add grants after creating extensions

pkg/cluster/database.go

@@ -56,6 +56,13 @@ const (
 			ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT EXECUTE ON FUNCTIONS TO "%s","%s";
 			ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT USAGE ON TYPES TO "%s","%s";`
 
+	extensionPostCreateSQL = `
+			GRANT SELECT ON ALL TABLES IN SCHEMA "%s" TO "%s","%s";
+			GRANT SELECT ON ALL SEQUENCES IN SCHEMA "%s" TO "%s","%s";
+			GRANT INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA "%s" TO "%s","%s";
+			GRANT USAGE, UPDATE ON ALL SEQUENCES IN SCHEMA "%s" TO "%s","%s";
+			GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA "%s" TO "%s","%s","%s";`
+
 	connectionPoolerLookup = `
 		CREATE SCHEMA IF NOT EXISTS {{.pooler_schema}};
 
@@ -418,6 +425,19 @@ func (c *Cluster) execAlterGlobalDefaultPrivileges(owner, rolePrefix string) err
 	return nil
 }
 
+func (c *Cluster) execExtensionPostCreatePrivileges(schemaName, rolePrefix string) error {
+	if _, err := c.pgDb.Exec(fmt.Sprintf(extensionPostCreateSQL,
+		schemaName, rolePrefix+constants.OwnerRoleNameSuffix, rolePrefix+constants.ReaderRoleNameSuffix, // tables
+		schemaName, rolePrefix+constants.OwnerRoleNameSuffix, rolePrefix+constants.ReaderRoleNameSuffix, // sequences
+		schemaName, rolePrefix+constants.OwnerRoleNameSuffix, rolePrefix+constants.WriterRoleNameSuffix, // tables
+		schemaName, rolePrefix+constants.OwnerRoleNameSuffix, rolePrefix+constants.WriterRoleNameSuffix, // sequences
+		schemaName, rolePrefix+constants.OwnerRoleNameSuffix, rolePrefix+constants.ReaderRoleNameSuffix, rolePrefix+constants.WriterRoleNameSuffix)); err != nil { // functions
+		return fmt.Errorf("could not set privileges in schema %s: %v", schemaName, err)
+	}
+
+	return nil
+}
+
 func makeUserFlags(rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin bool) (result []string) {
 	if rolsuper {
 		result = append(result, constants.RoleFlagSuperuser)

pkg/cluster/sync.go

@@ -386,7 +386,6 @@ func (c *Cluster) syncStatefulSet() error {
 		return fmt.Errorf("could not set cluster-wide PostgreSQL configuration options: %v", err)
 	}
 
-
 	if instancesRestartRequired {
 		c.logger.Debugln("restarting Postgres server within pods")
 		c.eventRecorder.Event(c.GetReference(), v1.EventTypeNormal, "Update", "restarting Postgres server within pods")
@@ -769,7 +768,7 @@ func (c *Cluster) syncPreparedDatabases() error {
 		}
 
 		// install extensions
-		if err := c.syncExtensions(preparedDB.Extensions); err != nil {
+		if err := c.syncExtensions(preparedDbName, preparedDB.Extensions); err != nil {
 			return err
 		}
 
@@ -813,7 +812,7 @@ func (c *Cluster) syncPreparedSchemas(databaseName string, preparedSchemas map[s
 	return nil
 }
 
-func (c *Cluster) syncExtensions(extensions map[string]string) error {
+func (c *Cluster) syncExtensions(databaseName string, extensions map[string]string) error {
 	c.setProcessName("syncing database extensions")
 
 	createExtensions := make(map[string]string)
@@ -837,6 +836,14 @@ func (c *Cluster) syncExtensions(extensions map[string]string) error {
 		if err = c.executeCreateExtension(extName, schema); err != nil {
 			return err
 		}
+		// grant privileges on objects created by the extension to default database roles
+		if err = c.execExtensionPostCreatePrivileges(schema, databaseName); err != nil {
+			return err
+		}
+		// try to grant to default schema roles, too, but defaultRoles could be false for schema
+		if err = c.execExtensionPostCreatePrivileges(schema, databaseName+"_"+schema); err != nil {
+			c.logger.Debugf("no privileges assigned to schema roles: %v", err)
+		}
 	}
 	for extName, schema := range alterExtensions {
 		if err = c.executeAlterExtension(extName, schema); err != nil {