Describe the Bug
When using postgresql::server::default_privileges with object_type => 'TABLES' and privilege => 'ALL', ALL privileges are set in PostgreSQL, but the unless check failed because of an additional 'm' (MAINTAIN) privilege added by PostgreSQL 17.
A similar issue exists when granting TRIGGER. Here the $_check_privilege = 'd' matches for delete instead.
Expected Behavior
Puppet Agent recognizes, that "ALL" privileges are granted and does not apply the resource on every run.
Steps to Reproduce
What I did (some steps might be not necessary):
# create db
postgresql::server::database { 'testdb': }
# create roles
postgresql::server::database_grant { 'testrole_owner@testdb':
privilege => 'ALL',
db => 'testdb',
role => 'testrole_owner',
}
postgresql::server::database_grant { 'testrole_group@testdb':
privilege => 'ALL',
db => 'testdb',
role => 'testrole_group',
}
# create schema
postgresql::server::schema { 'testschema':
db => 'testdb',
owner => 'testrole_owner',
}
postgresql::server::default_privileges { 'testrole_group@testdb/testschema/*':
target_role => 'testrole_owner',
role => 'testrole_group',
db => 'testdb',
object_type => 'TABLES',
privilege => 'ALL',
schema => 'testschema',
require => Postgresql::Server::Database_grant['testrole_owner@testdb'],
}
Environment
- Platform: Debian Trixie
- PostgreSQL version: 17.10
- Module version: 10.6.1
Additional Context
- This needs to be
/^ALL$/: { $_check_privilege = 'arwdDxtm' } with PostgreSQL 17 (and above).
|
/^ALL$/: { $_check_privilege = 'arwdDxt' } |
- While looking at it, this is also wrong, it needs to be
't'. The letter 'd' means DELETE.
|
/^TRIGGER$/: { $_check_privilege = 'd' } |
Describe the Bug
When using
postgresql::server::default_privilegeswithobject_type => 'TABLES'andprivilege => 'ALL', ALL privileges are set in PostgreSQL, but the unless check failed because of an additional 'm' (MAINTAIN) privilege added by PostgreSQL 17.A similar issue exists when granting TRIGGER. Here the
$_check_privilege = 'd'matches for delete instead.Expected Behavior
Puppet Agent recognizes, that "ALL" privileges are granted and does not apply the resource on every run.
Steps to Reproduce
What I did (some steps might be not necessary):
Environment
Additional Context
/^ALL$/: { $_check_privilege = 'arwdDxtm' }with PostgreSQL 17 (and above).puppetlabs-postgresql/manifests/server/default_privileges.pp
Line 108 in 1bbeeb0
't'. The letter'd'meansDELETE.puppetlabs-postgresql/manifests/server/default_privileges.pp
Line 113 in 1bbeeb0