feat: Gratn Additional Access for Sequences and Functions

Author: tkcontiant

cmd/main.go

@@ -47,15 +47,15 @@ func main() {
 	var secureMetrics bool
 	var enableHTTP2 bool
 	var tlsOpts []func(*tls.Config)
-	flag.StringVar(&metricsAddr, "metrics-bind-address", "0", "The address the metrics endpoint binds to. "+
+	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metrics endpoint binds to. "+
 		"Use :8443 for HTTPS or :8080 for HTTP, or leave as 0 to disable the metrics service.")
 	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
-	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
+	flag.BoolVar(&enableLeaderElection, "leader-elect", true,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
-	flag.BoolVar(&secureMetrics, "metrics-secure", true,
+	flag.BoolVar(&secureMetrics, "metrics-secure", false,
 		"If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
-	flag.BoolVar(&enableHTTP2, "enable-http2", false,
+	flag.BoolVar(&enableHTTP2, "enable-http2", true,
 		"If set, HTTP/2 will be enabled for the metrics and webhook servers")
 	opts := zap.Options{
 		Development: true,

internal/controller/postgres_controller.go

@@ -184,12 +184,17 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 	}
 	// create schemas
 	var (
-		database    = instance.Spec.Database
-		owner       = instance.Status.Roles.Owner
-		reader      = instance.Status.Roles.Reader
-		writer      = instance.Status.Roles.Writer
-		readerPrivs = "SELECT"
-		writerPrivs = "SELECT,INSERT,DELETE,UPDATE"
+		database            = instance.Spec.Database
+		owner               = instance.Status.Roles.Owner
+		reader              = instance.Status.Roles.Reader
+		writer              = instance.Status.Roles.Writer
+		readerPrivs         = "SELECT"
+		writerPrivs         = "SELECT,INSERT,DELETE,UPDATE"
+		writerSequencePrivs = "USAGE,SELECT"
+		writerFunctionPrivs = "EXECUTE"
+		ownerPrivs          = "ALL"
+		ownerFunctionPrivs  = "ALL"
+		ownerSequencePrivs  = "ALL"
 	)
 	for _, schema := range instance.Spec.Schemas {
 		// Schema was previously created
@@ -218,27 +223,31 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 			continue
 		}
 		schemaPrivilegesWriter := postgres.PostgresSchemaPrivileges{
-			DB:           database,
-			Role:         writer,
-			Schema:       schema,
-			Privs:        writerPrivs,
-			CreateSchema: true,
+			DB:            database,
+			Role:          writer,
+			Schema:        schema,
+			Privs:         writerPrivs,
+			SequencePrivs: writerSequencePrivs,
+			FunctionPrivs: writerFunctionPrivs,
+			CreateSchema:  true,
 		}
 		err = r.pg.SetSchemaPrivileges(schemaPrivilegesWriter, reqLogger)
 		if err != nil {
-			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", writer, writerPrivs))
+			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\", sequence privileges \"%s\", and function privileges \"%s\"", writer, writerPrivs, writerSequencePrivs, writerFunctionPrivs))
 			continue
 		}
 		schemaPrivilegesOwner := postgres.PostgresSchemaPrivileges{
-			DB:           database,
-			Role:         owner,
-			Schema:       schema,
-			Privs:        writerPrivs,
-			CreateSchema: true,
+			DB:            database,
+			Role:          owner,
+			Schema:        schema,
+			Privs:         ownerPrivs,
+			SequencePrivs: ownerSequencePrivs,
+			FunctionPrivs: ownerFunctionPrivs,
+			CreateSchema:  true,
 		}
 		err = r.pg.SetSchemaPrivileges(schemaPrivilegesOwner, reqLogger)
 		if err != nil {
-			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\"", writer, writerPrivs))
+			reqLogger.Error(err, fmt.Sprintf("Could not give %s permissions \"%s\", sequence privileges \"%s\", and function privileges \"%s\"", owner, ownerPrivs, ownerSequencePrivs, ownerFunctionPrivs))
 			continue
 		}
 

pkg/postgres/database.go

@@ -8,19 +8,23 @@ import (
 )
 
 const (
-	CREATE_DB            = `CREATE DATABASE "%s"`
-	CREATE_SCHEMA        = `CREATE SCHEMA IF NOT EXISTS "%s" AUTHORIZATION "%s"`
-	CREATE_EXTENSION     = `CREATE EXTENSION IF NOT EXISTS "%s"`
-	ALTER_DB_OWNER       = `ALTER DATABASE "%s" OWNER TO "%s"`
-	DROP_DATABASE        = `DROP DATABASE "%s"`
-	GRANT_USAGE_SCHEMA   = `GRANT USAGE ON SCHEMA "%s" TO "%s"`
-	GRANT_CREATE_TABLE   = `GRANT CREATE ON SCHEMA "%s" TO "%s"`
-	GRANT_ALL_TABLES     = `GRANT %s ON ALL TABLES IN SCHEMA "%s" TO "%s"`
-	DEFAULT_PRIVS_SCHEMA = `ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT %s ON TABLES TO "%s"`
-	REVOKE_CONNECT       = `REVOKE CONNECT ON DATABASE "%s" FROM public`
-	TERMINATE_BACKEND    = `SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity	WHERE pg_stat_activity.datname = '%s' AND pid <> pg_backend_pid()`
-	GET_DB_OWNER         = `SELECT pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d WHERE d.datname = '%s'`
-	GRANT_CREATE_SCHEMA  = `GRANT CREATE ON DATABASE "%s" TO "%s"`
+	CREATE_DB               = `CREATE DATABASE "%s"`
+	CREATE_SCHEMA           = `CREATE SCHEMA IF NOT EXISTS "%s" AUTHORIZATION "%s"`
+	CREATE_EXTENSION        = `CREATE EXTENSION IF NOT EXISTS "%s"`
+	ALTER_DB_OWNER          = `ALTER DATABASE "%s" OWNER TO "%s"`
+	DROP_DATABASE           = `DROP DATABASE "%s"`
+	GRANT_USAGE_SCHEMA      = `GRANT USAGE ON SCHEMA "%s" TO "%s"`
+	GRANT_CREATE_TABLE      = `GRANT CREATE ON SCHEMA "%s" TO "%s"`
+	GRANT_ALL_TABLES        = `GRANT %s ON ALL TABLES IN SCHEMA "%s" TO "%s"`
+	DEFAULT_PRIVS_SCHEMA    = `ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT %s ON TABLES TO "%s"`
+	GRANT_ALL_FUNCTIONS     = `GRANT %s ON ALL FUNCTIONS IN SCHEMA "%s" TO "%s"`
+	DEFAULT_PRIVS_FUNCTIONS = `ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT %s ON FUNCTIONS TO "%s"`
+	GRANT_ALL_SEQUENCES     = `GRANT %s ON ALL SEQUENCES IN SCHEMA "%s" TO "%s"`
+	DEFAULT_PRIVS_SEQUENCES = `ALTER DEFAULT PRIVILEGES IN SCHEMA "%s" GRANT %s ON SEQUENCES TO "%s"`
+	REVOKE_CONNECT          = `REVOKE CONNECT ON DATABASE "%s" FROM public`
+	TERMINATE_BACKEND       = `SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity	WHERE pg_stat_activity.datname = '%s' AND pid <> pg_backend_pid()`
+	GET_DB_OWNER            = `SELECT pg_catalog.pg_get_userbyid(d.datdba) FROM pg_catalog.pg_database d WHERE d.datname = '%s'`
+	GRANT_CREATE_SCHEMA     = `GRANT CREATE ON DATABASE "%s" TO "%s"`
 )
 
 func (c *pg) CreateDB(dbname, role string) error {
@@ -120,6 +124,34 @@ func (c *pg) SetSchemaPrivileges(schemaPrivileges PostgresSchemaPrivileges, logg
 		return err
 	}
 
+	if schemaPrivileges.SequencePrivs != "" {
+		// Grant role privs on existing sequences in schema
+		_, err = tmpDb.Exec(fmt.Sprintf(GRANT_ALL_SEQUENCES, schemaPrivileges.SequencePrivs, schemaPrivileges.Schema, schemaPrivileges.Role))
+		if err != nil {
+			return err
+		}
+
+		// Grant role privs on future sequences in schema
+		_, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_SEQUENCES, schemaPrivileges.Schema, schemaPrivileges.SequencePrivs, schemaPrivileges.Role))
+		if err != nil {
+			return err
+		}
+	}
+
+	if schemaPrivileges.FunctionPrivs != "" {
+		// Grant role privs on existing functions in schema
+		_, err = tmpDb.Exec(fmt.Sprintf(GRANT_ALL_FUNCTIONS, schemaPrivileges.FunctionPrivs, schemaPrivileges.Schema, schemaPrivileges.Role))
+		if err != nil {
+			return err
+		}
+
+		// Grant role privs on future functions in schema
+		_, err = tmpDb.Exec(fmt.Sprintf(DEFAULT_PRIVS_FUNCTIONS, schemaPrivileges.Schema, schemaPrivileges.FunctionPrivs, schemaPrivileges.Role))
+		if err != nil {
+			return err
+		}
+	}
+
 	// Grant role usage on schema if createSchema
 	if schemaPrivileges.CreateSchema {
 		_, err = tmpDb.Exec(fmt.Sprintf(GRANT_CREATE_TABLE, schemaPrivileges.Schema, schemaPrivileges.Role))

pkg/postgres/postgres.go

@@ -37,11 +37,13 @@ type pg struct {
 }
 
 type PostgresSchemaPrivileges struct {
-	DB           string
-	Role         string
-	Schema       string
-	Privs        string
-	CreateSchema bool
+	DB            string
+	Role          string
+	Schema        string
+	Privs         string
+	SequencePrivs string
+	FunctionPrivs string
+	CreateSchema  bool
 }
 
 func NewPG(cfg *config.Cfg, logger logr.Logger) (PG, error) {