From a315c90e7156c19bf75bc50f7787c4b250eafa13 Mon Sep 17 00:00:00 2001
From: Felix Kunde <felix.kunde@zalando.de>
Date: Thu, 16 Jul 2020 17:15:06 +0200
Subject: [PATCH] set search_path for default roles

---
 manifests/postgres-operator.yaml |  2 +-
 pkg/cluster/cluster.go           | 41 ++++++++++++++++++++------------
 pkg/util/constants/roles.go      | 31 ++++++++++++------------
 pkg/util/users/users.go          | 16 +++++++++----
 4 files changed, 54 insertions(+), 36 deletions(-)

diff --git a/manifests/postgres-operator.yaml b/manifests/postgres-operator.yaml
index e7a604a2d..9be1e23c3 100644
--- a/manifests/postgres-operator.yaml
+++ b/manifests/postgres-operator.yaml
@@ -15,7 +15,7 @@ spec:
       serviceAccountName: postgres-operator
       containers:
       - name: postgres-operator
-        image: registry.opensource.zalan.do/acid/postgres-operator:v1.5.0
+        image: registry.opensource.zalan.do/acid/postgres-operator:v1.5.0-19-g37596342-dirty
         imagePullPolicy: IfNotPresent
         resources:
           requests:
diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index ef728a728..c095b0fec 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -955,32 +955,42 @@ func (c *Cluster) initPreparedDatabaseRoles() error {
 	}
 
 	for preparedDbName, preparedDB := range c.Spec.PreparedDatabases {
+		// get list of prepared schemas to set in search_path
+		preparedSchemas := preparedDB.PreparedSchemas
+		if len(preparedDB.PreparedSchemas) == 0 {
+			preparedSchemas = map[string]acidv1.PreparedSchema{"data": {DefaultRoles: util.True()}}
+		}
+
+		var searchPath strings.Builder
+		searchPath.WriteString(constants.DefaultSearchPath)
+		for preparedSchemaName := range preparedSchemas {
+			searchPath.WriteString(", " + preparedSchemaName)
+		}
+
 		// default roles per database
-		if err := c.initDefaultRoles(defaultRoles, "admin", preparedDbName); err != nil {
+		if err := c.initDefaultRoles(defaultRoles, "admin", preparedDbName, searchPath.String()); err != nil {
 			return fmt.Errorf("could not initialize default roles for database %s: %v", preparedDbName, err)
 		}
 		if preparedDB.DefaultUsers {
-			if err := c.initDefaultRoles(defaultUsers, "admin", preparedDbName); err != nil {
+			if err := c.initDefaultRoles(defaultUsers, "admin", preparedDbName, searchPath.String()); err != nil {
 				return fmt.Errorf("could not initialize default roles for database %s: %v", preparedDbName, err)
 			}
 		}
 
 		// default roles per database schema
-		preparedSchemas := preparedDB.PreparedSchemas
-		if len(preparedDB.PreparedSchemas) == 0 {
-			preparedSchemas = map[string]acidv1.PreparedSchema{"data": {DefaultRoles: util.True()}}
-		}
 		for preparedSchemaName, preparedSchema := range preparedSchemas {
 			if preparedSchema.DefaultRoles == nil || *preparedSchema.DefaultRoles {
 				if err := c.initDefaultRoles(defaultRoles,
 					preparedDbName+constants.OwnerRoleNameSuffix,
-					preparedDbName+"_"+preparedSchemaName); err != nil {
+					preparedDbName+"_"+preparedSchemaName,
+					constants.DefaultSearchPath+", "+preparedSchemaName); err != nil {
 					return fmt.Errorf("could not initialize default roles for database schema %s: %v", preparedSchemaName, err)
 				}
 				if preparedSchema.DefaultUsers {
 					if err := c.initDefaultRoles(defaultUsers,
 						preparedDbName+constants.OwnerRoleNameSuffix,
-						preparedDbName+"_"+preparedSchemaName); err != nil {
+						preparedDbName+"_"+preparedSchemaName,
+						constants.DefaultSearchPath+", "+preparedSchemaName); err != nil {
 						return fmt.Errorf("could not initialize default users for database schema %s: %v", preparedSchemaName, err)
 					}
 				}
@@ -990,7 +1000,7 @@ func (c *Cluster) initPreparedDatabaseRoles() error {
 	return nil
 }
 
-func (c *Cluster) initDefaultRoles(defaultRoles map[string]string, admin, prefix string) error {
+func (c *Cluster) initDefaultRoles(defaultRoles map[string]string, admin, prefix string, searchPath string) error {
 
 	for defaultRole, inherits := range defaultRoles {
 
@@ -1014,12 +1024,13 @@ func (c *Cluster) initDefaultRoles(defaultRoles map[string]string, admin, prefix
 		}
 
 		newRole := spec.PgUser{
-			Origin:    spec.RoleOriginBootstrap,
-			Name:      roleName,
-			Password:  util.RandomPassword(constants.PasswordLength),
-			Flags:     flags,
-			MemberOf:  memberOf,
-			AdminRole: adminRole,
+			Origin:     spec.RoleOriginBootstrap,
+			Name:       roleName,
+			Password:   util.RandomPassword(constants.PasswordLength),
+			Flags:      flags,
+			MemberOf:   memberOf,
+			Parameters: map[string]string{"search_path": searchPath},
+			AdminRole:  adminRole,
 		}
 		if currentRole, present := c.pgUsers[roleName]; present {
 			c.pgUsers[roleName] = c.resolveNameConflict(&currentRole, &newRole)
diff --git a/pkg/util/constants/roles.go b/pkg/util/constants/roles.go
index 87c9c51ce..dd906fe80 100644
--- a/pkg/util/constants/roles.go
+++ b/pkg/util/constants/roles.go
@@ -2,20 +2,21 @@ package constants
 
 // Roles specific constants
 const (
-	PasswordLength            = 64
-	SuperuserKeyName          = "superuser"
+	PasswordLength              = 64
+	SuperuserKeyName            = "superuser"
 	ConnectionPoolerUserKeyName = "pooler"
-	ReplicationUserKeyName    = "replication"
-	RoleFlagSuperuser         = "SUPERUSER"
-	RoleFlagInherit           = "INHERIT"
-	RoleFlagLogin             = "LOGIN"
-	RoleFlagNoLogin           = "NOLOGIN"
-	RoleFlagCreateRole        = "CREATEROLE"
-	RoleFlagCreateDB          = "CREATEDB"
-	RoleFlagReplication       = "REPLICATION"
-	RoleFlagByPassRLS         = "BYPASSRLS"
-	OwnerRoleNameSuffix       = "_owner"
-	ReaderRoleNameSuffix      = "_reader"
-	WriterRoleNameSuffix      = "_writer"
-	UserRoleNameSuffix        = "_user"
+	ReplicationUserKeyName      = "replication"
+	RoleFlagSuperuser           = "SUPERUSER"
+	RoleFlagInherit             = "INHERIT"
+	RoleFlagLogin               = "LOGIN"
+	RoleFlagNoLogin             = "NOLOGIN"
+	RoleFlagCreateRole          = "CREATEROLE"
+	RoleFlagCreateDB            = "CREATEDB"
+	RoleFlagReplication         = "REPLICATION"
+	RoleFlagByPassRLS           = "BYPASSRLS"
+	OwnerRoleNameSuffix         = "_owner"
+	ReaderRoleNameSuffix        = "_reader"
+	WriterRoleNameSuffix        = "_writer"
+	UserRoleNameSuffix          = "_user"
+	DefaultSearchPath           = "\"$user\""
 )
diff --git a/pkg/util/users/users.go b/pkg/util/users/users.go
index 345caa001..93a7d245a 100644
--- a/pkg/util/users/users.go
+++ b/pkg/util/users/users.go
@@ -113,14 +113,14 @@ func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSy
 
 	return nil
 }
-func (strategy DefaultUserSyncStrategy) alterPgUserSet(user spec.PgUser, db *sql.DB) (err error) {
+
+func (strategy DefaultUserSyncStrategy) alterPgUserSet(user spec.PgUser, db *sql.DB) error {
 	queries := produceAlterRoleSetStmts(user)
 	query := fmt.Sprintf(doBlockStmt, strings.Join(queries, ";"))
-	if _, err = db.Exec(query); err != nil {
-		err = fmt.Errorf("dB error: %v, query: %s", err, query)
-		return
+	if _, err := db.Exec(query); err != nil {
+		return fmt.Errorf("dB error: %v, query: %s", err, query)
 	}
-	return
+	return nil
 }
 
 func (strategy DefaultUserSyncStrategy) createPgUser(user spec.PgUser, db *sql.DB) error {
@@ -148,6 +148,12 @@ func (strategy DefaultUserSyncStrategy) createPgUser(user spec.PgUser, db *sql.D
 		return fmt.Errorf("dB error: %v, query: %s", err, query)
 	}
 
+	if len(user.Parameters) > 0 {
+		if err := strategy.alterPgUserSet(user, db); err != nil {
+			return fmt.Errorf("incomplete setup for user %s: %v", user.Name, err)
+		}
+	}
+
 	return nil
 }