This repository was archived by the owner on Jan 17, 2025. It is now read-only.

Implement GRANT TO PUBLIC for all supported object types#106

Merged
winglot merged 5 commits into master from feature/grant-to-public
Jan 30, 2023

Conversation

@winglot
Member

@winglot winglot commented Jan 18, 2023

The PR adds implementation of GRANT ... TO PUBLIC. Example usage in resource:

resource "redshift_grant" "public" {
  group = "public"

  schema      = "my_schema"
  object_type = "schema"
  privileges  = ["create", "usage"]
}

Fixes #61

@mtesch-um
Contributor

Just some thoughts:

Based on the syntax of GRANT, would it make more sense to trigger on user = "PUBLIC" rather than have to write extra special-case code for group = "public"?

Should the comparison for "public" be case-insensitive?

@robertomczak

https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html

PUBLIC
Grants the specified privileges to all users, including users created later. PUBLIC represents a group that always includes all users. An individual user's privileges consist of the sum of privileges granted to PUBLIC, privileges granted to any groups that the user belongs to, and any privileges granted to the user individually.

As it represents a group, I think this implementation is correct, and using USER=PUBLIC might be misleading and not consistent with the PostgreSQL and Redshift implementation and naming.

With RBAC implementation in provider this will be also useful.

@mtesch-um
Contributor

The postgresql provider does this as a part of the role resource - which seems to more or less approximate a user. I'm really not arguing for either way being right, just wanted to point it out - the code looked a little awkward.

@winglot
Member Author

winglot commented Jan 19, 2023

@mtesch-um thank you for the feedback.

I decided to use a group as the GRANT documentation for both PostgreSQL and Redshift says:

PUBLIC represents a group that always includes all users.

The code would not really change whether it will be a user or group. It's due to how the permissions for PUBLIC are represented in Redshift. If you take a look at pg_namespace, ACLs for schemas are:

  • group <name>=UC/rdsdb for groups,
  • <username>=UC/rdsdb for users,
  • =UC/rdsdb for PUBLIC (nothing before the equal sign)

I had to modify the query to avoid accidentally catching users/groups ACLs. I tried fitting it to existing queries but that was just causing more problems.

Vanilla PostgreSQL is different in this case as it does not have a separation for users and groups in newer versions, where a role combines both (can be given a password to imitate a user and can be assigned other roles to form "groups"). Redshift is slowly heading that way too with RBAC.
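The three ACL shapes listed in the comment above, as an added example that is not code from this PR or from the provider: a small Go parser (the provider itself is written in Go) for the aclitem strings stored in pg_namespace.nspacl. It classifies each grantee by the text before the equal sign, which is "group <name>" for a group, "<name>" for a user, and empty for PUBLIC, so a query or filter that keys on the whole item rather than on that prefix cannot catch a user or group entry by accident. The array-literal handling, the privilege-letter mapping (PostgreSQL aclitem codes, which Redshift reuses) and the sample nspacl value are assumptions constructed for the example; the function names are hypothetical and nothing here is the provider's own query.

```go
package main

import (
	"fmt"
	"strings"
)

// GranteeKind distinguishes the three grantee shapes found in a Redshift ACL.
type GranteeKind int

const (
	GranteeUser GranteeKind = iota
	GranteeGroup
	GranteePublic
)

func (k GranteeKind) String() string {
	switch k {
	case GranteeGroup:
		return "group"
	case GranteePublic:
		return "public"
	default:
		return "user"
	}
}

// ACLEntry is one parsed aclitem such as "group analysts=UC/rdsdb".
type ACLEntry struct {
	Kind       GranteeKind
	Grantee    string   // empty for PUBLIC
	Privileges []string // decoded privilege names, in the order they appear
	Grantor    string   // the part after '/'
}

// privilegeNames maps aclitem privilege letters to names. Assumption: the
// standard PostgreSQL codes, of which only a subset is listed here.
var privilegeNames = map[rune]string{
	'r': "select", 'w': "update", 'a': "insert", 'd': "delete",
	'U': "usage", 'C': "create", 'X': "execute",
}

// splitACLArray splits a pg array literal such as
// {rdsdb=UC/rdsdb,=U/rdsdb,"group analysts=UC/rdsdb"} into its items.
// Items containing spaces are double-quoted, so the split respects quotes.
func splitACLArray(literal string) []string {
	s := strings.TrimSpace(literal)
	s = strings.TrimPrefix(s, "{")
	s = strings.TrimSuffix(s, "}")
	var items []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
		case r == ',' && !inQuote:
			items = append(items, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		items = append(items, cur.String())
	}
	return items
}

// parseACLItem parses one aclitem. The grantee text before '=' decides the kind:
// "group <name>" is a group, "<name>" is a user, and empty means PUBLIC.
func parseACLItem(item string) (ACLEntry, error) {
	eq := strings.Index(item, "=")
	slash := strings.LastIndex(item, "/")
	if eq < 0 || slash < eq {
		return ACLEntry{}, fmt.Errorf("malformed aclitem %q", item)
	}
	e := ACLEntry{Grantor: item[slash+1:]}
	grantee := item[:eq]
	switch {
	case grantee == "":
		e.Kind = GranteePublic
	case strings.HasPrefix(grantee, "group "):
		e.Kind = GranteeGroup
		e.Grantee = strings.TrimPrefix(grantee, "group ")
	default:
		e.Kind = GranteeUser
		e.Grantee = grantee
	}
	for _, c := range item[eq+1 : slash] {
		if c == '*' { // grant-option marker; not a privilege of its own
			continue
		}
		name, ok := privilegeNames[c]
		if !ok {
			return ACLEntry{}, fmt.Errorf("unknown privilege code %q in %q", c, item)
		}
		e.Privileges = append(e.Privileges, name)
	}
	return e, nil
}

// publicPrivileges returns only the privileges granted to PUBLIC, ignoring
// user and group entries even when they carry the same privilege letters.
func publicPrivileges(aclLiteral string) ([]string, error) {
	for _, item := range splitACLArray(aclLiteral) {
		e, err := parseACLItem(item)
		if err != nil {
			return nil, err
		}
		if e.Kind == GranteePublic {
			return e.Privileges, nil
		}
	}
	return nil, nil
}

func main() {
	// Constructed sample nspacl value; not taken from a real cluster.
	acl := `{rdsdb=UC/rdsdb,=U/rdsdb,"group analysts=UC/rdsdb",alice=C/rdsdb}`
	for _, item := range splitACLArray(acl) {
		e, err := parseACLItem(item)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%-6s %-11q %v\n", e.Kind, e.Grantee, e.Privileges)
	}
	p, _ := publicPrivileges(acl)
	fmt.Println("PUBLIC:", p)
}
```

The point of keying on the grantee prefix rather than on the privilege string is the one raised in the comment: "=UC/rdsdb" appears inside every group and user entry as well, so only the empty grantee identifies the PUBLIC entry.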

@winglot winglot marked this pull request as ready for review January 20, 2023 12:33
@winglot winglot merged commit 3288f24 into master Jan 30, 2023
@winglot winglot deleted the feature/grant-to-public branch January 17, 2025 10:13


Development

Successfully merging this pull request may close these issues.

Allow GRANTs to PUBLIC

3 participants