
provider/postgres grant role when creating database #11452

Merged
merged 2 commits into from
May 2, 2017

Conversation

pbthorste
Contributor

@pbthorste pbthorste commented Jan 27, 2017

The code here is reintroduced from older commits. See:

2e52914

and

f3add9e

(the part related to grantRoleMembership).

Without this code - creating a new database with a terraform generated role as the owner will not work. You will get the error:

Error applying plan:

1 error(s) occurred:

* postgresql_database.my-db: Error creating database database1: pq: must be member of role "my-role"

@pbthorste
Contributor Author

Another issue that this commit fixes: Roles cannot be destroyed after they are created. Error is:

Error applying plan:

1 error(s) occurred:

* postgresql_role.my-role: Error deleting role: pq: permission denied to reassign objects

@martynsmith

This is definitely an issue with AWS RDS, any idea if/when it'll be merged?

@pbthorste
Contributor Author

Hopefully soon. There is a workaround - but then you have to manually log into the postgres instance and grant the role.

@mindw
Contributor

mindw commented Feb 16, 2017

@pbthorste can it be done from provisioner? do you have a code example handy?

Thanks!

@pbthorste
Contributor Author

@mindw No, it is a manual operation - I'll try to explain the steps :)

  1. Create db / use a provider
     If you create a postgres database with "aws_db_instance", you have a username
     which is usually the same one as the one used in the postgresql provider. Let's
     call that user: 'provider_user' (this user is not a superuser).

  2. Create a role
     Then you create a new role with 'postgresql_role' - let's call that 'new_role'.

  3. Create a database
     This will fail: you can't then create a database with postgresql_database where the owner is 'new_role'.

That is, until you log into your postgres instance and run:

    GRANT new_role TO provider_user;

After this grant has taken place, you can run terraform and the db will be created.

@FlorinAndrei

Without this PR the Postgresql provider in Terraform is broken if you use RDS. Please merge.

@mindw
Contributor

mindw commented Mar 23, 2017

Any news on this one?
Thanks!

Contributor

@grubernaut grubernaut left a comment

LGTM, thanks

@grubernaut grubernaut merged commit 78955ef into hashicorp:master May 2, 2017
sean- added a commit to sean-/terraform that referenced this pull request May 25, 2017
…ase.

For `ROLE`s who have been delegated `CREATEDB` privileges and are not a
superuser, in order for them to `CREATE DATABASE` they need to be a member
of the `ROLE` who will be `OWNER` for the new database.  Once the
`CREATE DATABASE` is complete, `REVOKE` the `GRANT` that was given to the role
so that the user who ran the `CREATE DATABASE` loses all privileges to the
target database (unless of course they're a superuser).

Fixes a regression introduced in hashicorp#11452
sean- added a commit to sean-/terraform that referenced this pull request May 25, 2017
stack72 pushed a commit that referenced this pull request May 31, 2017
* Fix doc bug. Spell `collation` like `lc_collate`.

* Whitespace nit in error message

* Use %q as the format verb for error messages in postgresql_database resource messages.

* REVOKE the `GRANT` given to the connection user when creating a database.

For `ROLE`s who have been delegated `CREATEDB` privileges and are not a
superuser, in order for them to `CREATE DATABASE` they need to be a member
of the `ROLE` who will be `OWNER` for the new database.  Once the
`CREATE DATABASE` is complete, `REVOKE` the `GRANT` that was given to the role
so that the user who ran the `CREATE DATABASE` loses all privileges to the
target database (unless of course they're a superuser).

Fixes a regression introduced in #11452

* Delegated DBA ROLEs can now fix OWNER drift for PostgreSQL databases.

Uses the helper functions introduced in #11452
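The temporary-membership pattern from pbthorste's manual workaround and from the follow-up commit message (grant the owner role to the connection user, act, then revoke it) as an added illustration in Go, not code from the Terraform provider. It generates the statement sequence for the two cases the thread reports, creating a database owned by a managed role and destroying a role that owns objects; the `withMembership`, `quoteIdent` and `DropRoleStatements` helpers are assumptions of this example, and the REASSIGN OWNED / DROP OWNED ordering for the drop case is a generalization beyond what the thread shows.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteIdent double-quotes a PostgreSQL identifier, doubling embedded quotes,
// so role and database names from configuration are never spliced into SQL raw.
func quoteIdent(name string) string {
	return `"` + strings.ReplaceAll(name, `"`, `""`) + `"`
}

// withMembership wraps body in a temporary GRANT/REVOKE of role to the
// connection user. A non-superuser with CREATEDB may only act on behalf of a
// role it is a member of; revoking afterwards keeps the connection user from
// retaining standing privileges on objects owned by that role (least privilege).
func withMembership(connUser, role string, connIsSuperuser bool, body ...string) []string {
	if connIsSuperuser || connUser == role {
		return body // a superuser, or a user acting as itself, needs no membership
	}
	stmts := []string{fmt.Sprintf("GRANT %s TO %s;", quoteIdent(role), quoteIdent(connUser))}
	stmts = append(stmts, body...)
	return append(stmts, fmt.Sprintf("REVOKE %s FROM %s;", quoteIdent(role), quoteIdent(connUser)))
}

// CreateDatabaseStatements is the sequence for "create a database owned by a
// Terraform-managed role", the case behind "must be member of role".
func CreateDatabaseStatements(connUser, owner, dbName string, connIsSuperuser bool) []string {
	return withMembership(connUser, owner, connIsSuperuser,
		fmt.Sprintf("CREATE DATABASE %s OWNER %s;", quoteIdent(dbName), quoteIdent(owner)))
}

// DropRoleStatements is the sequence for destroying a role that may own objects
// (the "permission denied to reassign objects" case): REASSIGN OWNED and
// DROP OWNED act on behalf of the role, so membership is needed first.
func DropRoleStatements(connUser, role string, connIsSuperuser bool) []string {
	stmts := withMembership(connUser, role, connIsSuperuser,
		fmt.Sprintf("REASSIGN OWNED BY %s TO %s;", quoteIdent(role), quoteIdent(connUser)),
		fmt.Sprintf("DROP OWNED BY %s;", quoteIdent(role)))
	return append(stmts, fmt.Sprintf("DROP ROLE %s;", quoteIdent(role)))
}

func main() {
	// Names from the thread's example: constructed input, not a live connection.
	for _, s := range CreateDatabaseStatements("provider_user", "new_role", "database1", false) {
		fmt.Println(s)
	}
}
```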
@ghost

ghost commented Apr 13, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 13, 2020