PostgreSQL: leaked pg privs #14817

Merged
merged 5 commits into from
May 31, 2017

sean- commented May 25, 2017

#11452 introduced a small credential leak when creating a new database with a delegated ROLE. When GRANTing a privilege, match the GRANT with a follow up REVOKE.

sean- added 5 commits May 24, 2017 01:14
…ase.

For `ROLE`s who have been delegated `CREATEDB` privileges and are not a
superuser, in order for them to `CREATE DATABASE` they need to be a member
of the `ROLE` who will be `OWNER` for the new database.  Once the
`CREATE DATABASE` is complete, `REVOKE` the `GRANT` that was given to role
so that the user who ran the `CREATE DATABASE` loses all privileges to the
target database (unless of course they're a superuser).

Fixes a regression introduced in hashicorp#11452
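
The GRANT / `CREATE DATABASE` / REVOKE pairing described in the commit message above, as an added sketch that is not the provider's code from this pull request. The `execer` interface, the `recorder` fake, the function names and the role and database names are all hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// execer is a hypothetical one-method stand-in for a database handle.
type execer interface{ Exec(stmt string) error }

// recorder is a constructed fake that logs statements and can simulate a failure.
type recorder struct {
	stmts  []string
	failOn string // statement prefix that should return an error
}

func (r *recorder) Exec(stmt string) error {
	r.stmts = append(r.stmts, stmt)
	if r.failOn != "" && strings.HasPrefix(stmt, r.failOn) {
		return errors.New("simulated failure")
	}
	return nil
}

// q quotes a PostgreSQL identifier, doubling embedded double quotes.
func q(s string) string { return `"` + strings.ReplaceAll(s, `"`, `""`) + `"` }

// createDatabaseAs grants owner to currentUser only for the duration of
// CREATE DATABASE; the deferred REVOKE also runs when CREATE DATABASE fails.
func createDatabaseAs(db execer, currentUser, owner, dbName string, superuser bool) (err error) {
	if !superuser && currentUser != owner {
		if err = db.Exec(fmt.Sprintf("GRANT %s TO %s", q(owner), q(currentUser))); err != nil {
			return err
		}
		defer func() {
			rerr := db.Exec(fmt.Sprintf("REVOKE %s FROM %s", q(owner), q(currentUser)))
			if err == nil {
				err = rerr // surface a failed REVOKE: membership may still be held
			}
		}()
	}
	return db.Exec(fmt.Sprintf("CREATE DATABASE %s OWNER %s", q(dbName), q(owner)))
}

func main() {
	r := &recorder{failOn: "CREATE"} // constructed failure case
	fmt.Println(createDatabaseAs(r, "deploy", "app_owner", "appdb", false), r.stmts)
}
```

A caller that was already a member of the owner role before the call would lose that membership to the REVOKE, so the sketch assumes the membership did not exist beforehand.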
stack72 commented May 31, 2017

LGTM! thanks for this :)

% make testacc TEST=./builtin/providers/mysql                                                                                              ✹ ✭
==> Checking that code complies with gofmt requirements...
go generate $(go list ./... | grep -v /terraform/vendor/)
2017/05/31 20:03:16 Generated command/internal_plugin_list.go
TF_ACC=1 go test ./builtin/providers/mysql -v  -timeout 120m
=== RUN   TestProvider
--- PASS: TestProvider (0.00s)
=== RUN   TestProvider_impl
--- PASS: TestProvider_impl (0.00s)
=== RUN   TestAccDatabase
--- PASS: TestAccDatabase (0.03s)
=== RUN   TestAccGrant
--- PASS: TestAccGrant (0.04s)
=== RUN   TestAccUser
--- PASS: TestAccUser (0.05s)
PASS
ok  	github.com/hashicorp/terraform/builtin/providers/mysql	0.132s

@stack72 stack72 merged commit 2ebac52 into hashicorp:master May 31, 2017
stack72 commented May 31, 2017

Ran the wrong tests - d'oh! But the provider still works as expected :)

@sean- sean- deleted the b-leaked-pg-privs branch May 31, 2017 18:11
ghost commented Apr 11, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 11, 2020