Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

allow create in public schema when requesting all privileges #316

Merged
merged 2 commits into from
Feb 29, 2024
Merged

allow create in public schema when requesting all privileges #316

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c3dae10
allow create in public schema when requesting all privileges
sechmann Jan 10, 2024
8bc786a
Merge branch 'main' into pg15_allow_create_public
sechmann Feb 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
73 changes: 26 additions & 47 deletions pkg/postgres/access.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,63 +3,44 @@ package postgres
import (
"context"
"database/sql"
"strings"
)

var prepareDdlStatements = []string{
"alter default privileges in schema public grant CHANGEME on tables to cloudsqliamuser;",
"alter default privileges in schema public grant CHANGEME on sequences to cloudsqliamuser;",
"grant CHANGEME on all tables in schema public to cloudsqliamuser;",
"grant CHANGEME on all sequences in schema public to cloudsqliamuser;",
}

func PrepareAccess(ctx context.Context, appName, namespace, cluster, database string, allPrivs bool) error {
dbInfo, err := NewDBInfo(appName, namespace, cluster, database)
if err != nil {
return err
}

connectionInfo, err := dbInfo.DBConnection(ctx)
if err != nil {
return err
}

db, err := sql.Open("cloudsqlpostgres", connectionInfo.ConnectionString())
if err != nil {
return err
}
defer db.Close()
var grantAllPrivs = `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO cloudsqliamuser;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO cloudsqliamuser;
GRANT ALL ON ALL TABLES IN SCHEMA public TO cloudsqliamuser;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO cloudsqliamuser;
GRANT CREATE ON SCHEMA public TO cloudsqliamuser;`

for _, ddl := range prepareDdlStatements {
_, err = db.ExecContext(ctx, setGrant(ddl, allPrivs))
if err != nil {
return err
}
}
var grantSelectPrivs = `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO cloudsqliamuser;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON SEQUENCES TO cloudsqliamuser;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO cloudsqliamuser;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO cloudsqliamuser;`

return nil
}
// this is used for all privileges and select, as it covers both cases
var revokeAllPrivs = `ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM cloudsqliamuser;
ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM cloudsqliamuser;
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM cloudsqliamuser;
REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM cloudsqliamuser;
REVOKE CREATE ON SCHEMA public FROM cloudsqliamuser;`

func setGrant(sql string, allPrivs bool) string {
sqlGrant := "SELECT"
func PrepareAccess(ctx context.Context, appName, namespace, cluster, database string, allPrivs bool) error {
if allPrivs {
sqlGrant = "ALL"
return sqlExecAsAppUser(ctx, appName, namespace, cluster, database, grantAllPrivs)
} else {
return sqlExecAsAppUser(ctx, appName, namespace, cluster, database, grantSelectPrivs)
}
return strings.Replace(sql, "CHANGEME", sqlGrant, 1)
}

var revokeDdlStatements = []string{
"alter default privileges in schema public revoke ALL on tables from cloudsqliamuser;",
"alter default privileges in schema public revoke ALL on sequences from cloudsqliamuser;",
"revoke ALL on all tables in schema public from cloudsqliamuser;",
"revoke ALL on all sequences in schema public from cloudsqliamuser;",
func RevokeAccess(ctx context.Context, appName, namespace, cluster, database string) error {
return sqlExecAsAppUser(ctx, appName, namespace, cluster, database, revokeAllPrivs)
}

func RevokeAccess(ctx context.Context, appName, namespace, cluster, database string) error {
func sqlExecAsAppUser(ctx context.Context, appName, namespace, cluster, database, statement string) error {
dbInfo, err := NewDBInfo(appName, namespace, cluster, database)
if err != nil {
return err
}

connectionInfo, err := dbInfo.DBConnection(ctx)
if err != nil {
return err
Expand All @@ -71,11 +52,9 @@ func RevokeAccess(ctx context.Context, appName, namespace, cluster, database str
}
defer db.Close()

for _, ddl := range revokeDdlStatements {
_, err = db.ExecContext(ctx, ddl)
if err != nil {
return formatInvalidGrantError(err)
}
_, err = db.ExecContext(ctx, statement)
if err != nil {
return formatInvalidGrantError(err)
}

return nil
Expand Down
19 changes: 0 additions & 19 deletions pkg/postgres/access_test.go
View file
Open in desktop

This file was deleted.