puppetlabs-puppetdb icon indicating copy to clipboard operation
puppetlabs-puppetdb copied to clipboard

Published 20 hours ago verified publisher icon puppetlabs

fix unless clause when grant default permissions

Open igomura opened this issue 3 years ago • 7 comments

Please check out the suggested PR. It fixes the case when we need to have RO user for the database.

igomura avatar Nov 28 '21 19:11 igomura

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

CLAassistant avatar Nov 28 '21 19:11 CLAassistant

puppetdb::database::default_read_grant is a type

that may have no external impact to Forge modules.

This module is declared in 33 of 578 indexed public Puppetfiles.

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

puppet-community-rangefinder[bot] avatar Nov 28 '21 19:11 puppet-community-rangefinder[bot]

@Filipovici-Andrei please review

igomura avatar Nov 28 '21 22:11 igomura

@thde please hold on. I've realized my PR is for the corner case too. The regex expects doubled quotes around the usernames but it is not always the case. It only happens if username has dashes or any other non-alphabetical symbols. Without them there will be no quotes. So, I have to rework my regex to match both cases

igomura avatar Dec 01 '21 17:12 igomura

now it works for both cases. the PR is ready for review

igomura avatar Dec 01 '21 20:12 igomura

I am getting the error as mentioned in https://github.com/puppetlabs/puppetlabs-puppetdb/pull/330#issuecomment-935496488 when using

class { 'puppetdb':
        manage_dbserver        => false

Is there a workaround until this PR gets merged + released or do I need to downgrade the module to 7.8.0?

elkangaroo avatar May 05 '22 11:05 elkangaroo

Hmm, the patch as written leads Puppet to try change the permissions for me on every run. After looking at this for a while today, it seems to me it'd be simpler to convert the array to a string with Postgres' built-in function then match it, like this example in the WHERE clause of the "grant default select permission" section:

WHERE array_to_string(acl.defaclacl, ' + ') ~ '.*(\")?${database_read_only_username}(\")?=r/${database_username}.*'

The Postgres array_to_string() function changes the output we're trying to match in the acl.defaclacl column from looking like {"\"puppetdb-read\"=r/puppetdb"} to "puppetdb-read"=r/puppetdb, which means no pesky spare backslashes to match. That makes it more understandable and readable to my eyes at least.

jhunt-steds avatar Jun 22 '22 20:06 jhunt-steds

Hi all, may I check what's happening to this? Is it just waiting for @igomura to sign the CLA?

It seems a waste that all these effort went into coming up with a PR and reviews but it got stuck here. Any suggestions on how we can move this forward?

waipeng avatar Sep 01 '23 07:09 waipeng

Closing this one as @waipeng opened #371 to continue working on this using @jhunt-steds suggestion which improve readability.

smortex avatar Sep 30 '23 22:09 smortex