
           - '*'
       workflow_dispatch:
@@ Expand Down @@