class PostgreSQL
include Chef::Mixin::ShellOut
+ SCHEMA_PRIVILEGES = [
+ :create, :usage
+ ].freeze
+
TABLE_PRIVILEGES = [
:select, :insert, :update, :delete, :truncate, :references, :trigger
].freeze
+ SEQUENCE_PRIVILEGES = [
+ :usage, :select, :update
+ ].freeze
+
def initialize(cluster)
@cluster = cluster
end
end
def users
- @users ||= query("SELECT * FROM pg_user").each_with_object({}) do |user, users|
+ @users ||= query("SELECT *, ARRAY(SELECT groname FROM pg_group WHERE usesysid = ANY(grolist)) AS roles FROM pg_user").each_with_object({}) do |user, users|
users[user[:usename]] = {
:superuser => user[:usesuper] == "t",
:createdb => user[:usercreatedb] == "t",
:createrole => user[:usecatupd] == "t",
- :replication => user[:userepl] == "t"
+ :replication => user[:userepl] == "t",
+ :roles => parse_array(user[:roles] || "{}")
}
end
end
end
end
+ def schemas(database)
+ @schemas ||= {}
+ @schemas[database] ||= query("SELECT n.nspname, pg_catalog.pg_get_userbyid(n.nspowner) AS usename, n.nspacl FROM pg_namespace AS n WHERE n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'", :database => database).each_with_object({}) do |schema, schemas|
+ name = "#{schema[:nspname]}"
+
+ schemas[name] = {
+ :owner => schema[:usename],
+ :permissions => parse_acl(schema[:nspacl] || "{}")
+ }
+ end
+ end
+
def tables(database)
@tables ||= {}
- @tables[database] ||= query("SELECT n.nspname, c.relname, u.usename, c.relacl FROM pg_class AS c INNER JOIN pg_user AS u ON c.relowner = u.usesysid INNER JOIN pg_namespace AS n ON c.relnamespace = n.oid WHERE c.relkind = 'r'", :database => database).each_with_object({}) do |table, tables|
+ @tables[database] ||= query("SELECT n.nspname, c.relname, u.usename, c.relacl FROM pg_class AS c INNER JOIN pg_user AS u ON c.relowner = u.usesysid INNER JOIN pg_namespace AS n ON c.relnamespace = n.oid WHERE n.nspname NOT IN ('pg_catalog', 'information_schema') AND c.relkind IN ('r', 'p')", :database => database).each_with_object({}) do |table, tables|
name = "#{table[:nspname]}.#{table[:relname]}"
tables[name] = {
end
end
+ def sequences(database)
+ @sequences ||= {}
+ @sequences[database] ||= query("SELECT n.nspname, c.relname, u.usename, c.relacl FROM pg_class AS c INNER JOIN pg_user AS u ON c.relowner = u.usesysid INNER JOIN pg_namespace AS n ON c.relnamespace = n.oid WHERE n.nspname NOT IN ('pg_catalog', 'information_schema') AND c.relkind = 'S'", :database => database).each_with_object({}) do |sequence, sequences|
+ name = "#{sequence[:nspname]}.#{sequence[:relname]}"
+
+ sequences[name] = {
+ :owner => sequence[:usename],
+ :permissions => parse_acl(sequence[:relacl] || "{}")
+ }
+ end
+ end
+
private
+ def parse_array(array)
+ array.sub(/^\{(.*)\}$/, "\\1").split(",")
+ end
+
def parse_acl(acl)
- acl.sub(/^\{(.*)\}$/, "\\1").split(",").each_with_object({}) do |entry, permissions|
+ parse_array(acl).each_with_object({}) do |entry, permissions|
entry = entry.sub(/^"(.*)"$/) { Regexp.last_match[1].gsub(/\\"/, '"') }.sub(%r{/.*$}, "")
user, privileges = entry.split("=")
user = "public" if user == ""
permissions[user] = {
- "a" => :insert, "r" => :select, "w" => :update, "d" => :delete,
- "D" => :truncate, "x" => :references, "t" => :trigger
+ "r" => :select, "a" => :insert, "w" => :update, "d" => :delete,
+ "D" => :truncate, "x" => :references, "t" => :trigger,
+ "C" => :create, "c" => :connect, "T" => :temporary,
+ "X" => :execute, "U" => :usage, "s" => :set, "A" => :alter_system
}.values_at(*privileges.chars).compact
end
end
projects / chef.git / blobdiff