
Commit 8a2447f

authored
Merge pull request #316 from nais/pg15_allow_create_public
allow create in public schema when requesting all privileges
2 parents 42d7707 + 8bc786a commit 8a2447f


2 files changed

+26
-66
lines changed


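--- a/pkg/postgres/access.go
+++ b/pkg/postgres/access.go
@@ -3,63 +3,44 @@ package postgres
 import (
 "context"
 "database/sql"
-"strings"
 )
 
-var prepareDdlStatements = []string{
-"alter default privileges in schema public grant CHANGEME on tables to cloudsqliamuser;",
-"alter default privileges in schema public grant CHANGEME on sequences to cloudsqliamuser;",
-"grant CHANGEME on all tables in schema public to cloudsqliamuser;",
-"grant CHANGEME on all sequences in schema public to cloudsqliamuser;",
-}
-
-func PrepareAccess(ctx context.Context, appName, namespace, cluster, database string, allPrivs bool) error {
-dbInfo, err := NewDBInfo(appName, namespace, cluster, database)
-if err != nil {
-return err
-}
-
-connectionInfo, err := dbInfo.DBConnection(ctx)
-if err != nil {
-return err
-}
-
-db, err := sql.Open("cloudsqlpostgres", connectionInfo.ConnectionString())
-if err != nil {
-return err
-}
-defer db.Close()
+var grantAllPrivs = `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO cloudsqliamuser;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO cloudsqliamuser;
+GRANT ALL ON ALL TABLES IN SCHEMA public TO cloudsqliamuser;
+GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO cloudsqliamuser;
+GRANT CREATE ON SCHEMA public TO cloudsqliamuser;`
 
-for _, ddl := range prepareDdlStatements {
-_, err = db.ExecContext(ctx, setGrant(ddl, allPrivs))
-if err != nil {
-return err
-}
-}
+var grantSelectPrivs = `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO cloudsqliamuser;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON SEQUENCES TO cloudsqliamuser;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO cloudsqliamuser;
+GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO cloudsqliamuser;`
 
-return nil
-}
+// this is used for all privileges and select, as it covers both cases
+var revokeAllPrivs = `ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM cloudsqliamuser;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM cloudsqliamuser;
+REVOKE ALL ON ALL TABLES IN SCHEMA public FROM cloudsqliamuser;
+REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM cloudsqliamuser;
+REVOKE CREATE ON SCHEMA public FROM cloudsqliamuser;`
 
-func setGrant(sql string, allPrivs bool) string {
-sqlGrant := "SELECT"
+func PrepareAccess(ctx context.Context, appName, namespace, cluster, database string, allPrivs bool) error {
 if allPrivs {
-sqlGrant = "ALL"
+return sqlExecAsAppUser(ctx, appName, namespace, cluster, database, grantAllPrivs)
+} else {
+return sqlExecAsAppUser(ctx, appName, namespace, cluster, database, grantSelectPrivs)
 }
-return strings.Replace(sql, "CHANGEME", sqlGrant, 1)
 }
 
-var revokeDdlStatements = []string{
-"alter default privileges in schema public revoke ALL on tables from cloudsqliamuser;",
-"alter default privileges in schema public revoke ALL on sequences from cloudsqliamuser;",
-"revoke ALL on all tables in schema public from cloudsqliamuser;",
-"revoke ALL on all sequences in schema public from cloudsqliamuser;",
+func RevokeAccess(ctx context.Context, appName, namespace, cluster, database string) error {
+return sqlExecAsAppUser(ctx, appName, namespace, cluster, database, revokeAllPrivs)
 }
 
-func RevokeAccess(ctx context.Context, appName, namespace, cluster, database string) error {
+func sqlExecAsAppUser(ctx context.Context, appName, namespace, cluster, database, statement string) error {
 dbInfo, err := NewDBInfo(appName, namespace, cluster, database)
 if err != nil {
 return err
 }
+
 connectionInfo, err := dbInfo.DBConnection(ctx)
 if err != nil {
 return err
@@ -71,11 +52,9 @@ func RevokeAccess(ctx context.Context, appName, namespace, cluster, database str
 }
 defer db.Close()
 
-for _, ddl := range revokeDdlStatements {
-_, err = db.ExecContext(ctx, ddl)
-if err != nil {
-return formatInvalidGrantError(err)
-}
+_, err = db.ExecContext(ctx, statement)
+if err != nil {
+return formatInvalidGrantError(err)
 }
 
 return nil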
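Review bot: `sqlExecAsAppUser` now hands a multi-statement string to a single `db.ExecContext` call where the old loops issued one statement per call, and what that does depends on the `cloudsqlpostgres` driver, which is not visible here: with the simple query protocol the statements run in one implicit transaction, so a failure of the final `GRANT CREATE ON SCHEMA public` rolls back the preceding grants too, while an extended-protocol driver rejects multi-statement strings outright. Either way the assumption deserves a comment on the call, e.g. `// statement may hold several ';'-separated commands; they are sent in one round trip and succeed or fail as a unit`, and a test now that access_test.go is gone. The grant blocks would also benefit from a comment that `ALTER DEFAULT PRIVILEGES` only covers objects later created by the role executing it (the app user) and `GRANT ... ON ALL TABLES` only objects that already exist, so the privileges `cloudsqliamuser` ends up with depend on which role owns the tables. In `PrepareAccess` the `else` after a returning `if` can be dropped. `sqlExecAsAppUser` spans both hunks; the lines between them are not shown.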

pkg/postgres/access_test.go

-19
This file was deleted.
