Fix PgRBACPlugin and pg-introspection understanding of owner permissions #1801
Description
Previously a non-superuser table owner would only be seen as having permissions to a table if that user had an explicit GRANT or REVOKE against it; in the absence of this, Postgres does not add an ACL entry for them, and thus we did not correctly reflect their permissions.
I've attempted to address this issue by emulating more of the PostgreSQL permissions system, but I know there are still gaps (for example if your role has been granted the role that is the owner of the table, and that owner has not been granted or revoked any explicit privileges, then we still won't see you as having permissions). Nonetheless, this PR should at least handle the common case of not having privileges in this case:
Initially I overhauled the `resolvePermissions` API for this; but realising that this would both limit the ways that API could be used and also break existing users, I instead introduced an `entityPermissions` API.

Performance impact
Marginal during the gather phase.
Security impact
None known.
Checklist
- `yarn lint:fix` passes.
- I've added tests for the new feature, and `yarn test` passes.
- I have detailed the new feature in the relevant documentation.
- I have added this feature to 'Pending' in the `RELEASE_NOTES.md` file (if one exists).
- If this is a breaking change I've explained why.
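The following is an added illustration of the behaviour the description relies on, not code from this PR or from pg-introspection: when `pg_class.relacl` is NULL, PostgreSQL falls back to a built-in default ACL in which the owner holds every table privilege, so an introspection layer that only reads explicit aclitems misses the owner entirely. The `tablePrivileges` helper and its aclitem parser are hypothetical; they assume the documented table privilege letters (a, r, w, d, D, x, t) and deliberately do not resolve role membership, which is the remaining gap the description calls out.

```javascript
// Added example (not pg-introspection's own code): emulate how PostgreSQL
// resolves table privileges when relacl is NULL versus when it is populated.
// Assumption: table privilege letters as documented for PostgreSQL; newer
// letters (e.g. MAINTAIN) are ignored. Role membership is NOT resolved, so a
// member of the owner role is still reported as having no privileges.

const TABLE_PRIVS = {
  a: "INSERT", r: "SELECT", w: "UPDATE", d: "DELETE",
  D: "TRUNCATE", x: "REFERENCES", t: "TRIGGER",
};

// Parse one aclitem such as 'alice=arwdDxt/alice' or '=r/alice'.
// An empty grantee means PUBLIC; a '*' after a letter means WITH GRANT OPTION.
function parseAclItem(item) {
  const m = /^(.*?)=([a-zA-Z*]*)\/(.+)$/.exec(item);
  if (!m) throw new Error(`Unparseable aclitem: ${item}`);
  const [, grantee, privs, grantor] = m;
  const privileges = [];
  for (let i = 0; i < privs.length; i++) {
    if (privs[i] === "*") continue;
    const name = TABLE_PRIVS[privs[i]];
    if (!name) continue; // privilege letter unknown to this emulation
    privileges.push({ name, grantOption: privs[i + 1] === "*" });
  }
  return { grantee: grantee === "" ? "PUBLIC" : grantee, privileges, grantor };
}

// The default ACL PostgreSQL applies when relacl is NULL: the owner holds all
// table privileges (listed without '*', although an owner can always grant)
// and PUBLIC holds none. This is the entry an ACL-only reader never sees.
function defaultTableAcl(owner) {
  const privileges = Object.values(TABLE_PRIVS)
    .map((name) => ({ name, grantOption: false }));
  return [{ grantee: owner, privileges, grantor: owner }];
}

// Effective privilege names of `role` on a table owned by `owner` whose raw
// relacl is `relacl` (array of aclitem strings, or null). Superuser status and
// role membership are out of scope.
function tablePrivileges(role, owner, relacl) {
  const acl = relacl === null ? defaultTableAcl(owner) : relacl.map(parseAclItem);
  const names = new Set();
  for (const entry of acl) {
    if (entry.grantee === role || entry.grantee === "PUBLIC") {
      for (const p of entry.privileges) names.add(p.name);
    }
  }
  return [...names].sort();
}
```

With a NULL relacl the owner is reported with every privilege and any other role with none; once a GRANT has materialised the ACL, the owner's own aclitem is present and the parser path yields the same answer.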