provider-sql icon indicating copy to clipboard operation
provider-sql copied to clipboard
verified publisher icon crossplane-contrib

Support DefaultPrivileges

Open gogovan-vincentngai opened this issue 3 years ago • 2 comments

What problem are you facing?

I would like to grant permission for Postgresql database From my understard , if we only grant permission to the database without DefaultPrivileges new created table will not have the permission However when i check the doc ,it seems does not support this https://doc.crds.dev/github.com/crossplane-contrib/provider-sql/postgresql.sql.crossplane.io/Database/[email protected] For Terraform it does have this https://registry.terraform.io/providers/cyrilgdn/postgresql/latest/docs/resources/postgresql_default_privileges

螢幕截圖 2022-11-10 上午11 43 32

gogovan-vincentngai avatar Nov 10 '22 11:11 gogovan-vincentngai

@gogovan-vincentngai and Joaquín Fernández Campo, do we really need to define "object" privileges using the provider? As for my understanding, the provider could help us define the database and its owner (and schemas is a nice to have); From this point on, projects will rely on db management tools like liquibase as soon as you give them a database owner. Idk if you agree with me on this point? What would be the use case where the provider should also manage privileges on tables?

olikyr avatar Nov 13 '24 17:11 olikyr

@gogovan-vincentngai and Joaquín Fernández Campo, do we really need to define "object" privileges using the provider? As for my understanding, the provider could help us define the database and its owner (and schemas is a nice to have); From this point on, projects will rely on db management tools like liquibase as soon as you give them a database owner. Idk if you agree with me on this point? What would be the use case where the provider should also manage privileges on tables?

I think we do need this, the use case i currently need this for is the following:

"One team manages and provisions database users with some default roles, the application teams get access to a role for migrations and another role for application usage. The application role is the one that needs default permissions for the resources created by the migration user. There's others roles in the system that also require this default privilege system setup"

This same problem could be solved using a different approach (the one you mentioned), but in general it's a pattern we want so we don't have to make the applications aware of other roles like, for example, an analytics role.

The other argument for this is that default privileges (here) is not really related to specific table grants, i think having a way of crafting a policy about roles is good (role A can access all tables created by role B from now on)

xocasdashdash avatar May 03 '25 13:05 xocasdashdash