K8SPG-571 grant user access to public schema (#1097)

nmarukovich · hors · web-flow · commit a794a94f7176 · 2025-04-14T15:22:33.000+03:00
* K8SPG-571 grant user access to public schema

* add test case

* update database condition

* fix unit tests

* fix names

* fix PR comments

* add validation and update new schema access

* fix PR comments

* delete force

* add import

* fix tests

* fix tests

* fix vars

* update vars

* fix test

* fix log level

---------

Co-authored-by: Viacheslav Sarzhan &lt;slava.sarzhan@percona.com&gt;
diff --git a/build/crd/crunchy/generated/postgres-operator.crunchydata.com_postgresclusters.yaml b/build/crd/crunchy/generated/postgres-operator.crunchydata.com_postgresclusters.yaml
@@ -20451,6 +20451,10 @@ spec:
                         type: string
                       type: array
                       x-kubernetes-list-type: set
+                    grantPublicSchemaAccess:
+                      description: Grant the user access to the public schema in each
+                        database listed under `databases`.
+                      type: boolean
                     name:
                       description: |-
                         The name of this PostgreSQL user. The value may contain only lowercase
diff --git a/build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml b/build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml
@@ -58,8 +58,8 @@ spec:
             properties:
               autoCreateUserSchema:
                 description: |-
-                  Whether or not the cluster has schemas automatically created for the user
-                  defined in `spec.users` for all of the databases listed for that user.
+                  Indicates whether schemas are automatically created for the user
+                  specified in `spec.users` across all databases associated with that user.
                 type: boolean
               backups:
                 description: PostgreSQL backup configuration
@@ -18252,6 +18252,10 @@ spec:
                         type: string
                       type: array
                       x-kubernetes-list-type: set
+                    grantPublicSchemaAccess:
+                      description: Grant the user access to the public schema in each
+                        database listed under `databases`.
+                      type: boolean
                     name:
                       description: |-
                         The name of this PostgreSQL user. The value may contain only lowercase
@@ -18303,6 +18307,11 @@ spec:
             - instances
             - postgresVersion
             type: object
+            x-kubernetes-validations:
+            - message: PostgresVersion must be >= 15 if grantPublicSchemaAccess exists
+                and is true
+              rule: '!has(self.users) || self.postgresVersion >= 15 || self.users.all(u,
+                !has(u.grantPublicSchemaAccess) || !u.grantPublicSchemaAccess)'
           status:
             properties:
               host:
diff --git a/config/crd/bases/pgv2.percona.com_perconapgclusters.yaml b/config/crd/bases/pgv2.percona.com_perconapgclusters.yaml
@@ -463,8 +463,8 @@ spec:
             properties:
               autoCreateUserSchema:
                 description: |-
-                  Whether or not the cluster has schemas automatically created for the user
-                  defined in `spec.users` for all of the databases listed for that user.
+                  Indicates whether schemas are automatically created for the user
+                  specified in `spec.users` across all databases associated with that user.
                 type: boolean
               backups:
                 description: PostgreSQL backup configuration
@@ -18657,6 +18657,10 @@ spec:
                         type: string
                       type: array
                       x-kubernetes-list-type: set
+                    grantPublicSchemaAccess:
+                      description: Grant the user access to the public schema in each
+                        database listed under `databases`.
+                      type: boolean
                     name:
                       description: |-
                         The name of this PostgreSQL user. The value may contain only lowercase
@@ -18708,6 +18712,11 @@ spec:
             - instances
             - postgresVersion
             type: object
+            x-kubernetes-validations:
+            - message: PostgresVersion must be >= 15 if grantPublicSchemaAccess exists
+                and is true
+              rule: '!has(self.users) || self.postgresVersion >= 15 || self.users.all(u,
+                !has(u.grantPublicSchemaAccess) || !u.grantPublicSchemaAccess)'
           status:
             properties:
               host:
diff --git a/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml b/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml
@@ -20349,6 +20349,10 @@ spec:
                         type: string
                       type: array
                       x-kubernetes-list-type: set
+                    grantPublicSchemaAccess:
+                      description: Grant the user access to the public schema in each
+                        database listed under `databases`.
+                      type: boolean
                     name:
                       description: |-
                         The name of this PostgreSQL user. The value may contain only lowercase
diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml
@@ -760,8 +760,8 @@ spec:
             properties:
               autoCreateUserSchema:
                 description: |-
-                  Whether or not the cluster has schemas automatically created for the user
-                  defined in `spec.users` for all of the databases listed for that user.
+                  Indicates whether schemas are automatically created for the user
+                  specified in `spec.users` across all databases associated with that user.
                 type: boolean
               backups:
                 description: PostgreSQL backup configuration
@@ -18954,6 +18954,10 @@ spec:
                         type: string
                       type: array
                       x-kubernetes-list-type: set
+                    grantPublicSchemaAccess:
+                      description: Grant the user access to the public schema in each
+                        database listed under `databases`.
+                      type: boolean
                     name:
                       description: |-
                         The name of this PostgreSQL user. The value may contain only lowercase
@@ -19005,6 +19009,11 @@ spec:
             - instances
             - postgresVersion
             type: object
+            x-kubernetes-validations:
+            - message: PostgresVersion must be >= 15 if grantPublicSchemaAccess exists
+                and is true
+              rule: '!has(self.users) || self.postgresVersion >= 15 || self.users.all(u,
+                !has(u.grantPublicSchemaAccess) || !u.grantPublicSchemaAccess)'
           status:
             properties:
               host:
@@ -46837,6 +46846,10 @@ spec:
                         type: string
                       type: array
                       x-kubernetes-list-type: set
+                    grantPublicSchemaAccess:
+                      description: Grant the user access to the public schema in each
+                        database listed under `databases`.
+                      type: boolean
                     name:
                       description: |-
                         The name of this PostgreSQL user. The value may contain only lowercase
diff --git a/deploy/cr.yaml b/deploy/cr.yaml
@@ -72,6 +72,7 @@ spec:
 #      password:
 #        type: ASCII
 #      secretName: "rhino-credentials"
+#      grantPublicSchemaAccess: false
 
 #  databaseInitSQL:
 #    key: init.sql
diff --git a/deploy/crd.yaml b/deploy/crd.yaml
@@ -760,8 +760,8 @@ spec:
             properties:
               autoCreateUserSchema:
                 description: |-
-                  Whether or not the cluster has schemas automatically created for the user
-                  defined in `spec.users` for all of the databases listed for that user.
+                  Indicates whether schemas are automatically created for the user
+                  specified in `spec.users` across all databases associated with that user.
                 type: boolean
               backups:
                 description: PostgreSQL backup configuration
@@ -18954,6 +18954,10 @@ spec:
                         type: string
                       type: array
                       x-kubernetes-list-type: set
+                    grantPublicSchemaAccess:
+                      description: Grant the user access to the public schema in each
+                        database listed under `databases`.
+                      type: boolean
                     name:
                       description: |-
                         The name of this PostgreSQL user. The value may contain only lowercase
@@ -19005,6 +19009,11 @@ spec:
             - instances
             - postgresVersion
             type: object
+            x-kubernetes-validations:
+            - message: PostgresVersion must be >= 15 if grantPublicSchemaAccess exists
+                and is true
+              rule: '!has(self.users) || self.postgresVersion >= 15 || self.users.all(u,
+                !has(u.grantPublicSchemaAccess) || !u.grantPublicSchemaAccess)'
           status:
             properties:
               host:
@@ -46837,6 +46846,10 @@ spec:
                         type: string
                       type: array
                       x-kubernetes-list-type: set
+                    grantPublicSchemaAccess:
+                      description: Grant the user access to the public schema in each
+                        database listed under `databases`.
+                      type: boolean
                     name:
                       description: |-
                         The name of this PostgreSQL user. The value may contain only lowercase
diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml
@@ -760,8 +760,8 @@ spec:
             properties:
               autoCreateUserSchema:
                 description: |-
-                  Whether or not the cluster has schemas automatically created for the user
-                  defined in `spec.users` for all of the databases listed for that user.
+                  Indicates whether schemas are automatically created for the user
+                  specified in `spec.users` across all databases associated with that user.
                 type: boolean
               backups:
                 description: PostgreSQL backup configuration
@@ -18954,6 +18954,10 @@ spec:
                         type: string
                       type: array
                       x-kubernetes-list-type: set
+                    grantPublicSchemaAccess:
+                      description: Grant the user access to the public schema in each
+                        database listed under `databases`.
+                      type: boolean
                     name:
                       description: |-
                         The name of this PostgreSQL user. The value may contain only lowercase
@@ -19005,6 +19009,11 @@ spec:
             - instances
             - postgresVersion
             type: object
+            x-kubernetes-validations:
+            - message: PostgresVersion must be >= 15 if grantPublicSchemaAccess exists
+                and is true
+              rule: '!has(self.users) || self.postgresVersion >= 15 || self.users.all(u,
+                !has(u.grantPublicSchemaAccess) || !u.grantPublicSchemaAccess)'
           status:
             properties:
               host:
@@ -46837,6 +46846,10 @@ spec:
                         type: string
                       type: array
                       x-kubernetes-list-type: set
+                    grantPublicSchemaAccess:
+                      description: Grant the user access to the public schema in each
+                        database listed under `databases`.
+                      type: boolean
                     name:
                       description: |-
                         The name of this PostgreSQL user. The value may contain only lowercase
diff --git a/e2e-tests/tests/users/13-add-custom-user-with-public-schema-access.yaml b/e2e-tests/tests/users/13-add-custom-user-with-public-schema-access.yaml
@@ -0,0 +1,12 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 10
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      kubectl -n ${NAMESPACE} patch perconapgcluster/${test_name} --type=json -p '[{"op":"add", "path":"/spec/autoCreateUserSchema","value":true},{"op":"add", "path":"/spec/users","value":[{"name":"chico","databases":["spain"],"password":{"type":"ASCII"},"secretName":"chico-credentials", "grantPublicSchemaAccess": true}]}]'
+      sleep 10
diff --git a/e2e-tests/tests/users/13-assert.yaml b/e2e-tests/tests/users/13-assert.yaml
@@ -0,0 +1,49 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: users
+  ownerReferences:
+    - apiVersion: pgv2.percona.com/v2
+      kind: PerconaPGCluster
+      name: users
+      controller: true
+      blockOwnerDeletion: true
+  finalizers:
+    - postgres-operator.crunchydata.com/finalizer
+status:
+  instances:
+    - name: instance1
+      readyReplicas: 3
+      replicas: 3
+      updatedReplicas: 3
+  pgbackrest:
+    repoHost:
+      apiVersion: apps/v1
+      kind: StatefulSet
+      ready: true
+    repos:
+      - bound: true
+        name: repo1
+        replicaCreateBackupComplete: true
+        stanzaCreated: true
+  proxy:
+    pgBouncer:
+      readyReplicas: 3
+      replicas: 3
+---
+apiVersion: pgv2.percona.com/v2
+kind: PerconaPGCluster
+metadata:
+  name: users
+status:
+  pgbouncer:
+    ready: 3
+    size: 3
+  postgres:
+    instances:
+      - name: instance1
+        ready: 3
+        size: 3
+    ready: 3
+    size: 3
+  state: ready
diff --git a/e2e-tests/tests/users/14-write-data-to-custom-db.yaml b/e2e-tests/tests/users/14-write-data-to-custom-db.yaml
@@ -0,0 +1,23 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      password=$(get_psql_user_pass chico-credentials)
+      user='chico'
+      db_name='spain'
+      schema='public'
+      hostname=$(get_pgbouncer_host chico-credentials)
+
+
+      run_psql \
+        'SET search_path TO public;CREATE TABLE IF NOT EXISTS customApp (id int PRIMARY KEY);' \
+        "-h $hostname -U $user -d $db_name" "$password"
+      run_psql \
+        "INSERT INTO $schema.customApp (id) VALUES (100500)" \
+        "-h $hostname -U $user -d $db_name" "$password"
+        
diff --git a/e2e-tests/tests/users/15-assert.yaml b/e2e-tests/tests/users/15-assert.yaml
@@ -0,0 +1,10 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 30
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: 10-read-from-primary-custom-db
+data:
+  data: ' 100500'
diff --git a/e2e-tests/tests/users/15-read-from-primary-custom-db.yaml b/e2e-tests/tests/users/15-read-from-primary-custom-db.yaml
@@ -0,0 +1,19 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+timeout: 30
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      password=$(get_psql_user_pass chico-credentials)
+      user='chico'
+      db_name='spain'
+      schema='public'
+      hostname=$(get_pgbouncer_host chico-credentials)
+
+      data=$(run_psql "SELECT * from $schema.customApp;" "-h $hostname -U $user -d $db_name" "$password")
+
+      kubectl create configmap -n "${NAMESPACE}" 10-read-from-primary-custom-db --from-literal=data="${data}"
diff --git a/internal/postgres/users.go b/internal/postgres/users.go
diff --git a/internal/postgres/users_test.go b/internal/postgres/users_test.go
diff --git a/percona/controller/pgcluster/controller_test.go b/percona/controller/pgcluster/controller_test.go
diff --git a/pkg/apis/pgv2.percona.com/v2/perconapgcluster_types.go b/pkg/apis/pgv2.percona.com/v2/perconapgcluster_types.go
diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go
diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/zz_generated.deepcopy.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/zz_generated.deepcopy.go
