feat(pgsql): extend Grant kind specification with schema, objects, objectType, colums. #218

Draft
wants to merge 1 commit into
base: master
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -8,3 +8,4 @@
.work
_output
__debug_bin
.tool-versions
45 changes: 45 additions & 0 deletions apis/postgresql/v1alpha1/grant_types.go
Expand Up @@ -47,6 +47,7 @@ type GrantPrivileges []GrantPrivilege
// happen internally inside postgresql when making grants. When we query the
// privileges back, we need to look for the expanded set.
// https://www.postgresql.org/docs/15/ddl-priv.html
// TODO: Grand ALL ON SCHEMA should be expanded to GRANT USAGE, CREATE ON SCHEMA
var grantReplacements = map[GrantPrivilege]GrantPrivileges{
"ALL": {"CREATE", "TEMPORARY", "CONNECT"},
"ALL PRIVILEGES": {"CREATE", "TEMPORARY", "CONNECT"},
Expand Down Expand Up @@ -141,6 +142,20 @@ type GrantParameters struct {
// +optional
DatabaseSelector *xpv1.Selector `json:"databaseSelector,omitempty"`

// Schema this grant is for.
// +optional
Schema *string `json:"schema,omitempty"`

// SchemaRef references the schema object this grant it for.
// +immutable
// +optional
SchemaRef *xpv1.Reference `json:"schemaRef,omitempty"`

// SchemaSelector selects a reference to a Schema this grant is for.
// +immutable
// +optional
SchemaSelector *xpv1.Selector `json:"schemaSelector,omitempty"`

// MemberOf is the Role that this grant makes Role a member of.
// +optional
MemberOf *string `json:"memberOf,omitempty"`
Expand All @@ -158,6 +173,22 @@ type GrantParameters struct {
// RevokePublicOnDb apply the statement "REVOKE ALL ON DATABASE %s FROM PUBLIC" to make database unreachable from public
// +optional
RevokePublicOnDb *bool `json:"revokePublicOnDb,omitempty" default:"false"`

// ObjectType is the PostgreSQL object type to grant the privileges on.
// +kubebuilder:validation:Enum=database;schema;table;sequence;function;procedure;routine;foreign_data_wrapper;foreign_server;column
ObjectType string `json:"objectType" default:"database"`

// Objects are the objects upon which to grant the privileges.
// An empty list (the default) means to grant permissions on all objects of the specified type.
// You cannot specify this option if the objectType is database or schema.
// When objectType is column, only one value is allowed.
// +optional
Objects []string `json:"objects,omitempty"`

// The columns upon which to grant the privileges.
// Required when object_type is column. You cannot specify this option if the object_type is not column
// +optional
Columns []string `json:"columns,omitempty"`
}

// A GrantStatus represents the observed state of a Grant.
Expand Down Expand Up @@ -212,6 +243,20 @@ func (mg *Grant) ResolveReferences(ctx context.Context, c client.Reader) error {
mg.Spec.ForProvider.Database = reference.ToPtrValue(rsp.ResolvedValue)
mg.Spec.ForProvider.DatabaseRef = rsp.ResolvedReference

// Resolve spec.forProvider.schema
rsp, err = r.Resolve(ctx, reference.ResolutionRequest{
CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Schema),
Reference: mg.Spec.ForProvider.SchemaRef,
Selector: mg.Spec.ForProvider.SchemaSelector,
To: reference.To{Managed: &Schema{}, List: &SchemaList{}},
Extract: reference.ExternalName(),
})
if err != nil {
return errors.Wrap(err, "spec.forProvider.schema")
}
mg.Spec.ForProvider.Schema = reference.ToPtrValue(rsp.ResolvedValue)
mg.Spec.ForProvider.SchemaRef = rsp.ResolvedReference

// Resolve spec.forProvider.role
rsp, err = r.Resolve(ctx, reference.ResolutionRequest{
CurrentValue: reference.FromPtrValue(mg.Spec.ForProvider.Role),
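Review bot: The new `Schema`, `Objects` and `Columns` fields are free-form strings with no validation marker, and they are presumably spliced into `GRANT … ON <type> <name>` statements by the controller (not visible on this page), so a Grant author could smuggle SQL through a value such as `objects: ["t; ALTER ROLE …"]` into a session that runs with the provider's credentials — the controller must quote every identifier, and the API should at least bound these to PostgreSQL's 63-byte identifier limit and a conservative pattern. Separately, the `default:"database"` struct tag on `ObjectType` is not a controller-gen marker: the generated CRD in this PR carries `required: - objectType` and no `default:`, so every existing Grant without the new field stops validating after upgrade; use `// +kubebuilder:default=database` with `// +optional` and `omitempty` instead. The constraints the comments promise (objects forbidden for database/schema, exactly one object and a non-empty `columns` when objectType is column) are not enforced anywhere in the schema; a `+kubebuilder:validation:XValidation` CEL rule on `GrantParameters`, whose declaration starts outside this hunk, would reject them at admission rather than at GRANT time. The `grantReplacements` table still expands `ALL` to the database-level `CREATE, TEMPORARY, CONNECT` set only (the added TODO acknowledges schema), which will presumably misreport drift for the new table/sequence/function object types once the observe path compares expanded privileges.
```go
	// ObjectType is the PostgreSQL object type to grant the privileges on.
	// Defaults to database so Grants created before this field existed keep validating.
	// +kubebuilder:validation:Enum=database;schema;table;sequence;function;procedure;routine;foreign_data_wrapper;foreign_server;column
	// +kubebuilder:default=database
	// +optional
	ObjectType string `json:"objectType,omitempty"`

	// Objects are the objects upon which to grant the privileges.
	// … unchanged doc comment …
	// Values are interpolated into DDL; restrict them to plain identifiers (63-byte limit).
	// +kubebuilder:validation:items:MaxLength=63
	// +kubebuilder:validation:items:Pattern=`^[A-Za-z_][A-Za-z0-9_$]*$`
	// +optional
	Objects []string `json:"objects,omitempty"`

	// The columns upon which to grant the privileges.
	// … unchanged doc comment …
	// +kubebuilder:validation:items:MaxLength=63
	// +kubebuilder:validation:items:Pattern=`^[A-Za-z_][A-Za-z0-9_$]*$`
	// +optional
	Columns []string `json:"columns,omitempty"`
```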
25 changes: 25 additions & 0 deletions apis/postgresql/v1alpha1/zz_generated.deepcopy.go


2 changes: 1 addition & 1 deletion build
112 changes: 112 additions & 0 deletions package/crds/postgresql.sql.crossplane.io_grants.yaml
Expand Up @@ -83,6 +83,13 @@ spec:
description: GrantParameters define the desired state of a PostgreSQL
grant instance.
properties:
columns:
description: |-
The columns upon which to grant the privileges.
Required when object_type is column. You cannot specify this option if the object_type is not column
items:
type: string
type: array
database:
description: Database this grant is for.
type: string
Expand Down Expand Up @@ -242,6 +249,30 @@ spec:
type: string
type: object
type: object
objectType:
description: ObjectType is the PostgreSQL object type to grant
the privileges on.
enum:
- database
- schema
- table
- sequence
- function
- procedure
- routine
- foreign_data_wrapper
- foreign_server
- column
type: string
objects:
description: |-
Objects are the objects upon which to grant the privileges.
An empty list (the default) means to grant permissions on all objects of the specified type.
You cannot specify this option if the objectType is database or schema.
When objectType is column, only one value is allowed.
items:
type: string
type: array
privileges:
description: |-
Privileges to be granted.
Expand Down Expand Up @@ -336,6 +367,85 @@ spec:
type: string
type: object
type: object
schema:
description: Schema this grant is for.
type: string
schemaRef:
description: SchemaRef references the schema object this grant
it for.
properties:
name:
description: Name of the referenced object.
type: string
policy:
description: Policies for referencing.
properties:
resolution:
default: Required
description: |-
Resolution specifies whether resolution of this reference is required.
The default is 'Required', which means the reconcile will fail if the
reference cannot be resolved. 'Optional' means this reference will be
a no-op if it cannot be resolved.
enum:
- Required
- Optional
type: string
resolve:
description: |-
Resolve specifies when this reference should be resolved. The default
is 'IfNotPresent', which will attempt to resolve the reference only when
the corresponding field is not present. Use 'Always' to resolve the
reference on every reconcile.
enum:
- Always
- IfNotPresent
type: string
type: object
required:
- name
type: object
schemaSelector:
description: SchemaSelector selects a reference to a Schema this
grant is for.
properties:
matchControllerRef:
description: |-
MatchControllerRef ensures an object with the same controller reference
as the selecting object is selected.
type: boolean
matchLabels:
additionalProperties:
type: string
description: MatchLabels ensures an object with matching labels
is selected.
type: object
policy:
description: Policies for selection.
properties:
resolution:
default: Required
description: |-
Resolution specifies whether resolution of this reference is required.
The default is 'Required', which means the reconcile will fail if the
reference cannot be resolved. 'Optional' means this reference will be
a no-op if it cannot be resolved.
enum:
- Required
- Optional
type: string
resolve:
description: |-
Resolve specifies when this reference should be resolved. The default
is 'IfNotPresent', which will attempt to resolve the reference only when
the corresponding field is not present. Use 'Always' to resolve the
reference on every reconcile.
enum:
- Always
- IfNotPresent
type: string
type: object
type: object
withOption:
description: |-
WithOption allows an option to be set on the grant.
Expand All @@ -345,6 +455,8 @@ spec:
- ADMIN
- GRANT
type: string
required:
- objectType
type: object
managementPolicies:
default: