@Tommi2Day Thanks for opening this PR and for your work on that!
Unfortunately it's not that simple to fully implement the postgresql_grant
resource for functions.
The first apply works great and grants the expected privileges, but revoke is not working if you remove the resource.
Also if I don't remove the resource in the Terraform code but revoke manually the EXECUTE
privilege, I expect Terraform to re-grant it on next apply but it's not the case.
I quickly checked why it's not working: the postgresql_grant
resource reads the currently granted privileges with this query by reading the pg_class
table. It works for tables and sequences but not for functions (nor for databases,
for which we already wrote another query).
We need another query to get the currently granted privileges for functions. They are actually stored in the pg_proc
table. I'm able to see these privileges with a query like:
SELECT proname, proacl FROM pg_proc
JOIN pg_namespace ON pronamespace = pg_namespace.oid
WHERE nspname = 'test_schema';
I think we just need the specific query (which will parse proacl
with aclexplode) but then use the same code to compare them with the current state.
Let me know if you need help on that or more explanations.
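To illustrate the approach described in the comment above (reading pg_proc and expanding proacl with aclexplode so the result can be compared with the Terraform state), here is an added example query; it is not code from the PR or the provider. The schema name test_schema is taken from the comment, and the role name app_role is an assumed placeholder.

```sql
-- Added example: list per-role privileges granted on every function in a schema.
-- proacl is NULL when no explicit GRANT/REVOKE has ever been issued on the
-- function; in that case the effective ACL is the default one (owner has all
-- privileges, PUBLIC has EXECUTE), which acldefault('f', owner_oid) reconstructs.
-- Treating NULL as "no privileges" would make Terraform think EXECUTE is missing.
SELECT n.nspname                    AS schema_name,
       p.proname                    AS function_name,
       a.grantee::regrole::text     AS grantee,          -- 0 (PUBLIC) shows as "-"
       a.privilege_type             AS privilege,        -- EXECUTE for functions
       a.is_grantable               AS with_grant_option
FROM pg_proc p
JOIN pg_namespace n ON p.pronamespace = n.oid
CROSS JOIN LATERAL aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) AS a
WHERE n.nspname = 'test_schema'
ORDER BY p.proname, grantee;

-- Narrowed to one role, which is what a Read needs to decide whether the
-- privileges in state are still present (app_role is an assumed placeholder).
SELECT p.proname, a.privilege_type
FROM pg_proc p
JOIN pg_namespace n ON p.pronamespace = n.oid
CROSS JOIN LATERAL aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) AS a
WHERE n.nspname = 'test_schema'
  AND a.grantee = 'app_role'::regrole;
```

If the second query returns no row for a function that the state says should carry EXECUTE, the privilege has been revoked out of band and the next apply should re-grant it; the COALESCE on proacl is what keeps freshly created, never-granted functions from being reported as missing their default PUBLIC EXECUTE.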
@cyrilgdn: thanks for your review. I just added a second commit which addresses your remarks by adding such a query on pg_proc. Hopefully it will do the revoke the right way. The use case you described (dropping the right in psql and applying Terraform again) worked for me now.
@Tommi2Day Thanks a lot for your work.
I tested it and it works fine 👍
I rebased it on master and will merge it.
FYI, this has just been released in v1.7.0.
FYI a change in this PR breaks compatibility with Postgres versions older than 11. #159 (comment)
This extends both postgresql_grant and postgresql_default_privileges to grant EXECUTE on functions, in addition to the existing table and sequence object types. Tests are updated, as well as the documentation.