Grant/revoke for tables

Author: winglot

redshift/helpers.go

@@ -172,7 +172,7 @@ func validatePrivileges(privileges []string, objectType string) bool {
 			}
 		case "DATABASE":
 			switch strings.ToUpper(p) {
-			case "CREATE", "TEMPORARY", "TEMP":
+			case "CREATE", "TEMPORARY":
 				continue
 			default:
 				return false

redshift/resource_redshift_grant.go

@@ -169,6 +169,10 @@ func resourceRedshiftGrantReadImpl(db *DBConnection, d *schema.ResourceData) err
 	switch objectType {
 	case "database":
 		return readGroupDatabaseGrants(db, d)
+	case "schema":
+		return readGroupSchemaGrants(db, d)
+	case "table":
+		return readGroupTableGrants(db, d)
 	default:
 		return fmt.Errorf("Unsupported %s %s", grantObjectTypeAttr, objectType)
 	}
@@ -203,48 +207,99 @@ func readGroupDatabaseGrants(db *DBConnection, d *schema.ResourceData) error {
 	return nil
 }
 
-func readGroupGrantsForTables(tx *sql.Tx, groupName, schemaName string, tablesNames []string) ([]string, error) {
-	var tables, tableSelect, tableUpdate, tableInsert, tableDelete, tableReferences int
+func readGroupSchemaGrants(db *DBConnection, d *schema.ResourceData) error {
+	groupName := d.Get(grantGroupAttr).(string)
+	schemaName := d.Get(grantSchemaAttr).(string)
+
+	var schemaCreate, schemaUsage bool
+
 	query := `
   SELECT
-    nvl(count(cl.relname), 0) tables,
-    nvl(sum(decode(charindex('r',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)), 0,0,1)), 0) as select,
-    nvl(sum(decode(charindex('w',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)), 0,0,1)), 0) as update,
-    nvl(sum(decode(charindex('a',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)), 0,0,1)), 0) as insert,
-    nvl(sum(decode(charindex('d',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)), 0,0,1)), 0) as delete,
-    nvl(sum(decode(charindex('x',split_part(split_part(array_to_string(relacl, '|'),pu.groname,2 ) ,'/',1)), 0,0,1)), 0) as references
-  FROM pg_class cl
-  JOIN pg_group gr ON array_to_string(cl.relacl, '|') LIKE '%group '||gr.groname||'=%'
-  JOIN pg_namespace nsp ON nsp.oid = cl.relnamespace
+    decode(charindex('C',split_part(split_part(array_to_string(ns.nspacl, '|'),gr.groname,2 ) ,'/',1)), 0,0,1) as create,
+    decode(charindex('U',split_part(split_part(array_to_string(ns.nspacl, '|'),gr.groname,2 ) ,'/',1)), 0,0,1) as usage
+  FROM pg_namespace ns, pg_group gr
   WHERE
-    cl.relkind = 'r'
-    AND gr.groname=$1
-    AND nsp.nspname=$2
+    ns.nspname=$1 
+    AND gr.groname=$2
 `
 
-	var err error = nil
-	if len(tablesNames) > 0 {
-		query = fmt.Sprintf("%s AND cl.relname = ANY($3)", query)
-		err = tx.QueryRow(query, groupName, schemaName, pq.Array(tablesNames)).Scan(tables, tableSelect, tableUpdate, tableInsert, tableDelete, tableReferences)
-	} else {
-		err = tx.QueryRow(query, groupName, schemaName).Scan(tableSelect, tableUpdate, tableInsert, tableDelete, tableReferences)
+	if err := db.QueryRow(query, schemaName, groupName).Scan(&schemaCreate, &schemaUsage); err != nil {
+		return err
 	}
 
+	privileges := []string{}
+	appendIfTrue(schemaCreate, "create", &privileges)
+	appendIfTrue(schemaUsage, "usage", &privileges)
+
+	log.Printf("[DEBUG] Collected schema '%s' privileges for group %s: %v", schemaName, groupName, privileges)
+
+	d.Set(grantPrivilegesAttr, privileges)
+
+	return nil
+}
+
+func readGroupTableGrants(db *DBConnection, d *schema.ResourceData) error {
+	query := `
+  SELECT
+    relname,
+    decode(charindex('r',split_part(split_part(array_to_string(relacl, '|'),gr.groname,2 ) ,'/',1)), 0,0,1) as select,
+    decode(charindex('w',split_part(split_part(array_to_string(relacl, '|'),gr.groname,2 ) ,'/',1)), 0,0,1) as update,
+    decode(charindex('a',split_part(split_part(array_to_string(relacl, '|'),gr.groname,2 ) ,'/',1)), 0,0,1) as insert,
+    decode(charindex('d',split_part(split_part(array_to_string(relacl, '|'),gr.groname,2 ) ,'/',1)), 0,0,1) as delete,
+    decode(charindex('x',split_part(split_part(array_to_string(relacl, '|'),gr.groname,2 ) ,'/',1)), 0,0,1) as references
+  FROM pg_group gr, pg_class cl
+  JOIN pg_namespace nsp ON nsp.oid = cl.relnamespace
+  WHERE
+    cl.relkind = $1
+    AND gr.groname=$2
+    AND nsp.nspname=$3
+`
+
+	groupName := d.Get(grantGroupAttr).(string)
+	schemaName := d.Get(grantSchemaAttr).(string)
+	objects := d.Get(grantObjectsAttr).(*schema.Set)
+
+	rows, err := db.Query(query, grantObjectTypesCodes["table"], groupName, schemaName)
 	if err != nil {
-		return []string{}, fmt.Errorf("failed to collect group privileges: %w", err)
+		return err
 	}
 
-	privileges := []string{}
-	expectedPrivileges := len(tablesNames)
-	appendIfTrue(tableSelect == expectedPrivileges, "select", &privileges)
-	appendIfTrue(tableUpdate == expectedPrivileges, "update", &privileges)
-	appendIfTrue(tableInsert == expectedPrivileges, "insert", &privileges)
-	appendIfTrue(tableDelete == expectedPrivileges, "delete", &privileges)
-	appendIfTrue(tableReferences == expectedPrivileges, "references", &privileges)
+	for rows.Next() {
+		var objName string
+		var tableSelect, tableUpdate, tableInsert, tableDelete, tableReferences bool
+
+		if err := rows.Scan(&objName, &tableSelect, &tableUpdate, &tableInsert, &tableDelete, &tableReferences); err != nil {
+			return err
+		}
+
+		if objects.Len() > 0 && !objects.Contains(objName) {
+			continue
+		}
+
+		privilegesSet := schema.NewSet(schema.HashString, nil)
+		if tableSelect {
+			privilegesSet.Add("select")
+		}
+		if tableUpdate {
+			privilegesSet.Add("update")
+		}
+		if tableInsert {
+			privilegesSet.Add("insert")
+		}
+		if tableDelete {
+			privilegesSet.Add("delete")
+		}
+		if tableReferences {
+			privilegesSet.Add("references")
+		}
 
-	log.Printf("[DEBUG] Collected privileges for group  %s: %v\n", groupName, privileges)
+		if !privilegesSet.Equal(d.Get(grantPrivilegesAttr).(*schema.Set)) {
+			d.Set(grantPrivilegesAttr, privilegesSet)
+			break
+		}
+	}
 
-	return privileges, nil
+	return nil
 }
 
 func revokeGroupGrants(tx *sql.Tx, databaseName string, d *schema.ResourceData) error {

redshift/resource_redshift_grant_test.go

@@ -12,8 +12,6 @@ import (
 
 func TestAccRedshiftGrant_BasicDatabase(t *testing.T) {
 	groupName := strings.ReplaceAll(acctest.RandomWithPrefix("tf_acc_group_basic"), "-", "_")
-	//dbName := os.Getenv("REDSHIFT_DATABASE")
-
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
 		Providers:    testAccProviders,
@@ -46,3 +44,96 @@ resource "redshift_grant" "grant" {
   privileges = ["create", "temporary"]
 }`, groupName)
 }
+
+func TestAccRedshiftGrant_BasicSchema(t *testing.T) {
+	userName := strings.ReplaceAll(acctest.RandomWithPrefix("tf_acc_user_basic"), "-", "_")
+	groupName := strings.ReplaceAll(acctest.RandomWithPrefix("tf_acc_group_basic"), "-", "_")
+	schemaName := strings.ReplaceAll(acctest.RandomWithPrefix("tf_acc_schema_basic"), "-", "_")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: func(s *terraform.State) error { return nil },
+		Steps: []resource.TestStep{
+			{
+				Config: testAccRedshiftGrantConfig_BasicSchema(userName, groupName, schemaName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("redshift_grant.grant", "id", fmt.Sprintf("%s_schema_%s", groupName, schemaName)),
+					resource.TestCheckResourceAttr("redshift_grant.grant", "group", groupName),
+					resource.TestCheckResourceAttr("redshift_grant.grant", "object_type", "schema"),
+					resource.TestCheckResourceAttr("redshift_grant.grant", "privileges.#", "2"),
+					resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "privileges.*", "create"),
+					resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "privileges.*", "usage"),
+				),
+			},
+		},
+	})
+}
+
+func testAccRedshiftGrantConfig_BasicSchema(userName, groupName, schemaName string) string {
+	return fmt.Sprintf(`
+resource "redshift_user" "user" {
+  name = %[1]q
+}
+
+resource "redshift_group" "group" {
+  name = %[2]q
+}
+
+resource "redshift_schema" "schema" {
+  name = %[3]q
+
+  owner = redshift_user.user.name
+}
+
+resource "redshift_grant" "grant" {
+  group = redshift_group.group.name
+  schema = redshift_schema.schema.name
+
+  object_type = "schema"
+  privileges = ["create", "usage"]
+}
+`, userName, groupName, schemaName)
+}
+
+func TestAccRedshiftGrant_BasicTable(t *testing.T) {
+	groupName := strings.ReplaceAll(acctest.RandomWithPrefix("tf_acc_group_basic"), "-", "_")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: func(s *terraform.State) error { return nil },
+		Steps: []resource.TestStep{
+			{
+				Config: testAccRedshiftGrantConfig_BasicTable(groupName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("redshift_grant.grant", "id", fmt.Sprintf("%s_table_pg_catalog_pg_user_info", groupName)),
+					resource.TestCheckResourceAttr("redshift_grant.grant", "group", groupName),
+					resource.TestCheckResourceAttr("redshift_grant.grant", "schema", "pg_catalog"),
+					resource.TestCheckResourceAttr("redshift_grant.grant", "object_type", "table"),
+					resource.TestCheckResourceAttr("redshift_grant.grant", "objects.#", "1"),
+					resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "objects.*", "pg_user_info"),
+					resource.TestCheckResourceAttr("redshift_grant.grant", "privileges.#", "1"),
+					resource.TestCheckTypeSetElemAttr("redshift_grant.grant", "privileges.*", "select"),
+				),
+			},
+		},
+	})
+}
+
+func testAccRedshiftGrantConfig_BasicTable(groupName string) string {
+	return fmt.Sprintf(`
+resource "redshift_group" "group" {
+  name = %[1]q
+}
+
+resource "redshift_grant" "grant" {
+  group = redshift_group.group.name
+  schema = "pg_catalog"
+
+  object_type = "table"
+  objects = ["pg_user_info"]
+  privileges = ["select"]
+}
+`, groupName)
+}