fix: Optional revoke on postgresql_grant_role #384
bfa51f0 to 0dd7039
Hi, could we have a quick review and feedback on this one please? A few of our teams are starting their upgrades to PG16 and they start experiencing errors due to the systematic revoke.

Hi, I would like some view on when this PR could be checked (if it ever could be). Thank you very much :)

Hi, Thank you for opening this PR and sorry for the response delay. Actually I wonder why it revokes the role before granting him again 🤔 I know in As it's possible to grant the same role twice, it will just print a NOTICE log saying that the role is already a member, I think we could get rid of this revoke. I'll just quickly check if it's the same behavior in all supported versions.

Hi, thank you very much for your feedback 😄 I also had the same feeling about this potentially-useless revoke, but I was not confident enough in my DBA skills to assume it in the first place. Thank you for comforting this point of view. I'm waiting for your feedback then. Have a nice day/evening

Hi, any news? We're being solicited on this issue, we have a work-around to provide (we built a custom version of the provider, and we tell people to change the version temporarily) but it's not easy to understand for our colleagues.
0dd7039 to 1b99a50
Hi, I did a small change to disable the REVOKE query by default. For me it makes more sense since its usage is not trivial in all cases, but I do get that it could be useful for some. Hence it should be opt-in for me.
f2c2e47 to dea1401

1b99a50 to 9b5db60
Hi, is it possible for you to review/merge this soon? Thanks in advance

Hi @faymard,
Do you have some examples of use cases where it could be useful? Otherwise you can simply remove the revoke I think.

Hi,
Well, I don't but I was just making assumptions 😅 Maybe it's just useful in case the role was granted outside of Terraform to avoid conflicts, but IMHO this should be resolved by imports. If you're ok with simply removing the revoke part, I'll do it ASAP, no problems. Maybe even tomorrow so it's done quick.

I'm totally ok 👍 (it's the same as having the revoke disabled by default; in the worst case, if someone complains, I'll do a small patch like you did here)

I made the change this morning. I still need to test it though

@faymard Is it ok for you, can we merge it?

Yes, it's good for us and working as intended. Thanks :)

Any update?

Since PostgreSQL 16.0, there is a dependency check made when revoking grants on roles.
Specifically, if role A has a grant with admin rights on role B, and uses these rights to grant role B to role C, then it can't be revoked without cascading.
This PR allows using `postgresql_grant_role` without doing an initial `REVOKE` query. Our use case for this feature is applying two different DB stacks (one for development and one for unit testing) which share grants on common roles.
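
The dependency check described above can be reproduced directly in SQL. This is an added example, not code from the PR or the provider; the role names `role_a`, `role_b` and `role_c` are constructed placeholders, and it assumes a superuser session on a scratch PostgreSQL 16 or later instance.

```sql
-- Constructed example: role_a, role_b, role_c are placeholder names.
-- Run as a superuser on a scratch PostgreSQL 16+ instance.
CREATE ROLE role_a;
CREATE ROLE role_b;
CREATE ROLE role_c;

-- role_a becomes a member of role_b and may administer its membership.
GRANT role_b TO role_a WITH ADMIN OPTION;

-- role_a uses that admin right to grant role_b to role_c.
SET ROLE role_a;
GRANT role_b TO role_c;
RESET ROLE;

-- The grantor column shows the dependency PostgreSQL 16 tracks:
-- the row for member role_c has grantor role_a.
SELECT roleid::regrole  AS role,
       member::regrole  AS member,
       grantor::regrole AS grantor,
       admin_option
FROM pg_auth_members
WHERE roleid = 'role_b'::regrole;

-- Revoke-then-grant pattern: on PostgreSQL 16 this REVOKE is rejected
-- with "dependent privileges exist", because role_c's membership
-- depends on role_a's admin option.
REVOKE role_b FROM role_a;

-- Adding CASCADE would let the revoke through, but it would also drop
-- role_c's membership as a side effect, so it is left commented out.
-- REVOKE role_b FROM role_a CASCADE;

-- Grant without a prior revoke: repeating an existing grant only
-- raises a NOTICE and leaves role_c's membership untouched.
GRANT role_b TO role_a WITH ADMIN OPTION;

-- Cleanup: drop the dependent member first, then its grantor.
DROP ROLE role_c;
DROP ROLE role_a;
DROP ROLE role_b;
```

Run it with `psql` without `ON_ERROR_STOP` so the script continues past the rejected `REVOKE`.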