This repository was archived by the owner on Nov 14, 2020. It is now read-only.

Temporarily add role membership when managing permissions #70

Closed
zytek opened this issue Apr 1, 2019 · 2 comments · Fixed by #71

Comments

@zytek
Contributor

zytek commented Apr 1, 2019

Add GRANT $owner TO $connected_user when managing permissions.

Notice: we should probably remove this grant afterwards so as not to leak permissions, BUT only if it wasn't granted before we did it/checked for it. So, as far as I understand, the provider should check if this membership is added, add it if not, and later remove it.

Mentioned in #53
Related hashicorp/terraform#11452

when using this on RDS:

resource "postgresql_default_privileges" "priv-sequence-for-user" {
  database    = "${var.db}"
  owner       = "${var.owner}"
  role        = "${var.user}"
  schema      = "public"
  object_type = "sequence"
  privileges  = ["ALL"]
  depends_on  = ["postgresql_database.db"]
}

we need to first run `GRANT ${var.owner} TO ${provider.username}`

zytek changed the title to "Temporarily add role membership when managing permissions" on Apr 1, 2019
@zytek
Contributor Author

zytek commented Apr 1, 2019

If anyone has this in progress, please mention me; if not, I will try to submit a PR this week.

@cyrilgdn
Contributor

cyrilgdn commented Apr 2, 2019

@zytek Thanks for opening the issue.

> Notice: we should probably remove this grant afterwards so as not to leak permissions, BUT only if it wasn't granted before we did it/checked for it. So, as far as I understand, the provider should check if this membership is added, add it if not, and later remove it.

True! And if you give it a try, note that I already had to do something similar here: https://github.com/terraform-providers/terraform-provider-postgresql/blob/master/postgresql/resource_postgresql_database.go#L132-L142
So helpers already exist for that. (Unfortunately I added them after creating the PR for grant & default privileges :) )

zytek added a commit to zytek/terraform-provider-postgresql that referenced this issue Apr 2, 2019
Make sure connected user has proper permissions to manage default
privileges.

Fixed hashicorp#70

Signed-off-by: Jakub Paweł Głazik <[email protected]>
cyrilgdn referenced this issue in cyrilgdn/terraform-provider-postgresql Jul 3, 2019
Make sure connected user has proper permissions to manage default
privileges.

Fixed #70

Signed-off-by: Jakub Paweł Głazik <[email protected]>
cyrilgdn pushed a commit that referenced this issue Aug 2, 2019
…#71)

* Update resource description in line with PostgreSQL docs

Signed-off-by: Jakub Paweł Głazik <[email protected]>

* Grant owner role to connected user

Make sure connected user has proper permissions to manage default
privileges.

Fixed #70

Signed-off-by: Jakub Paweł Głazik <[email protected]>

* default privileges: grant & revoke the owner in the transaction.

So in this way this temporary grant is not even seen outside the transaction.
This also adds a test to verify that owner is correctly revoked.
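The check / temporary GRANT / ALTER DEFAULT PRIVILEGES / REVOKE sequence discussed in this issue and in the fix's commit message, as an added Go example (not the provider's own code): it plans the statements for one transaction, skipping the grant and revoke when the connected role is already a member so a pre-existing membership is never removed. Role and schema names, the membership query, and the `quoteIdent` stand-in for lib/pq's `QuoteIdentifier` are all assumptions of this example; the privilege keywords are assumed to come from the resource's validated allowlist.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdent double-quotes a PostgreSQL identifier and escapes embedded
// quotes. Stand-in for pq.QuoteIdentifier so this file runs without lib/pq.
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// MembershipCheckSQL reports whether the connected role is already a member
// (directly or indirectly) of the owner role passed as $1. Run it first and
// feed the boolean into PlanDefaultPrivileges as alreadyMember.
const MembershipCheckSQL = "SELECT pg_has_role(current_user, $1, 'MEMBER')"

// PlanDefaultPrivileges returns the statements to run, in order, inside a
// single transaction. The owner role is granted to the connected user only
// when it was not a member already, and that grant is revoked again before
// COMMIT, so the temporary membership never becomes visible outside the
// transaction and an existing membership is left untouched.
// privileges must be validated keywords (ALL, SELECT, ...); they are not quoted.
func PlanDefaultPrivileges(owner, connectedUser, schema, objectType string,
	privileges []string, grantee string, alreadyMember bool) []string {
	stmts := []string{"BEGIN"}
	if !alreadyMember {
		stmts = append(stmts, fmt.Sprintf("GRANT %s TO %s", quoteIdent(owner), quoteIdent(connectedUser)))
	}
	// "sequence" -> "SEQUENCES", "table" -> "TABLES", etc.
	stmts = append(stmts, fmt.Sprintf(
		"ALTER DEFAULT PRIVILEGES FOR ROLE %s IN SCHEMA %s GRANT %s ON %sS TO %s",
		quoteIdent(owner), quoteIdent(schema), strings.Join(privileges, ", "),
		strings.ToUpper(objectType), quoteIdent(grantee)))
	if !alreadyMember {
		stmts = append(stmts, fmt.Sprintf("REVOKE %s FROM %s", quoteIdent(owner), quoteIdent(connectedUser)))
	}
	return append(stmts, "COMMIT")
}

func main() {
	// Constructed sample: the issue's RDS case, connected user not yet a member of the owner role.
	for _, s := range PlanDefaultPrivileges("app_owner", "tf_admin", "public", "sequence",
		[]string{"ALL"}, "app_user", false) {
		fmt.Println(s + ";")
	}
}
```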