From ef5cc6560f82015834e1bc52f2a2ef8359fe3bfe Mon Sep 17 00:00:00 2001
From: Felix Kunde <felix-kunde@gmx.de>
Date: Tue, 28 Apr 2020 12:17:45 +0200
Subject: [PATCH] only change DB default privileges on creation

---
 pkg/cluster/sync.go | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
index 05e9dfbb1..d2bf01531 100644
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@@ -109,9 +109,9 @@ func (c *Cluster) Sync(newSpec *acidv1.Postgresql) error {
 			err = fmt.Errorf("could not sync databases: %v", err)
 			return err
 		}
-		c.logger.Debugf("syncing database schemas")
+		c.logger.Debugf("syncing prepared databases with schemas")
 		if err = c.syncPreparedDatabases(); err != nil {
-			err = fmt.Errorf("could not sync database schemas: %v", err)
+			err = fmt.Errorf("could not sync prepared database: %v", err)
 			return err
 		}
 	}
@@ -534,6 +534,7 @@ func (c *Cluster) syncDatabases() error {
 
 	createDatabases := make(map[string]string)
 	alterOwnerDatabases := make(map[string]string)
+	preparedDatabases := make([]string, 0)
 
 	if err := c.initDbConn(); err != nil {
 		return fmt.Errorf("could not init database connection")
@@ -557,6 +558,7 @@ func (c *Cluster) syncDatabases() error {
 		_, exists := currentDatabases[preparedDatabaseName]
 		if !exists {
 			createDatabases[preparedDatabaseName] = preparedDatabaseName + constants.OwnerRoleNameSuffix
+			preparedDatabases = append(preparedDatabases, preparedDatabaseName)
 		}
 	}
 
@@ -584,6 +586,13 @@ func (c *Cluster) syncDatabases() error {
 		}
 	}
 
+	// set default privileges for prepared database
+	for _, preparedDatabase := range preparedDatabases {
+		if err = c.execAlterGlobalDefaultPrivileges(preparedDatabase+constants.OwnerRoleNameSuffix, preparedDatabase); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 
@@ -599,9 +608,6 @@ func (c *Cluster) syncPreparedDatabases() error {
 			}
 		}()
 
-		// first, set default privileges for prepared database
-		c.execAlterGlobalDefaultPrivileges(preparedDbName+constants.OwnerRoleNameSuffix, preparedDbName)
-
 		// now, prepare defined schemas
 		preparedSchemas := preparedDB.PreparedSchemas
 		if len(preparedDB.PreparedSchemas) == 0 {