Source postgres: fix schema permission issue

[sashaNeshcheret]

What

Based on issue, during sync user gets permission denied for schema. Need to void using tables from schemas where user don't have USAGE permissions

How

Updatde query that fetch metadata for tables with checking USAGE permissions for schema, it fixes case when user could pick up tables from schemas without permission during discovery. But in case when permission was revoked from user between discovery and sync, all not permitted tables will be skipped without any error, but as far as it happens silently
user can be confused that number tables after sync are less than picked during discovery.

Recommended reading order

1. x.java

🚨 User Impact 🚨

Are there any breaking changes? What is the end result perceived by the user? If yes, please merge this PR with the 🚨🚨 emoji so changelog authors can further highlight this if needed.

Pre-merge Checklist

Expand the relevant checklist and delete the others.

New Connector

Community member or Airbyter

• Community member? Grant edit access to maintainers (instructions)
• Secrets in the connector's spec are annotated with airbyte_secret
• Unit & integration tests added and passing. Community members, please provide proof of success locally e.g: screenshot or copy-paste unit, integration, and acceptance test output. To run acceptance tests for a Python connector, follow instructions in the README. For java connectors run ./gradlew :airbyte-integrations:connectors:<name>:integrationTest.
• Code reviews completed
• Documentation updated
  • Connector's README.md
  • Connector's bootstrap.md. See description and examples
  • docs/integrations/<source or destination>/<name>.md including changelog. See changelog example
  • docs/integrations/README.md
  • airbyte-integrations/builds.md
• PR name follows PR naming conventions

Airbyter

If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.

• Create a non-forked branch based on this PR and test the below items on it
• Build is successful
• If new credentials are required for use in CI, add them to GSM. Instructions.
• /test connector=connectors/<name> command is passing
• New Connector version released on Dockerhub by running the /publish command described here
• After the connector is published, connector added to connector index as described here
• Seed specs have been re-generated by building the platform and committing the changes to the seed spec files, as described here

Updating a connector

Community member or Airbyter

• Grant edit access to maintainers (instructions)
• Secrets in the connector's spec are annotated with airbyte_secret
• Unit & integration tests added and passing. Community members, please provide proof of success locally e.g: screenshot or copy-paste unit, integration, and acceptance test output. To run acceptance tests for a Python connector, follow instructions in the README. For java connectors run ./gradlew :airbyte-integrations:connectors:<name>:integrationTest.
• Code reviews completed
• Documentation updated
  • Connector's README.md
  • Connector's bootstrap.md. See description and examples
  • Changelog updated in docs/integrations/<source or destination>/<name>.md including changelog. See changelog example
• PR name follows PR naming conventions

Airbyter

If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.

• Create a non-forked branch based on this PR and test the below items on it
• Build is successful
• If new credentials are required for use in CI, add them to GSM. Instructions.
• /test connector=connectors/<name> command is passing
• New Connector version released on Dockerhub and connector version bumped by running the /publish command described here

Connector Generator

• Issue acceptance criteria met
• PR name follows PR naming conventions
• If adding a new generator, add it to the list of scaffold modules being tested
• The generator test modules (all connectors with -scaffold in their name) have been updated with the latest scaffold by running ./gradlew :airbyte-integrations:connector-templates:generator:testScaffoldTemplates then checking in your changes
• Documentation which references the generator is updated as needed

Tests

Unit

Put your unit tests output here.

Integration

Put your integration tests output here.

Acceptance

Put your acceptance tests output here.

[github-actions]

Affected Connector Report

NOTE ⚠️ Changes in this PR affect the following connectors. Make sure to do the following as needed:

• Run integration tests
• Bump connector or module version
• Add changelog
• Publish the new version

⚠ Sources (3)

Connector	Version	Changelog	Publish
source-alloydb	1.0.17	✅	✅
source-alloydb-strict-encrypt	1.0.17	✅	⚠ (not in seed)
source-postgres-strict-encrypt	1.0.30	✅	⚠ (not in seed)

• See "Actionable Items" below for how to resolve warnings and errors.

✅ Destinations (0)

Connector	Version	Changelog	Publish

• See "Actionable Items" below for how to resolve warnings and errors.

✅ Other Modules (0)

Actionable Items

(click to expand)

Category	Status	Actionable Item
Version	❌ mismatch	The version of the connector is different from its normal variant. Please bump the version of the connector.
	⚠ doc not found	The connector does not seem to have a documentation file. This can be normal (e.g. basic connector like source-jdbc is not published or documented). Please double-check to make sure that it is not a bug.
Changelog	⚠ doc not found	The connector does not seem to have a documentation file. This can be normal (e.g. basic connector like source-jdbc is not published or documented). Please double-check to make sure that it is not a bug.
	❌ changelog missing	There is no chnagelog for the current version of the connector. If you are the author of the current version, please add a changelog.
Publish	⚠ not in seed	The connector is not in the seed file (e.g. source_definitions.yaml), so its publication status cannot be checked. This can be normal (e.g. some connectors are cloud-specific, and only listed in the cloud seed file). Please double-check to make sure that it is not a bug.
	❌ diff seed version	The connector exists in the seed file, but the latest version is not listed there. This usually means that the latest version is not published. Please use the /publish command to publish the latest version.

[sashaNeshcheret]

/test connector=connectors/source-postgres

🕑 connectors/source-postgres https://github.com/airbytehq/airbyte/actions/runs/3411017756
✅ connectors/source-postgres https://github.com/airbytehq/airbyte/actions/runs/3411017756
No Python unittests run

Build Passed

Test summary info:

All Passed

[sashaNeshcheret]

/test connector=connectors/source-postgres-strict-encrypt

🕑 connectors/source-postgres-strict-encrypt https://github.com/airbytehq/airbyte/actions/runs/3411017720
✅ connectors/source-postgres-strict-encrypt https://github.com/airbytehq/airbyte/actions/runs/3411017720
No Python unittests run

Build Passed

Test summary info:

All Passed

[sashaNeshcheret]

/test connector=connectors/source-postgres-strict-encrypt

🕑 connectors/source-postgres-strict-encrypt https://github.com/airbytehq/airbyte/actions/runs/3420841727
✅ connectors/source-postgres-strict-encrypt https://github.com/airbytehq/airbyte/actions/runs/3420841727
No Python unittests run

Build Passed

Test summary info:

All Passed

[sashaNeshcheret]

/test connector=connectors/source-postgres

🕑 connectors/source-postgres https://github.com/airbytehq/airbyte/actions/runs/3420843643
✅ connectors/source-postgres https://github.com/airbytehq/airbyte/actions/runs/3420843643
No Python unittests run

Build Passed

Test summary info:

All Passed

[sashaNeshcheret]

/test connector=connectors/source-alloydb-strict-encrypt

🕑 connectors/source-alloydb-strict-encrypt https://github.com/airbytehq/airbyte/actions/runs/3420856607
✅ connectors/source-alloydb-strict-encrypt https://github.com/airbytehq/airbyte/actions/runs/3420856607
No Python unittests run

Build Passed

Test summary info:

All Passed

[sashaNeshcheret]

/test connector=connectors/source-alloydb

🕑 connectors/source-alloydb https://github.com/airbytehq/airbyte/actions/runs/3420857495
✅ connectors/source-alloydb https://github.com/airbytehq/airbyte/actions/runs/3420857495
No Python unittests run

Build Passed

Test summary info:

All Passed

[akashkulk]

Looking at the issue, I'm not sure we want to silently fail as we're doing. If I understand correctly, in the case where:

• User configures streams assc with schema they have access to
• User then has access revoked from some of the schemas
• User runs a sync, which appears to run successfully but data from the schemas that they no longer have access to fail

In this case, the user might wonder why records from certain schemas might be missing? But looking at this, we see that the same issue holds for table privilege.

We may want to throw a ConfigErrorException here instead

[akashkulk]

Related to this - am I correct in understanding that today, while calling discover() the user is allowed to choose tables from schemas that they do not have access to?

[sashaNeshcheret]

Yes as answering on your last question. I started to work on issue that user gets permission denied exception during sync, but during investigation i found that user can choose tables from schemas without usage permissions during discovery. Pr is fixing root cause, and as far as we run this code before sync we will not catch such exception.

For not skipping schema without permission silently we should add additional step during discovery for verifying schema permissions for all schemas that user specified during creating source, wdyt?

[akashkulk]

I think that makes sense. Ideally, after this change, few people will get into the state as they will be unable to choose a schema during discovery that they do not have permissions for.

It seems like we silently fail syncs today if the current user loses select privileges for a table as well? This just adds a similar failure mode to that case.

Created https://github.com/airbytehq/airbyte-internal-issues/issues/2658 to track this partial sync scenario

[akashkulk]

Can you add a similar test for the discover() case too (discover shouldn't be returning tables assc with schemas user has no access to)

[bleonard]

👍

[sashaNeshcheret]

/publish connector=connectors/source-postgres-strict-encrypt

🕑 Publishing the following connectors:
connectors/source-postgres-strict-encrypt
https://github.com/airbytehq/airbyte/actions/runs/3575550584

Connector	Did it publish?	Were definitions generated?
connectors/source-postgres-strict-encrypt	✅	❌

if you have connectors that successfully published but failed definition generation, follow step 4 here ▶️

[sashaNeshcheret]

/publish connector=connectors/source-postgres

🕑 Publishing the following connectors:
connectors/source-postgres
https://github.com/airbytehq/airbyte/actions/runs/3575551797

Connector	Did it publish?	Were definitions generated?
connectors/source-postgres	✅	✅

if you have connectors that successfully published but failed definition generation, follow step 4 here ▶️

[rodireich]

I merged to master to get it to the latest published change.