reflect feedback

Felix Kunde 2022-04-27 15:01:00 +02:00
parent 6e5210f404
commit 226d896abf
2 changed files with 5 additions and 9 deletions


@ -178,7 +178,7 @@ under the `users` key.
`standby`. `standby`.
* **additional_owner_roles** * **additional_owner_roles**
Specifies database roles that will granted to all database owners. Owners Specifies database roles that will be granted to all database owners. Owners
can then use `SET ROLE` to obtain privileges of these roles to e.g. can then use `SET ROLE` to obtain privileges of these roles to e.g.
create/update functionality from extensions as part of a migration script. create/update functionality from extensions as part of a migration script.
Note, that roles listed here should be preconfigured in the docker image Note, that roles listed here should be preconfigured in the docker image


@ -119,7 +119,7 @@ func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSy
if err := strategy.alterPgUser(request.User, db); err != nil { if err := strategy.alterPgUser(request.User, db); err != nil {
reqretries = append(reqretries, request) reqretries = append(reqretries, request)
errors = append(errors, fmt.Sprintf("could not alter user %q: %v", request.User.Name, err)) errors = append(errors, fmt.Sprintf("could not alter user %q: %v", request.User.Name, err))
// check if additional owners are misconfigured as members to a database owner // check if additional owners are misconfigured as members to a database owner (check #1862 for details)
// resolve it by revoking the database owner from the additional owner role // resolve it by revoking the database owner from the additional owner role
if request.User.IsDbOwner && len(strategy.AdditionalOwnerRoles) > 0 { if request.User.IsDbOwner && len(strategy.AdditionalOwnerRoles) > 0 {
if err := resolveOwnerMembership(request.User, strategy.AdditionalOwnerRoles, db); err != nil { if err := resolveOwnerMembership(request.User, strategy.AdditionalOwnerRoles, db); err != nil {
@ -160,13 +160,9 @@ func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSy
func resolveOwnerMembership(dbOwner spec.PgUser, additionalOwners []string, db *sql.DB) error { func resolveOwnerMembership(dbOwner spec.PgUser, additionalOwners []string, db *sql.DB) error {
errors := make([]string, 0) errors := make([]string, 0)
for _, groupRole := range dbOwner.MemberOf { for _, additionalOwner := range additionalOwners {
for _, additionalOwner := range additionalOwners { if err := revokeRole(dbOwner.Name, additionalOwner, db); err != nil {
if additionalOwner == groupRole { errors = append(errors, fmt.Sprintf("could not revoke %q from %q: %v", dbOwner.Name, additionalOwner, err))
if err := revokeRole(dbOwner.Name, additionalOwner, db); err != nil {
errors = append(errors, fmt.Sprintf("could not revoke %q from %q: %v", dbOwner.Name, additionalOwner, err))
}
}
} }
} }