I am having difficulty creating users with read-only access to all tables in a schema.
I am using the following in the manifest
postgresql::server::grant {<Unique friendly name>:
db => <dbname>,
object_name => <schema_name>,
object_type => 'ALL TABLES IN SCHEMA',
privilege => 'SELECT',
role => <username>,
}
In the puppet run, I get the following error:Could not evaluate: Error evaluating 'unless' clause, returned pid 6933 exit 1: 'ERROR: unrecognized privilege type: "SELECT ON ALL TABLES"
Yet looking at the manifest:
postgresql::server::grant
Manages grant-based access privileges for roles. See PostgreSQL documentation for grant for more information.
db - Specifies the database to which you are granting access.
object_type - Specifies the type of object to which you are granting privileges. Valid options: DATABASE, SCHEMA, SEQUENCE, ALL SEQUENCES IN SCHEMA, TABLE or ALL TABLES IN SCHEMA.
object_name - Specifies name of object_type to which to grant access.
port - Port to use when connecting. Default: undef, which generally defaults to port 5432 depending on your PostgreSQL packaging.
privilege - Specifies the privilege to grant. Valid options: ALL, ALL PRIVILEGES or object_type dependent string.
psql_db - Specifies the database to execute the grant against. This should not ordinarily be changed from the default, which is postgres.
psql_user - Sets the OS user to run psql. Default: the default user for the module, usually postgres.
role - Specifies the role or user whom you are granting access to.
Hunting down the 'privilege type':privilege_type='${custom_privilege}'
$custom_privilege = $_privilege ? {
'ALL' => 'INSERT',
'ALL PRIVILEGES' => 'INSERT',
default => $_privilege,
}
And finally validate_string($_privilege,'SELECT','INSERT','UPDATE','DELETE','TRUNCATE','REFERENCES','TRIGGER','ALL','ALL PRIVILEGES')
Any ideas?
psql {"${unique_name}/tables":
db => $database,
command => "GRANT SELECT
ON ALL TABLES IN SCHEMA \"${schema}\"
TO \"${table_reader}\"",
onlyif => "SELECT *
FROM pg_tables
WHERE schemaname='${schema}'
AND has_table_privilege('${table_reader}', schemaname || '.' || tablename, 'SELECT')=false
)",
}
# Grant read permissions to table_reader by default, for new tables created by
# table_creator.
define default_read_grant(
String $database,
String $schema,
String $table_creator,
String $table_reader,
) {
psql {"${title}/sql":
db => $database,
command => "ALTER DEFAULT PRIVILEGES
FOR USER \"${table_creator}\"
IN SCHEMA \"${schema}\"
GRANT SELECT ON TABLES
TO \"${table_reader}\"",
unless => "SELECT *
FROM pg_default_acl acl
JOIN pg_namespace ns ON acl.defaclnamespace=ns.oid
WHERE acl.defaclacl::text ~ '.*\\\\\"${table_reader}\\\\\"=r/\\\\\"${table_creator}\\\\\".*'
AND ns.nspname = '${schema}'",
}
}