Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/postgresql: drop ensurePermissions option #287602

Merged
merged 1 commit into from
Mar 7, 2024

Conversation

Ma27
Copy link
Member

@Ma27 Ma27 commented Feb 9, 2024

Description of changes

...effectively what was planned already in #266270, but it was too late because the branches were restricted and didn't allow any breaking changes anymore.

It also suffers from the same issue that we already had when discussing this the last time[1] when ensureDBOwnership was ultimately introduced as band-aid fix: newly created users don't get CREATE permission on the public schema anymore (since psql 15), even with ALL PRIVILEGES.

If one's use-case is more sophisticated than having a single owner, it's questionable anyways if this module is the correct tool since permissions aren't dropped on a change to this option or a removal which is pretty surprising in the context of NixOS.

[1] #266270

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@Ma27 Ma27 requested a review from RaitoBezarius February 9, 2024 22:53
@Ma27 Ma27 requested a review from thoughtpolice as a code owner February 9, 2024 22:53
@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: documentation This PR adds or changes documentation 8.has: changelog 8.has: module (update) This PR changes an existing module in `nixos/` labels Feb 9, 2024
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Feb 9, 2024
@delroth delroth added the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Feb 10, 2024
nixos/doc/manual/release-notes/rl-2405.section.md Outdated Show resolved Hide resolved
@@ -161,33 +161,6 @@ in
'';
};

ensurePermissions = mkOption {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we have a mkRemovedOption?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SuperSandro2000 do you know how to reasonably implement this for submodules? I'm not aware of any way sadly.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't just place mkRemovedOptionModule in the submodule? 😅

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It generates a config.assertions block next to the options.option_that_is_removed and this won't work in a submodule.

...effectively what was planned already in NixOS#266270, but it was too late
because the branches were restricted and didn't allow any breaking
changes anymore.

It also suffers from the same issue that we already had when discussing
this the last time[1] when `ensureDBOwnership` was ultimately introduced
as band-aid fix: newly created users don't get CREATE permission on
the `public` schema anymore (since psql 15), even with `ALL PRIVILEGES`.

If one's use-case is more sophisticated than having a single owner, it's
questionable anyways if this module is the correct tool since
permissions aren't dropped on a change to this option or a removal which
is pretty surprising in the context of NixOS.

[1] NixOS#266270
@Ma27 Ma27 force-pushed the drop-postgres-ensurePermissions branch from 0a6d0b5 to d363f52 Compare February 12, 2024 20:10
@delroth delroth removed the 12.approvals: 1 This PR was reviewed and approved by one reputable person label Feb 12, 2024
@Ma27 Ma27 merged commit 3c8f4e0 into NixOS:master Mar 7, 2024
20 checks passed
@Ma27 Ma27 deleted the drop-postgres-ensurePermissions branch March 7, 2024 19:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants