From: Tom Hughes
Date: Thu, 5 Oct 2023 13:29:21 +0000 (+0000)
Subject: Limit postgresql_table to acting on tables
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/39cdf50e6b0a3e7ae0b50a09fa380e3f0312b01d?hp=1a1f2aa40bec35e5c70011c60c3db8609f01357c
Limit postgresql_table to acting on tables
---
diff --git a/cookbooks/postgresql/libraries/postgresql.rb b/cookbooks/postgresql/libraries/postgresql.rb
index 62188795b..4f0d4a1fe 100644
--- a/cookbooks/postgresql/libraries/postgresql.rb
+++ b/cookbooks/postgresql/libraries/postgresql.rb
@@ -112,7 +112,7 @@ module OpenStreetMap
 def tables(database)
 @tables ||= {}
- @tables[database] ||= query("SELECT n.nspname, c.relname, u.usename, c.relacl FROM pg_class AS c INNER JOIN pg_user AS u ON c.relowner = u.usesysid INNER JOIN pg_namespace AS n ON c.relnamespace = n.oid", :database => database).each_with_object({}) do |table, tables|
+ @tables[database] ||= query("SELECT n.nspname, c.relname, u.usename, c.relacl FROM pg_class AS c INNER JOIN pg_user AS u ON c.relowner = u.usesysid INNER JOIN pg_namespace AS n ON c.relnamespace = n.oid WHERE c.relkind = 'r'", :database => database).each_with_object({}) do |table, tables|
 name = "#{table[:nspname]}.#{table[:relname]}"
 tables[name] = {
diff --git a/cookbooks/postgresql/resources/table.rb b/cookbooks/postgresql/resources/table.rb
index f97417895..5970f4e0a 100644
--- a/cookbooks/postgresql/resources/table.rb
+++ b/cookbooks/postgresql/resources/table.rb
@@ -42,7 +42,7 @@ action :create do
 converge_by("revoke all for #{user} on #{new_resource}") do
 Chef::Log.info("Revoking all for #{user} on #{new_resource}")
- cluster.execute(:command => "REVOKE ALL ON #{qualified_name} FROM \"#{user}\"", :database => new_resource.database)
+ cluster.execute(:command => "REVOKE ALL ON TABLE #{qualified_name} FROM \"#{user}\"", :database => new_resource.database)
 end
 end
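Review bot: The new filter `WHERE c.relkind = 'r'` in `tables` matches ordinary tables only; in pg_class a partitioned table has relkind `'p'`, so it would drop out of this hash even though `GRANT ... ON TABLE` accepts it. If the resource treats a missing entry as "no current grants" (not visible in this hunk), stale privileges on such a table would no longer be detected or revoked. Consider `WHERE c.relkind IN ('r', 'p')`, plus a short comment above the query such as `# ordinary and partitioned tables only; views, sequences and indexes are handled elsewhere`. The result is memoized per database in `@tables`, and the body of `tables` continues past the end of the hunk.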
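Review bot: The `REVOKE ALL ON TABLE` command still places `user` between double quotes without doubling any embedded `"`, so a role name containing a quote ends the identifier early and the remainder is parsed as SQL; the GRANT and REVOKE commands in the `@@ -59,13` hunk build the role name the same way. Escaping once and reusing it covers all three, e.g. `quoted_user = "\"#{user.to_s.gsub('"', '""')}\""` and then `... FROM #{quoted_user}`. `qualified_name` is built outside the visible lines, so whether its schema and table parts are quoted in the same way should be checked there. The enclosing `action :create` block starts and ends outside the hunk.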
@@ -59,13 +59,13 @@ action :create do
 unless current_privileges.include?(privilege)
 converge_by("grant #{privilege} for #{user} on #{new_resource}") do
 Chef::Log.info("Granting #{privilege} for #{user} on #{new_resource}")
- cluster.execute(:command => "GRANT #{privilege.to_s.upcase} ON #{qualified_name} TO \"#{user}\"", :database => new_resource.database)
+ cluster.execute(:command => "GRANT #{privilege.to_s.upcase} ON TABLE #{qualified_name} TO \"#{user}\"", :database => new_resource.database)
 end
 end
 elsif current_privileges.include?(privilege)
 converge_by("revoke #{privilege} for #{user} on #{new_resource}") do
 Chef::Log.info("Revoking #{privilege} for #{user} on #{new_resource}")
- cluster.execute(:command => "REVOKE #{privilege.to_s.upcase} ON #{qualified_name} FROM \"#{user}\"", :database => new_resource.database)
+ cluster.execute(:command => "REVOKE #{privilege.to_s.upcase} ON TABLE #{qualified_name} FROM \"#{user}\"", :database => new_resource.database)
 end
 end
 end
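Review bot: `privilege.to_s.upcase` is interpolated into both the GRANT and the REVOKE command as a bare keyword, and nothing in the visible lines restricts it to known privilege names. The loop that supplies `privilege` is outside the hunk, so it may already be validated there; if it is not, a guard before the branch such as `raise ArgumentError, "unknown privilege #{privilege}" unless ALLOWED_PRIVILEGES.include?(privilege)` would keep a typo or unexpected value from reaching the database as SQL. `ALLOWED_PRIVILEGES` is a placeholder for whatever list the resource already defines. A one-line comment above the `cluster.execute` calls, saying that `ON TABLE` is explicit so the statement fails on a non-table relation rather than altering it, would also record the intent of this change.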