add grants after creating extensions

This commit is contained in:
Felix Kunde 2021-06-22 18:11:18 +02:00
parent 54e506c00b
commit 71f1e97306
2 changed files with 30 additions and 3 deletions


@ -56,6 +56,13 @@ const (
ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT EXECUTE ON FUNCTIONS TO "%s","%s";
ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT USAGE ON TYPES TO "%s","%s";`
extensionPostCreateSQL = `
GRANT SELECT ON ALL TABLES IN SCHEMA "%s" TO "%s","%s";
GRANT SELECT ON ALL SEQUENCES IN SCHEMA "%s" TO "%s","%s";
GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA "%s" TO "%s","%s";
GRANT USAGE, UPDATE ON ALL SEQUENCES IN SCHEMA "%s" TO "%s","%s";
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA "%s" TO "%s","%s","%s";`
connectionPoolerLookup = `
CREATE SCHEMA IF NOT EXISTS {{.pooler_schema}};
@ -418,6 +425,19 @@ func (c *Cluster) execAlterGlobalDefaultPrivileges(owner, rolePrefix string) err
return nil
}
func (c *Cluster) execExtensionPostCreatePrivileges(schemaName, rolePrefix string) error {
if _, err := c.pgDb.Exec(fmt.Sprintf(extensionPostCreateSQL,
schemaName, rolePrefix+constants.OwnerRoleNameSuffix, rolePrefix+constants.ReaderRoleNameSuffix, // tables
schemaName, rolePrefix+constants.OwnerRoleNameSuffix, rolePrefix+constants.ReaderRoleNameSuffix, // sequences
schemaName, rolePrefix+constants.OwnerRoleNameSuffix, rolePrefix+constants.WriterRoleNameSuffix, // tables
schemaName, rolePrefix+constants.OwnerRoleNameSuffix, rolePrefix+constants.WriterRoleNameSuffix, // sequences
schemaName, rolePrefix+constants.OwnerRoleNameSuffix, rolePrefix+constants.ReaderRoleNameSuffix, rolePrefix+constants.WriterRoleNameSuffix)); err != nil { // functions
return fmt.Errorf("could not set privileges in schema %s: %v", schemaName, err)
}
return nil
}
func makeUserFlags(rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin bool) (result []string) {
if rolsuper {
result = append(result, constants.RoleFlagSuperuser)
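Review bot: execExtensionPostCreatePrivileges builds its GRANT statements by splicing schemaName and the derived role names into double-quoted identifiers with fmt.Sprintf and no identifier escaping, so a schema name or role prefix containing a `"` produces a malformed or differently-scoped statement; the existing default-privilege SQL above it in the const block has the same shape. The values come from the cluster manifest rather than from an end user, so the practical risk is a broken sync rather than an injection, but escaping each identifier once (pq.QuoteIdentifier if lib/pq is already imported here, otherwise doubling embedded `"` and dropping the literal quotes from the template) would make the GRANTs robust to any name the manifest admits. A doc comment would also help the next reader: `// execExtensionPostCreatePrivileges grants the <rolePrefix>_owner, _reader and _writer roles access to all tables, sequences and functions currently present in schemaName, i.e. the objects an extension has just created.`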


@ -386,7 +386,6 @@ func (c *Cluster) syncStatefulSet() error {
return fmt.Errorf("could not set cluster-wide PostgreSQL configuration options: %v", err)
}
if instancesRestartRequired {
c.logger.Debugln("restarting Postgres server within pods")
c.eventRecorder.Event(c.GetReference(), v1.EventTypeNormal, "Update", "restarting Postgres server within pods")
@ -769,7 +768,7 @@ func (c *Cluster) syncPreparedDatabases() error {
}
// install extensions
if err := c.syncExtensions(preparedDB.Extensions); err != nil {
if err := c.syncExtensions(preparedDbName, preparedDB.Extensions); err != nil {
return err
}
@ -813,7 +812,7 @@ func (c *Cluster) syncPreparedSchemas(databaseName string, preparedSchemas map[s
return nil
}
func (c *Cluster) syncExtensions(extensions map[string]string) error {
func (c *Cluster) syncExtensions(databaseName string, extensions map[string]string) error {
c.setProcessName("syncing database extensions")
createExtensions := make(map[string]string)
@ -837,6 +836,14 @@ func (c *Cluster) syncExtensions(extensions map[string]string) error {
if err = c.executeCreateExtension(extName, schema); err != nil {
return err
}
// grant privileges on objects created by the extension to default database roles
if err = c.execExtensionPostCreatePrivileges(schema, databaseName); err != nil {
return err
}
// try to grant to default schema roles, too, but defaultRoles could be false for schema
if err = c.execExtensionPostCreatePrivileges(schema, databaseName+"_"+schema); err != nil {
c.logger.Debugf("no privileges assigned to schema roles: %v", err)
}
}
for extName, schema := range alterExtensions {
if err = c.executeAlterExtension(extName, schema); err != nil {
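Review bot: The two execExtensionPostCreatePrivileges calls are made only inside the createExtensions loop; the alterExtensions loop that begins with `for extName, schema := range alterExtensions` (its body continues outside the hunk) does no granting, so objects added by an extension version update (ALTER EXTENSION ... UPDATE can install new tables and functions) stay ungranted until something else re-grants them. Unless executeAlterExtension already covers this, repeating the same two grant calls after a successful alter would close the gap. Separately, the second call with `databaseName+"_"+schema` downgrades every failure to Debugf, including ones unrelated to the schema roles being absent (connection loss, permission denied), so a real grant failure is hidden from operators; if the prepared-schema definition is reachable at this point, checking its defaultRoles setting before the call and returning genuine errors would be more precise than classifying them after the fact. A short doc comment on syncExtensions stating that databaseName doubles as the role prefix for the post-create grants would make the new parameter's purpose clear to callers.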