Commit graph

35 commits

Author SHA1 Message Date
Will Thames
47cb92f74f Ensure TEMP privilege gets removed when expanding ALL.
ALL gets expanded to the list of VALID_PRIVS which includes
TEMPORARY and TEMP
The code that replaced TEMP with TEMPORARY didn't work with the
expansion
2015-07-22 13:34:52 +10:00
Will Thames
2a0f6c1cb3 Correct handling of empty role_attr_flags
role_attr_flags is the empty string by default, not None.
2015-07-22 12:05:21 +10:00
ToBeReplaced
5e82f7e11e Make ALL_IN_SCHEMA for tables affect views
ALL TABLES is considered to include views, so we must check for reltypes
'r' and 'v', not just 'r'. This bug was introduced due to using a
custom, backwards-compatible version of "ALL TABLES IN SCHEMA".
2015-06-27 11:41:01 -06:00
Greg DeKoenigsberg
2a5f0bde87 Proper author info for all remaining modules 2015-06-15 15:53:30 -04:00
Toshio Kuratomi
c700993dd5 Fix a problem introduced with #1101 and optimize privilege handling
* If a db user belonged to a role which had a privilege, the user would
  not have the privilege added as the role gave the appearance that the
  user already had it.  Fixed to always check the privileges specific to
  the user.
* Make fewer db queries to determine if privileges need to be changed
  and change them (was four for each privilege.  Now two for each object
  that has a set of privileges changed).
2015-06-01 15:59:26 -07:00
Will Thames
167e7c2b81 Perform privilege grants/revokes only when required
Use `has_table_privileges` and `has_database_privileges`
to test whether a user already has a privilege before
granting it, or whether a user doesn't have  a privilege
before revoking it.
2015-06-01 15:15:22 -07:00
Toshio Kuratomi
c9b17136e4 Fix a problem introduced with #1101 and optimize privilege handling
* If a db user belonged to a role which had a privilege, the user would
  not have the privilege added as the role gave the appearance that the
  user already had it.  Fixed to always check the privileges specific to
  the user.
* Make fewer db queries to determine if privileges need to be changed
  and change them (was four for each privilege.  Now two for each object
  that has a set of privileges changed).
2015-05-19 12:57:06 -07:00
Toshio Kuratomi
7dd9f57e16 Fix splitting of role_attrs 2015-05-18 12:45:47 -07:00
Will Thames
c956c65731 Usage is not a valid database or table privilege
Remove `USAGE` from the `VALID_PRIVS` dict for both database and
table because it is not a valid privilege for either (and
breaks the implementation of `has_table_privilege` and
`has_database_privilege`

See http://www.postgresql.org/docs/9.0/static/sql-grant.html
2015-04-08 13:00:50 +10:00
Will Thames
7d66da35a7 Perform privilege grants/revokes only when required
Use `has_table_privileges` and `has_database_privileges`
to test whether a user already has a privilege before
granting it, or whether a user doesn't have  a privilege
before revoking it.
2015-04-08 12:48:45 +10:00
Will Thames
b4515c8909 Update postgresql users only when necessary
For read-only databases, users should not change when no changes
are required.

Don't issue ALTER ROLE when role attribute flags, users password
or expiry time is not changing.

In certain cases (hashed passwords in the DB, but the password
argument is not hashed) passlib.hash is required to avoid
running ALTER ROLE.
2015-04-08 11:17:11 +10:00
tedder
bffd137edd code review fixes per #957 2015-03-30 15:51:54 -07:00
tedder
472331a53b skip password changes so pg_authid isn't needed
Some places ([AWS RDS](https://forums.aws.amazon.com/thread.jspa?threadID=151248)) don't have, or don't allow, access to the `pg_authid` table. The only reason that is necessary is to check for a password change.

This flag is a workaround so passwords can only be set at creation time. It isn't as elegant as changing the password down the line, but it fixes the longstanding issue #297 that prevented this from being useful on AWS RDS.
2015-03-30 13:35:54 -07:00
Brian Coca
02af66d232 Merge pull request #559 from mjschultz/postgres-db-fix
Build the db connection on `"postgres"` instead of `"template1"`
2015-02-11 17:38:34 -05:00
Johannes Steger
34aa98a99c Fix function identifier quoting 2015-01-26 17:47:03 +01:00
Michael J. Schultz
b894bc2b77 Build the db connection on "postgres" instead of "template1"
According to the postgresql docs[1], you should not have a connection with
`"template1"` when copying multiple databases.

[1]: http://www.postgresql.org/docs/9.1/static/manage-ag-templatedbs.html
2014-12-23 14:16:29 -06:00
Toshio Kuratomi
b0c94cd6f6 Merge pull request #281 from kustodian/postgresql_db_fix_for_python_24_checkmode
Fixed postgresql_db failing on Python 2.4 with --check
2014-12-14 13:43:44 -08:00
kustodian
07b98c45df Fixed postgresql_db failing on Python 2.4 with --check
This reverts commit 81cbdb6c8c and adds ignoring of the SystemExit exception because of Python 2.4.
2014-12-13 17:24:10 +01:00
Toshio Kuratomi
b766390ae2 Add USAGE as a valid privilege 2014-12-03 14:43:20 -08:00
Toshio Kuratomi
5af4463823 Gixes to doc formatting 2014-12-03 08:17:15 -08:00
Toshio Kuratomi
dda6d89060 Fix typo so docs will build 2014-12-03 07:09:10 -08:00
Dan
084ccf5a64 Adds a login_unix_socket option to the postgresql_privs module. 2014-12-01 12:27:12 -05:00
Dan
3a3ff1f0e4 Adds a unix_socket/login_unix_socket option to the postgresql_user module. 2014-12-01 12:23:33 -05:00
Dan
bf36697a55 Adds a login_unix_socket option to the postgresql_db module. 2014-12-01 12:23:33 -05:00
Toshio Kuratomi
2a794fa776 Fix for single role_attr 2014-11-26 14:43:56 -08:00
Devin Christensen
06f1c1a97e Fix user_alter in postgresql_user 2014-11-25 12:04:47 -07:00
Devin Christensen
c77ab67274 Fix user_add in postgresql_user 2014-11-25 11:46:41 -07:00
Devin Christensen
4a3d7473fd Fix syntax error 2014-11-25 10:44:04 -07:00
Toshio Kuratomi
06ac459fc5 Correct new function name 2014-11-25 01:42:33 -08:00
Toshio Kuratomi
c84ae54294 Normalize privs and flags to uppercase so comparisons against allowed names will work 2014-11-25 00:44:18 -08:00
Toshio Kuratomi
fbc4ed7a88 Make sure we quote or confirm good all user provided identifiers 2014-11-24 22:56:51 -08:00
Toshio Kuratomi
51910a1a33 Audit escaping of identifiers in the postgresql_user module 2014-11-24 22:30:10 -08:00
Toshio Kuratomi
1b0afb137c More robust quoting of database identifiers
Note: These aren't database values, those are already using the
appropriate Pyhton DB API method for quoting.
2014-11-24 20:51:27 -08:00
kustodian
81cbdb6c8c Fixed postgresql_db failing on Python 2.4 with --check 2014-11-06 09:46:54 +01:00
Michael DeHaan
3ed1378067 Some more module categorization. 2014-11-04 17:23:22 -05:00