
Commit a08ffa2

Merge pull request #3 from Evaneos/feat/support-grant-all-tables
fix: check only required grants on all tables
2 parents 4d53041 + fd5218a commit a08ffa2


1 file changed

+23
-26
lines changed


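--- a/pkg/controller/postgresql/grant/reconciler.go
+++ b/pkg/controller/postgresql/grant/reconciler.go
@@ -337,44 +337,41 @@ func selectSequenceGrantQuery(gp v1alpha1.GrantParameters, q *xsql.Query) error
 }
 
 func selectTableGrantQuery(gp v1alpha1.GrantParameters, q *xsql.Query) error {
+
+gro := gp.WithOption != nil && *gp.WithOption == v1alpha1.GrantOptionGrant
+
+ep := gp.ExpandPrivileges()
+sp := ep.ToStringSlice()
+
 if gp.IsAllTables() {
-q.String = `WITH tables_in_schema AS (
-SELECT table_name FROM information_schema.tables
-WHERE table_schema = $1 AND table_type = 'BASE TABLE'
+q.String = `
+WITH tables_in_schema AS (
+SELECT table_name FROM information_schema.tables
+WHERE table_schema = $1 AND table_type = 'BASE TABLE'
 ),
 grants_per_table AS (
-SELECT table_name, privilege_type FROM information_schema.role_table_grants
-WHERE grantee = $2 AND table_schema = $1
-)
+SELECT table_name, privilege_type, is_grantable FROM information_schema.role_table_grants
+WHERE grantee = $2 AND table_schema = $1
+),
+required_privileges AS (SELECT unnest($3::text[]) AS privilege)
 SELECT NOT EXISTS (
-SELECT 1 FROM tables_in_schema t
-WHERE EXISTS (
-SELECT 1
-FROM (
-SELECT 'SELECT' AS privilege
-UNION SELECT 'INSERT'
-UNION SELECT 'UPDATE'
-UNION SELECT 'DELETE'
-UNION SELECT 'TRUNCATE'
-UNION SELECT 'REFERENCES'
-UNION SELECT 'TRIGGER'
-) p
+SELECT 1 FROM tables_in_schema t, required_privileges p
 WHERE NOT EXISTS (
-SELECT 1 FROM grants_per_table g
-WHERE g.table_name = t.table_name
+SELECT 1
+FROM grants_per_table g
+WHERE g.table_name = t.table_name
 AND g.privilege_type = p.privilege
-))) AS has_all_grants;`
+AND g.is_grantable = $4
+)
+) AS has_all_grants;`
 
 q.Parameters = []interface{}{
 gp.Schema,
 gp.Role,
+pq.Array(sp),
+yesOrNo(gro),
 }
 } else {
-gro := gp.WithOption != nil && *gp.WithOption == v1alpha1.GrantOptionGrant
-
-ep := gp.ExpandPrivileges()
-sp := ep.ToStringSlice()
-
 // Join grantee. Filter by schema name, table name and grantee name.
 // Finally, perform a permission comparison against expected
 // permissions.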
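Review bot: The exact comparison `AND g.is_grantable = $4` at new line 364 makes a grant that already exists WITH GRANT OPTION count as missing when the spec asks for none (and vice versa); the create path that runs on a "missing" observation is not visible in this hunk, so if it only issues a plain GRANT the observer will report drift on every reconcile while the surplus grant authority stays in place. If an exact match is the intent (it would mirror the per-table branch's "permission comparison against expected permissions"), record it where `$4` is bound: `yesOrNo(gro), // expected is_grantable (YES/NO); an exact match treats a grant with the wrong WITH GRANT OPTION state as absent`. Note also that with an empty `sp` or a schema holding no base tables both `NOT EXISTS` predicates are vacuously true and has_all_grants comes back true, which is probably acceptable but deserves a one-line comment on the hoisted `sp := ep.ToStringSlice()` line. The body of selectTableGrantQuery continues past the end of the hunk.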
