define default access privileges for default users too (zalando#1512)

FxKu · web-flow · commit 54e506c00bc6 · 2021-06-22T16:45:28.000+02:00
* define default access privileges for default users too
* extend docs on defaultUsers
diff --git a/docs/user.md b/docs/user.md
@@ -522,7 +522,8 @@ The roles described in the previous paragraph can be granted to LOGIN roles from
 the `users` section in the manifest. Optionally, the Postgres Operator can also
 create default LOGIN roles for the database an each schema individually. These
 roles will get the `_user` suffix and they inherit all rights from their NOLOGIN
-counterparts.
+counterparts. Therefore, you cannot have `defaultRoles` set to `false` and enable
+`defaultUsers` at the same time.
 
 | Role name           | Member of      | Admin         |
 | ------------------- | -------------- | ------------- |
@@ -545,6 +546,10 @@ spec:
           defaultUsers: true
 ```
 
+Default access privileges are also defined for LOGIN roles on database and
+schema creation. This means they are currently not set when `defaultUsers`
+(or `defaultRoles` for schemas) are enabled at a later point in time.
+
 ### Schema `search_path` for default roles
 
 The schema [`search_path`](https://www.postgresql.org/docs/13/ddl-schemas.html#DDL-SCHEMAS-PATH)
diff --git a/pkg/cluster/database.go b/pkg/cluster/database.go
@@ -351,10 +351,30 @@ func (c *Cluster) execCreateDatabaseSchema(databaseName, schemaName, dbOwner, sc
 	}
 
 	// set default privileges for schema
+	// the schemaOwner defines them for global database roles
 	c.execAlterSchemaDefaultPrivileges(schemaName, schemaOwner, databaseName)
+
+	// if schemaOwner and dbOwner differ we know that <databaseName>_<schemaName> default roles were created
 	if schemaOwner != dbOwner {
-		c.execAlterSchemaDefaultPrivileges(schemaName, dbOwner, databaseName+"_"+schemaName)
-		c.execAlterSchemaDefaultPrivileges(schemaName, schemaOwner, databaseName+"_"+schemaName)
+		defaultUsers := c.Spec.PreparedDatabases[databaseName].PreparedSchemas[schemaName].DefaultUsers
+
+		// define schema privileges of <databaseName>_<schemaName>_owner_user for global roles, too
+		if defaultUsers {
+			c.execAlterSchemaDefaultPrivileges(schemaName, schemaOwner+constants.UserRoleNameSuffix, databaseName)
+		}
+
+		// collect all possible owner roles and define default schema privileges
+		// for <databaseName>_<schemaName>_reader/writer roles
+		owners := c.getOwnerRoles(databaseName, c.Spec.PreparedDatabases[databaseName].DefaultUsers)
+		owners = append(owners, c.getOwnerRoles(databaseName+"_"+schemaName, defaultUsers)...)
+		for _, owner := range owners {
+			c.execAlterSchemaDefaultPrivileges(schemaName, owner, databaseName+"_"+schemaName)
+		}
+	} else {
+		// define schema privileges of <databaseName>_owner_user for global roles, too
+		if c.Spec.PreparedDatabases[databaseName].DefaultUsers {
+			c.execAlterSchemaDefaultPrivileges(schemaName, schemaOwner+constants.UserRoleNameSuffix, databaseName)
+		}
 	}
 
 	return nil
@@ -418,6 +438,15 @@ func makeUserFlags(rolsuper, rolinherit, rolcreaterole, rolcreatedb, rolcanlogin
 	return result
 }
 
+func (c *Cluster) getOwnerRoles(dbObjPath string, withUser bool) (owners []string) {
+	owners = append(owners, dbObjPath+constants.OwnerRoleNameSuffix)
+	if withUser {
+		owners = append(owners, dbObjPath+constants.OwnerRoleNameSuffix+constants.UserRoleNameSuffix)
+	}
+
+	return owners
+}
+
 // getExtension returns the list of current database extensions
 // The caller is responsible for opening and closing the database connection
 func (c *Cluster) getExtensions() (dbExtensions map[string]string, err error) {
diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
@@ -740,8 +740,11 @@ func (c *Cluster) syncDatabases() error {
 		if err := c.initDbConnWithName(preparedDatabase); err != nil {
 			return fmt.Errorf("could not init database connection to %s", preparedDatabase)
 		}
-		if err = c.execAlterGlobalDefaultPrivileges(preparedDatabase+constants.OwnerRoleNameSuffix, preparedDatabase); err != nil {
-			return err
+
+		for _, owner := range c.getOwnerRoles(preparedDatabase, c.Spec.PreparedDatabases[preparedDatabase].DefaultUsers) {
+			if err = c.execAlterGlobalDefaultPrivileges(owner, preparedDatabase); err != nil {
+				return err
+			}
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -740,8 +740,11 @@ func (c *Cluster) syncDatabases() error {`
`740`	`740`	`if err := c.initDbConnWithName(preparedDatabase); err != nil {`
`741`	`741`	`return fmt.Errorf("could not init database connection to %s", preparedDatabase)`
`742`	`742`	`}`
`743`		`- if err = c.execAlterGlobalDefaultPrivileges(preparedDatabase+constants.OwnerRoleNameSuffix, preparedDatabase); err != nil {`
`744`		`- return err`
	`743`	`+`
	`744`	`+ for _, owner := range c.getOwnerRoles(preparedDatabase, c.Spec.PreparedDatabases[preparedDatabase].DefaultUsers) {`
	`745`	`+ if err = c.execAlterGlobalDefaultPrivileges(owner, preparedDatabase); err != nil {`
	`746`	`+ return err`
	`747`	`+ }`
`745`	`748`	`}`
`746`	`749`	`}`
`747`	`750`