
Own Priviliges in Version 6.1 ? #664

Open
peteerwhite opened this issue Jul 31, 2024 · 5 comments

Comments

@peteerwhite

peteerwhite commented Jul 31, 2024

Hello everyone,

is there a possibility to define own privileges in version 6.1 (like in version 5) ?

For example like this:

```yaml
privileges:
  my_own_priv:
    type: nspacl
    # {schema} and {role} are substituted by ldap2pg for each (schema, role) pair.
    grant: GRANT EXECUTE ON FUNCTION {schema}.myfunc TO {role};
    revoke: REVOKE EXECUTE ON FUNCTION {schema}.myfunc FROM {role};
    # nspacl inspect queries return one (schema name, role name) row per existing grant.
    inspect: |
      WITH grants AS (
        SELECT
          pronamespace, proname,
          (aclexplode(proacl)).grantee,
          (aclexplode(proacl)).privilege_type
        FROM pg_proc
      )
      SELECT
        nspname,
        pg_catalog.pg_get_userbyid(grantee) AS grantee
      FROM grants
      JOIN pg_namespace ON pg_namespace.oid = pronamespace
      WHERE proname = 'myfunc' AND privilege_type = 'EXECUTE';
```

Thanks for help :)
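The inspect query above has one failure mode worth knowing about before wiring it into a privilege definition: a function that has never been explicitly GRANTed or REVOKEd has a NULL `proacl`, and `aclexplode(NULL)` yields no rows, even though PostgreSQL's default ACL for functions grants EXECUTE to PUBLIC. An inspect query that returns nothing for such a function makes ldap2pg believe nobody holds the privilege. The following is an added example, not code from the issue or from ldap2pg itself; the schema `app`, the functions `myfunc` and `untouched` and the role `reporting` are constructed for the demonstration and rolled back at the end.

```sql
-- Added example (not ldap2pg's own code): an inspect query for EXECUTE on
-- specific functions that also accounts for NULL proacl by falling back to
-- acldefault('f', proowner), the ACL PostgreSQL applies when proacl is NULL.
-- All objects below are constructed for the demonstration.
BEGIN;

CREATE SCHEMA app;
CREATE ROLE reporting;
CREATE FUNCTION app.myfunc() RETURNS int LANGUAGE sql AS 'SELECT 1';
-- Never granted or revoked: its proacl stays NULL.
CREATE FUNCTION app.untouched() RETURNS int LANGUAGE sql AS 'SELECT 2';
-- Mirror what the "grant" template would execute for one (schema, role) pair.
GRANT EXECUTE ON FUNCTION app.myfunc() TO reporting;

-- One (schema, grantee) row per EXECUTE privilege, explicit or default.
WITH grants AS (
  SELECT
    p.pronamespace,
    p.proname,
    acl.grantee,
    acl.privilege_type
  FROM pg_proc AS p
  CROSS JOIN LATERAL aclexplode(coalesce(p.proacl, acldefault('f', p.proowner))) AS acl
)
SELECT
  n.nspname,
  g.proname,
  -- grantee OID 0 is PUBLIC; pg_get_userbyid(0) would print "unknown (OID=0)".
  CASE WHEN g.grantee = 0 THEN 'PUBLIC'
       ELSE pg_catalog.pg_get_userbyid(g.grantee) END AS grantee
FROM grants AS g
JOIN pg_namespace AS n ON n.oid = g.pronamespace
WHERE n.nspname = 'app'
  AND g.proname IN ('myfunc', 'untouched')
  AND g.privilege_type = 'EXECUTE'
ORDER BY 1, 2, 3;

ROLLBACK;
```

Run it as a superuser in `psql`. With the `coalesce`, `app.untouched` still reports its implicit PUBLIC grant; drop the `coalesce` and that function disappears from the result entirely. Two further caveats for a real privilege definition: filter on `nspname` as well as `proname`, otherwise a same-named function in another schema is counted, and `proname` alone does not distinguish overloads, so for overloaded functions compare `p.oid::regprocedure` against the full signature instead.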

@bersace
Member

bersace commented Jul 31, 2024

It's not possible yet. It's a known regression from v5.

However, it's likely to come back like this:

```yaml
acl:
  FUNCTION:
    inspect: ...
    grant: ...
    revoke: ...

privileges:
  ro:
    - type: EXECUTE
      on: FUNCTION
```

This new way of declaring ACLs allows deduplicating the execution of inspect queries.

@peteerwhite
Author

All right, thank you very much :)

@peteerwhite
Author

I have another question ... Is it possible to specify a config for roles, such as `log_statement`?

```yaml
- roles:
  - name: my-db-writer
    config:
      log_statement: mod
      log_min_duration_sample: 100
```

However, this config only works for static roles and not for LDAP roles.

How can I use this config for roles that are created with an ldapsearch command?

This does not work:

```yaml
- description: "Search LDAP to create Superusers."
  ldapsearch:
    base: ...
  roles:
  - name: '{member.cn}'
    options: SUPERUSER LOGIN
    config:
      log_statement: all
```

@bersace
Member

bersace commented Jul 31, 2024

> I have another question ... Is it possible to specify a config for roles, such as `log_statement`?
>
> ```yaml
> - roles:
>   - name: my-db-writer
>     config:
>       log_statement: mod
>       log_min_duration_sample: 100
> ```
>
> However, this config only works for static roles and not for LDAP roles.
>
> How can I use this config for roles that are created with an ldapsearch command?
>
> This does not work:
>
> ```yaml
> - description: "Search LDAP to create Superusers."
>   ldapsearch:
>     base: ...
>   roles:
>   - name: '{member.cn}'
>     options: SUPERUSER LOGIN
>     config:
>       log_statement: all
> ```

This may be a bug; please open another issue with verbose logs.

@peteerwhite
Author

I have already looked in the logs, but there is nothing to see.

When I run the config with a static role, I get the following:

```text
10:04:42 CHANGE Would Set role config.                           role=test config=log_statement value=all database=postgres
10:04:42 DEBUG  Would Execute SQL query:
ALTER ROLE "test" SET "log_statement" TO 'all'
```

But when I link the config to the ldapsearch as in the config above, there is no `log_statement` anywhere in the log.

I don't know if this is the same for someone else.
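Whatever the cause on the ldap2pg side, the server itself records which role-level settings were actually applied: the `config` block ends up as `ALTER ROLE ... SET`, as the DEBUG line above shows, and PostgreSQL stores those in `pg_db_role_setting`. Querying that catalog is the ground truth for both the static-role case and the ldapsearch case. The following is an added example, not code from the issue or from ldap2pg; the role `ldap_admin` and its settings are constructed for the demonstration and rolled back at the end.

```sql
-- Added example (not ldap2pg's own code): confirm which role-level settings
-- reached the server, and list superusers that carry no log_statement setting
-- at all. Run as a superuser; the role below is constructed and rolled back.
BEGIN;

CREATE ROLE ldap_admin SUPERUSER LOGIN;
-- Cluster-wide setting, the form ldap2pg's DEBUG output shows.
ALTER ROLE ldap_admin SET log_statement TO 'all';
-- Per-database variant, stored in the same catalog with setdatabase filled in.
ALTER ROLE ldap_admin IN DATABASE postgres SET log_min_duration_sample TO 100;

-- 1. Every role-level setting for the role, with the database scope it applies to.
SELECT
  r.rolname,
  coalesce(d.datname, '<all databases>') AS database,
  s.setconfig
FROM pg_db_role_setting AS s
JOIN pg_roles AS r ON r.oid = s.setrole
LEFT JOIN pg_database AS d ON d.oid = s.setdatabase
WHERE r.rolname = 'ldap_admin'
ORDER BY 1, 2;

-- 2. Superusers (LDAP-provisioned or not) whose statements are NOT covered by a
--    role-level log_statement and therefore fall back to the server-wide value.
--    setconfig is a text[] of 'name=value' entries.
SELECT r.rolname
FROM pg_roles AS r
WHERE r.rolsuper
  AND NOT EXISTS (
    SELECT 1
    FROM pg_db_role_setting AS s
    WHERE s.setrole = r.oid
      AND EXISTS (
        SELECT 1 FROM unnest(s.setconfig) AS c(entry)
        WHERE c.entry LIKE 'log_statement=%'
      )
  )
ORDER BY 1;

ROLLBACK;
```

Inside the transaction `ldap_admin` shows up in the first query and is absent from the second; a superuser created from an ldapsearch rule whose `config` was silently skipped would do the opposite, which is a quicker way to confirm the gap than searching ldap2pg's own log for a line that never appears.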
