Fix an issue auto-provisioned PostgreSQL user may keep old roles indefinitely

[greedy52]

changelog: Fix an issue auto-provisioned PostgreSQL user may keep old roles indefinitely

Fixes https://github.com/gravitational/teleport-private/issues/998

change:

        -- If the user has active connections, make sure the provided roles
        -- match what the user currently has.
        IF EXISTS (SELECT usename FROM pg_stat_activity WHERE usename = username) THEN
            SELECT CAST(array_agg(rolname) as varchar[]) INTO cur_roles FROM pg_auth_members JOIN pg_roles ON roleid = oid WHERE member=(SELECT oid FROM pg_roles WHERE rolname = username) AND rolname != 'teleport-auto-user';
            -- "a <@ b" checks if all unique elements in "a" are contained by
            -- "b". Using length check plus "contains" check to avoid sorting.
            IF ARRAY_LENGTH(roles, 1) = ARRAY_LENGTH(cur_roles, 1) AND roles <@ cur_roles THEN
                RETURN;
            END IF;
            RAISE EXCEPTION SQLSTATE 'TP002' USING MESSAGE = 'TP002: User has active connections and roles have changed';
        END IF;

This PR also UPPERCASE the existing SQL scripts to be consistent, see discussion #33307 (comment)

Note that all new implementations of auto-user provisioning (MySQL/MariaDB/Redshift) already include similar fixes for this issue in their initial implementation.

[github-actions]

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

[gabrielcorado]

LGTM.

[public-teleport-github-review-bot]

@greedy52 See the table below for backport results.

Branch	Result
branch/v13	Failed
branch/v14	Create PR