
Implement GRANT TO PUBLIC for all supported object types #106

Merged
merged 5 commits into from
Jan 30, 2023

Conversation

winglot
Member

@winglot winglot commented Jan 18, 2023

The PR adds an implementation of GRANT ... TO PUBLIC. Example usage in a resource:

resource "redshift_grant" "public" {
  group = "public"

  schema      = "my_schema"
  object_type = "schema"
  privileges  = ["create", "usage"]
}

Fixes #61

@mtesch-um
Contributor

Just some thoughts:

Based on the syntax of GRANT, would it make more sense to trigger on user = "PUBLIC" rather than having to write extra special-case code for group = "public"?

Should the comparison for "public" be case-insensitive?

@robertomczak
Contributor

https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html

PUBLIC
Grants the specified privileges to all users, including users created later. PUBLIC represents a group that always includes all users. An individual user's privileges consist of the sum of privileges granted to PUBLIC, privileges granted to any groups that the user belongs to, and any privileges granted to the user individually.

As it represents a group, I think this implementation is correct, and using USER=PUBLIC might be misleading and not consistent with the PostgreSQL and Redshift implementations and naming.

With the RBAC implementation in the provider this will also be useful.

@mtesch-um
Contributor

The postgresql provider does this as a part of the role resource - which seems to more or less approximate a user. I'm really not arguing for either way being right, just wanted to point it out - the code looked a little awkward.

@winglot
Member Author

winglot commented Jan 19, 2023

@mtesch-um thank you for the feedback.

I decided to use a group as the GRANT documentation for both PostgreSQL and Redshift says:

PUBLIC represents a group that always includes all users.

The code would not really change whether it were a user or a group. It's due to how the permissions for PUBLIC are represented in Redshift. If you take a look at pg_namespace, ACLs for schemas are:

  • group <name>=UC/rdsdb for groups,
  • <username>=UC/rdsdb for users,
  • =UC/rdsdb for PUBLIC (nothing before the equal sign)

I had to modify the query to avoid accidentally catching users/groups ACLs. I tried fitting it to existing queries but that was just causing more problems.

Vanilla PostgreSQL is different in this case as it does not have a separation for users and groups in newer versions, where a role combines both (can be given a password to imitate a user and can be assigned other roles to form "groups"). Redshift is slowly heading that way too with RBAC.
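The three ACL shapes listed above (group, user, and the empty-grantee PUBLIC entry) are what a provider has to tell apart when it reads nspacl back from the catalog. As an added example that is not code from this PR or from the provider, the following Go program parses a pg_namespace-style ACL array literal and classifies each entry by grantee kind, so that a PUBLIC grant is never mistaken for a user named "" or for a group. The sample array value is constructed for the example; it assumes the text-array rendering described in the thread (elements containing spaces are double-quoted, commas separate elements) and does not handle backslash-escaped quotes inside role names.

```go
package main

import (
	"fmt"
	"strings"
)

// GranteeKind distinguishes the three aclitem shapes seen in pg_namespace.nspacl.
type GranteeKind int

const (
	GranteePublic GranteeKind = iota // "=UC/rdsdb": nothing before '=' means PUBLIC
	GranteeGroup                     // "group <name>=UC/rdsdb"
	GranteeUser                      // "<username>=UC/rdsdb"
)

func (k GranteeKind) String() string {
	switch k {
	case GranteePublic:
		return "public"
	case GranteeGroup:
		return "group"
	default:
		return "user"
	}
}

// ACLEntry is one parsed aclitem: grantee=privileges/grantor.
type ACLEntry struct {
	Kind       GranteeKind
	Name       string // empty for PUBLIC
	Privileges string // raw privilege letters, e.g. "UC" for USAGE and CREATE
	Grantor    string
}

// ParseACLItem parses a single aclitem such as "group analysts=UC/rdsdb".
func ParseACLItem(item string) (ACLEntry, error) {
	eq := strings.Index(item, "=")
	if eq < 0 {
		return ACLEntry{}, fmt.Errorf("aclitem %q has no '='", item)
	}
	grantee, rest := item[:eq], item[eq+1:]
	slash := strings.LastIndex(rest, "/")
	if slash < 0 {
		return ACLEntry{}, fmt.Errorf("aclitem %q has no grantor", item)
	}
	e := ACLEntry{Privileges: rest[:slash], Grantor: rest[slash+1:]}
	switch {
	case grantee == "":
		e.Kind = GranteePublic
	case strings.HasPrefix(grantee, "group "):
		e.Kind = GranteeGroup
		e.Name = strings.TrimPrefix(grantee, "group ")
	default:
		e.Kind = GranteeUser
		e.Name = grantee
	}
	return e, nil
}

// ParseACLArray splits an array literal such as
// {rdsdb=UC/rdsdb,=UC/rdsdb,"group analysts=U/rdsdb"} into entries.
// Assumption: elements with spaces are double-quoted, so a comma is a
// separator only outside quotes; escaped quotes in names are not handled.
func ParseACLArray(acl string) ([]ACLEntry, error) {
	acl = strings.TrimSpace(acl)
	if !strings.HasPrefix(acl, "{") || !strings.HasSuffix(acl, "}") {
		return nil, fmt.Errorf("not an array literal: %q", acl)
	}
	body := acl[1 : len(acl)-1]
	if body == "" {
		return nil, nil
	}
	var entries []ACLEntry
	var cur strings.Builder
	inQuote := false
	flush := func() error {
		e, err := ParseACLItem(cur.String())
		if err != nil {
			return err
		}
		entries = append(entries, e)
		cur.Reset()
		return nil
	}
	for _, r := range body {
		switch {
		case r == '"':
			inQuote = !inQuote
		case r == ',' && !inQuote:
			if err := flush(); err != nil {
				return nil, err
			}
		default:
			cur.WriteRune(r)
		}
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return entries, nil
}

// PublicPrivileges returns the privilege letters granted to PUBLIC, or "" if none.
func PublicPrivileges(entries []ACLEntry) string {
	for _, e := range entries {
		if e.Kind == GranteePublic {
			return e.Privileges
		}
	}
	return ""
}

func main() {
	// Constructed sample nspacl value in the shape described in the thread.
	const sample = `{rdsdb=UC/rdsdb,=UC/rdsdb,"group analysts=U/rdsdb",alice=C/rdsdb}`
	entries, err := ParseACLArray(sample)
	if err != nil {
		panic(err)
	}
	for _, e := range entries {
		fmt.Printf("%-6s %-10q privs=%s grantor=%s\n", e.Kind, e.Name, e.Privileges, e.Grantor)
	}
	fmt.Println("PUBLIC:", PublicPrivileges(entries))
}
```

Classifying on the grantee prefix rather than on a name comparison is what keeps the three cases apart: a user literally named "public" would show up as `public=.../rdsdb` and be reported as a user, while the real PUBLIC entry has nothing before the equals sign.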

@winglot winglot marked this pull request as ready for review January 20, 2023 12:33
@winglot winglot merged commit 3288f24 into master Jan 30, 2023
Successfully merging this pull request may close these issues.

Allow GRANTs to PUBLIC
3 participants