subzero integration WIP1

proxy/subzero/sql/include/pgrst.sql

@@ -2,14 +2,20 @@
 -- code to monitor the last schema update
 CREATE SCHEMA IF NOT EXISTS pgrst;
 
-ALTER ROLE authenticator SET pgrst.last_schema_updated = now()::text;
+ALTER ROLE authenticator SET pgrst.last_schema_updated = '';
 -- Create an event trigger function
 CREATE OR REPLACE FUNCTION pgrst.pgrst_watch() RETURNS event_trigger
-  LANGUAGE sql
-  AS $$
-  ALTER ROLE authenticator SET pgrst.last_schema_updated = now()::text;
+LANGUAGE plpgsql
+AS $$
+DECLARE
+  current_timestamp_text TEXT;
+BEGIN
+  current_timestamp_text := now()::text;
+  EXECUTE 'ALTER ROLE authenticator SET pgrst.last_schema_updated = ' || quote_literal(current_timestamp_text);
+END;
 $$;
 
+
 CREATE OR REPLACE FUNCTION pgrst.last_schema_updated() RETURNS text
   LANGUAGE sql
   AS $$
@@ -17,6 +23,6 @@ CREATE OR REPLACE FUNCTION pgrst.last_schema_updated() RETURNS text
 $$;
 
 -- This event trigger will fire after every ddl_command_end event
-CREATE EVENT TRIGGER pgrst.pgrst_watch
+CREATE EVENT TRIGGER pgrst_watch
   ON ddl_command_end
   EXECUTE PROCEDURE pgrst.pgrst_watch();

proxy/subzero/sql/include/roles.sql

@@ -1,11 +1,11 @@
-CREATE ROLE authenticator LOGIN NOINHERIT;
-CREATE ROLE anonymous noinherit;
-GRANT ROLE anonymous TO authenticator;
+CREATE ROLE authenticator LOGIN NOINHERIT NOCREATEDB NOCREATEROLE NOSUPERUSER;
+CREATE ROLE anon NOLOGIN;
+GRANT anon TO authenticator;
 
 -- reloadable config options
 -- these settings will override the values in configs/no-defaults.config, so they must be different
 -- ALTER ROLE authenticator SET pgrst.db_aggregates_enabled = 'false';
-ALTER ROLE authenticator SET pgrst.db_anon_role = 'anonymous';
+ALTER ROLE authenticator SET pgrst.db_anon_role = 'anon';
 ALTER ROLE authenticator SET pgrst.db_extra_search_path = 'public, extensions';
 ALTER ROLE authenticator SET pgrst.db_max_rows = '500';
 -- ALTER ROLE authenticator SET pgrst.db_plan_enabled = 'false';

proxy/subzero/sql/include/tenant1.sql

@@ -11,8 +11,8 @@ INSERT INTO tenant1.items (name) VALUES
     ('tenant1 item 3');
 
 
-CREATE ROLE tenant1_role NOINHERIT;
-GRANT ROLE tenant1_role TO authenticator;
+CREATE ROLE tenant1_role NOLOGIN;
+GRANT tenant1_role TO authenticator;
 
 GRANT USAGE ON SCHEMA tenant1 TO tenant1_role;
 GRANT ALL ON ALL TABLES IN SCHEMA tenant1 TO tenant1_role;

proxy/subzero/sql/include/tenant2.sql

@@ -11,8 +11,8 @@ INSERT INTO tenant2.items (name) VALUES
     ('tenant2 item 3');
 
 
-CREATE ROLE tenant2_role NOINHERIT;
-GRANT ROLE tenant2_role TO authenticator;
+CREATE ROLE tenant2_role NOLOGIN;
+GRANT tenant2_role TO authenticator;
 
 GRANT USAGE ON SCHEMA tenant2 TO tenant2_role;
 GRANT ALL ON ALL TABLES IN SCHEMA tenant2 TO tenant2_role;

proxy/subzero/sql/include/test.sql

@@ -10,8 +10,8 @@ INSERT INTO test.items (name) VALUES
     ('test item 2'),
     ('test item 3');
 
-CREATE ROLE test_role NOINHERIT;
-GRANT ROLE test_role TO authenticator;
+CREATE ROLE test_role NOLOGIN;
+GRANT test_role TO authenticator;
 
 GRANT USAGE ON SCHEMA test TO test_role;
 GRANT ALL ON ALL TABLES IN SCHEMA test TO test_role;