From ad99fa5f0393e2679e5323df653c508ffa0ac072 Mon Sep 17 00:00:00 2001
From: Konstantin Knizhnik
Date: Mon, 30 Oct 2023 17:29:25 +0200
Subject: [PATCH] Grant BYPASSRLS and REPLICATION to exited roles (#5657)

## Problem
Role need to have REPLICATION privilege to be able to used for logical replication. New roles are created with this option. This PR tries to update existed roles.
## Summary of changes
Update roles in `handle_roles` method
## Checklist before requesting a review
- [ ] I have performed a self-review of my code.
- [ ] If it is a core feature, I have added thorough tests.
- [ ] Do we need to implement analytics? if so did you add the relevant metrics to the dashboard?
- [ ] If this PR requires public announcement, mark it with /release-notes label and add several sentences in this section.
## Checklist before merging
- [ ] Do not forget to reformat commit message to not include the above checklist
---------
Co-authored-by: Konstantin Knizhnik
---
 compute_tools/src/pg_helpers.rs | 7 ++++++-
 compute_tools/src/spec.rs | 5 ++++-
 libs/compute_api/src/spec.rs | 2 ++
 3 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/compute_tools/src/pg_helpers.rs b/compute_tools/src/pg_helpers.rs
index b79e516650..8722822f5e 100644
--- a/compute_tools/src/pg_helpers.rs
+++ b/compute_tools/src/pg_helpers.rs
@@ -193,11 +193,16 @@ impl Escaping for PgIdent {
 /// Build a list of existing Postgres roles
 pub fn get_existing_roles(xact: &mut Transaction<'_>) -> Result> {
 let postgres_roles = xact
- .query("SELECT rolname, rolpassword FROM pg_catalog.pg_authid", &[])?
+ .query(
+ "SELECT rolname, rolpassword, rolreplication, rolbypassrls FROM pg_catalog.pg_authid",
+ &[],
+ )?
 .iter()
 .map(|row| Role {
 name: row.get("rolname"),
 encrypted_password: row.get("rolpassword"),
+ replication: Some(row.get("rolreplication")),
+ bypassrls: Some(row.get("rolbypassrls")),
 options: None,
 })
 .collect();
diff --git a/compute_tools/src/spec.rs b/compute_tools/src/spec.rs
index f7ca2eb33c..6e4d4ccf49 100644
--- a/compute_tools/src/spec.rs
+++ b/compute_tools/src/spec.rs
@@ -265,6 +265,8 @@ pub fn handle_roles(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
 let action = if let Some(r) = pg_role {
 if (r.encrypted_password.is_none() && role.encrypted_password.is_some())
 || (r.encrypted_password.is_some() && role.encrypted_password.is_none())
+ || !r.bypassrls.unwrap_or(false)
+ || !r.replication.unwrap_or(false)
 {
 RoleAction::Update
 } else if let Some(pg_pwd) = &r.encrypted_password {
@@ -296,7 +298,8 @@ pub fn handle_roles(spec: &ComputeSpec, client: &mut Client) -> Result<()> {
 match action {
 RoleAction::None => {}
 RoleAction::Update => {
- let mut query: String = format!("ALTER ROLE {} ", name.pg_quote());
+ let mut query: String =
+ format!("ALTER ROLE {} BYPASSRLS REPLICATION", name.pg_quote());
 query.push_str(&role.to_pg_options());
 xact.execute(query.as_str(), &[])?;
 }
diff --git a/libs/compute_api/src/spec.rs b/libs/compute_api/src/spec.rs
index cfbd50d38a..c16deceebb 100644
--- a/libs/compute_api/src/spec.rs
+++ b/libs/compute_api/src/spec.rs
@@ -190,6 +190,8 @@ pub struct DeltaOp {
 pub struct Role {
 pub name: PgIdent,
 pub encrypted_password: Option,
+ pub replication: Option,
+ pub bypassrls: Option,
 pub options: GenericOptions,
 }
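Review bot: In the first `handle_roles` hunk of `compute_tools/src/spec.rs`, the added clauses `|| !r.bypassrls.unwrap_or(false)` and `|| !r.replication.unwrap_or(false)` select `RoleAction::Update` for any matched existing role that lacks either attribute, and the spec side (`role.replication`, `role.bypassrls`) is never consulted in the visible lines. The description motivates REPLICATION for logical replication but gives no reason for BYPASSRLS, which exempts a role from row-level security policies, so roles end up holding more privilege than the stated need. I would gate each clause on the spec, e.g. `|| (role.replication == Some(true) && !r.replication.unwrap_or(false))`, with the matching change to the `ALTER ROLE` string in the next hunk, or at least record the reason in a comment such as `// every spec role must hold BYPASSRLS and REPLICATION because ...`. The loop that binds `pg_role` starts outside the hunk, so which roles are affected should be confirmed there.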
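Review bot: In the `RoleAction::Update` arm, the new format string `"ALTER ROLE {} BYPASSRLS REPLICATION"` drops the trailing space that the old `"ALTER ROLE {} "` carried, while `role.to_pg_options()` is still appended directly with `push_str`. `to_pg_options` is not visible in this patch; if it can return text that does not begin with a space, `REPLICATION` runs straight into the first option, the statement is rejected, and the error propagates out of `handle_roles` through `?`. Keeping the separator in the literal removes that dependency: `format!("ALTER ROLE {} BYPASSRLS REPLICATION ", name.pg_quote());`. The enclosing `match` continues outside the hunk.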
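Review bot: The new public fields `replication` and `bypassrls` on `Role` in `libs/compute_api/src/spec.rs` have no doc comments, and the meaning of `None` is left open. `get_existing_roles` always fills them with `Some(..)` from `pg_authid`, whereas `handle_roles` reads `None` as "attribute missing" via `unwrap_or(false)`, and nothing visible says whether a spec is allowed to set them. If the intent is that they only mirror catalog state, say so on the fields, e.g. `/// REPLICATION attribute as read from pg_authid; None when the role was not loaded from the catalog.` on `replication` and the matching line on `bypassrls`.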