Skip to content

Follow up 235#345

Open
fernandezcuesta wants to merge 29 commits intomasterfrom
follow-up-235
Open

Follow up 235#345
fernandezcuesta wants to merge 29 commits intomasterfrom
follow-up-235

Conversation

@fernandezcuesta
Copy link
Copy Markdown
Collaborator

@fernandezcuesta fernandezcuesta commented Mar 18, 2026
edited
Loading

Description of your changes

This is a follow up of #235 with some minor issues found while merging from master.

I have:

  • Read and followed Crossplane's contribution process.
  • Run make reviewable to ensure this PR is ready for review.

How has this code been tested

Added tests

Bastichou and others added 14 commits May 14, 2025 15:46
@Bastichou @Sabotaz
feat: add grant specs schema, objects, objectType
2c549b2 
Signed-off-by: Bastien CERIANI <bastien.ceriani@gmail.com>
Signed-off-by: Julien Christophe <julien.christophe@datanumia.com>
@Sabotaz
feat: support full schema grants
c277254 
Signed-off-by: Julien Christophe <julien.christophe@datanumia.com>
@Sabotaz
feat: support table grants
2920f03 
Signed-off-by: Julien Christophe <julien.christophe@datanumia.com>
@Sabotaz
feat: support grants on sequences
a2ea718 
Signed-off-by: Julien Christophe <julien.christophe@datanumia.com>
@Sabotaz
feat: support grant on routines
ae2621c 
Signed-off-by: Julien Christophe <julien.christophe@datanumia.com>
@Sabotaz
feat: grant on columns
5fc07e4 
Signed-off-by: Julien Christophe <julien.christophe@datanumia.com>
@Sabotaz
feat: grants on foreign data wrappers and foreign servers
841c385 
Signed-off-by: Julien Christophe <julien.christophe@datanumia.com>
@Sabotaz
ci: make reviewable
e0f9a4b 
Signed-off-by: Julien Christophe <julien.christophe@datanumia.com>
@Sabotaz @fernandezcuesta
fix: wrong sequence grants count
8e8cd5a 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@Sabotaz @fernandezcuesta
fix: table grants
2f9daf3 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@Sabotaz @fernandezcuesta
fix: grant columns privileges
da21ecf 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@Sabotaz @fernandezcuesta
feat: adds a different case in tests
bce5317 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@fernandezcuesta
Merge remote-tracking branch 'upstream/master' into feat/extend-pgsql…
2239f1a 
…-grant-support-to-schema
@fernandezcuesta
Merge remote-tracking branch 'upstream/master' into feat/extend-pgsql…
5e49025 
…-grant-support-to-schema
@fernandezcuesta
fix(pgsql): quote object names in grant SQL and add nil guards
e9b0e9a 
Quote multiple parameters in GRANT/REVOKE statements to prevent SQL injection.
Qualify aclexplode ACL column references with their table aliases
(n.nspacl, db.datacl) for consistency.
Error instead of panic for Observe, Create, and Delete.
Add tests to assert generated SQL strings directly.

Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@fernandezcuesta
fix: tests
b591b85 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@fernandezcuesta fernandezcuesta mentioned this pull request Mar 18, 2026
Open
2 tasks
@fernandezcuesta
fixup
072748d 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
baburciu
baburciu reviewed Mar 18, 2026
View reviewed changes
@baburciu
Copy link
Copy Markdown
Contributor

baburciu commented Mar 18, 2026

hey @fernandezcuesta, I think another issue stemming from the rebase and Crossplane v2 adjustment may be the fact that cluster variant of Grant reconciler is able to use the Database.spec.forProvider.database and only default to ProviderConfig.spec.defaultDatabase if not specified, here, but the namespaced variant is not, as it directly uses ProviderConfig's DefaultDatabase here.
For me I could only get

 apiVersion: postgresql.sql.crossplane.io/v1alpha1
  kind: Grant
  metadata:
    name: demo-application-staging-user-1
  spec:
    deletionPolicy: Delete
    forProvider:
      database: demo-application-staging-dedicated
      databaseRef:
        name: demo-application-staging-dedicated
      privileges:
        - SELECT
      role: demo-application-staging-user
      roleRef:
        name: demo-application-staging-user
      schema: public
      tables:
        - deployments
    managementPolicies:
      - '*'
    providerConfigRef:
      name: demo-application-staging-user-db-connection

to apply after adding the same behaviour to namespaced reconciler (this PR with these 2 commits)

demo-application-staging-dedicated=> SELECT table_schema, table_name, privilege_type
  FROM information_schema.table_privileges
  WHERE grantee = 'demo-application-staging-user';
 table_schema | table_name  | privilege_type
--------------+-------------+----------------
 public       | deployments | SELECT
(1 row)

demo-application-staging-dedicated=>

baburciu and others added 4 commits March 19, 2026 01:24
@baburciu @fernandezcuesta
fix: Have Grant database used when grant targets objects inside a spe…
add8af2 
…cific database — tables, schemas, sequences, columns, routines, fallback to provider config one's otherwise

Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@baburciu @fernandezcuesta
fix: use MRD databases.postgresql.sql.m.crossplane.io spec.scope: Nam…
899b56e 
…espaced

Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@fernandezcuesta
fixup
d090b07 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@fernandezcuesta
missing example
582048b 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@fernandezcuesta
Copy link
Copy Markdown
Collaborator Author

fernandezcuesta commented Mar 19, 2026

hey @fernandezcuesta, I think another issue stemming from the rebase and Crossplane v2 adjustment may be the fact that cluster variant of Grant reconciler is able to use the Database.spec.forProvider.database and only default to ProviderConfig.spec.defaultDatabase if not specified, here, but the namespaced variant is not, as it directly uses ProviderConfig's DefaultDatabase here. For me I could only get

 apiVersion: postgresql.sql.crossplane.io/v1alpha1
  kind: Grant
  metadata:
    name: demo-application-staging-user-1
  spec:
    deletionPolicy: Delete
    forProvider:
      database: demo-application-staging-dedicated
      databaseRef:
        name: demo-application-staging-dedicated
      privileges:
        - SELECT
      role: demo-application-staging-user
      roleRef:
        name: demo-application-staging-user
      schema: public
      tables:
        - deployments
    managementPolicies:
      - '*'
    providerConfigRef:
      name: demo-application-staging-user-db-connection

to apply after adding the same behaviour to namespaced reconciler (this PR with these 2 commits)

demo-application-staging-dedicated=> SELECT table_schema, table_name, privilege_type
  FROM information_schema.table_privileges
  WHERE grantee = 'demo-application-staging-user';
 table_schema | table_name  | privilege_type
--------------+-------------+----------------
 public       | deployments | SELECT
(1 row)

demo-application-staging-dedicated=>

Thanks! added

@fernandezcuesta fernandezcuesta marked this pull request as ready for review March 19, 2026 16:32
chlunde
chlunde reviewed Mar 20, 2026
View reviewed changes
chlunde
chlunde reviewed Mar 20, 2026
View reviewed changes
chlunde
chlunde reviewed Mar 20, 2026
View reviewed changes
chlunde
chlunde reviewed Mar 20, 2026
View reviewed changes
apis/cluster/postgresql/v1alpha1/grant_types.go
},
RoleTable: {
"ALL": {"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER", "MAINTAIN"},
"ALL PRIVILEGES": {"SELECT", "INSERT", "UPDATE", "DELETE", "TRUNCATE", "REFERENCES", "TRIGGER", "MAINTAIN"},
Copy link
Copy Markdown
Collaborator

@chlunde chlunde Mar 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, this might break when new privs are added in the provider and running against an old server, or old provider-sql running against a new server. It would be nice to have e2e test coverage and also have a manual dispatch or env var override for e2e to run on a different major version of PostgreSQL?

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=ecb0fd337

Maybe try on PG 16 and it will fail if we have e2e coverage here. Or we should state the minimum version is PG 17

Copy link
Copy Markdown
Collaborator Author

@fernandezcuesta fernandezcuesta Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did a best effort but not 100% confident it's the right approach

@fernandezcuesta @chlunde
Update apis/cluster/postgresql/v1alpha1/grant_types.go
f6921fd 
Co-authored-by: Carl Henrik Lunde <chlunde@ifi.uio.no>
@dawidmalina
Copy link
Copy Markdown

dawidmalina commented Mar 26, 2026

@fernandezcuesta thanks for the effort to follow up on this. Is it possible to test this new build somewhere?
Eventually when we can expect this change to be ready?

@fernandezcuesta
Copy link
Copy Markdown
Collaborator Author

fernandezcuesta commented Mar 26, 2026

yeah let me finish with the PR review and I'll let you know

fernandezcuesta and others added 5 commits March 27, 2026 00:08
@fernandezcuesta @chlunde
Update apis/cluster/postgresql/v1alpha1/grant_types.go
d0d3584 
Co-authored-by: Carl Henrik Lunde <chlunde@ifi.uio.no>
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@fernandezcuesta
fix: peer review
58b11fc 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@fernandezcuesta
fix: lint
53b6015 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@fernandezcuesta
Merge branch 'follow-up-235' of https://github.com/crossplane-contrib…
3736900 
…/provider-sql into follow-up-235
@fernandezcuesta
fix: e2e
112696b 
Signed-off-by: Jesús Fernández <7312236+fernandezcuesta@users.noreply.github.com>
@fernandezcuesta
Copy link
Copy Markdown
Collaborator Author

fernandezcuesta commented Mar 27, 2026

@dawidmalina ghcr.io/crossplane-contrib/provider-sql:v0.15.0-rc.1

@dawidmalina
Copy link
Copy Markdown

dawidmalina commented Mar 27, 2026

@fernandezcuesta - no issues after switching to this version. Working as expected :) thank you

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chlunde chlunde chlunde left review comments

+1 more reviewer

@baburciu baburciu baburciu left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@fernandezcuesta @baburciu @dawidmalina @chlunde @Bastichou @Sabotaz