Conversation
* Fix CustomRole grants not persisting by adding SET ROLE to table owner

  SyncDatabaseGrants and RevokeAllDatabaseGrants ran GRANT/REVOKE as iam_creator, which does not own the tables (service users do). PostgreSQL requires the table owner to issue grants. Added SET ROLE <owner> before each GRANT/REVOKE statement, matching the pattern used by the PostgreSQLDatabase controller's execAsf/prependSetRole.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Handle mixed-ownership schemas in RevokeAllDatabaseGrants

  Iterate over unique table owners per schema instead of only the schema owner, so bulk REVOKE covers tables regardless of which role owns them. Also fix revoke test to use INHERIT FALSE, matching production behavior.

  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mahlunar approved these changes on Apr 15, 2026
Summary
* SyncDatabaseGrants and RevokeAllDatabaseGrants ran GRANT/REVOKE as iam_creator, which does not own the tables (service users like transactionrepo do). PostgreSQL requires the table owner to issue grants, so all grants silently failed.
* SET ROLE <owner> before each GRANT/REVOKE statement and RESET ROLE after, matching the pattern used by the PostgreSQLDatabase controller's execAsf/prependSetRole.
* schemaOwnerMap() and tableOwnerMap() helpers to bulk-query object ownership from pg_namespace and pg_tables.

Test plan

* TestSyncDatabaseGrants_grantsViaSetRoleToTableOwner — verifies GRANT and REVOKE succeed when the connection user is a member of the table owner (SET only, no INHERIT)
* TestRevokeAllDatabaseGrants_viaSetRole — verifies RevokeAllDatabaseGrants works via SET ROLE

The key to making the test realistic was GRANT serviceUser TO controllerUser WITH SET TRUE, INHERIT FALSE. This mirrors production where iam_creator can SET ROLE to service users (via rds_superuser) but doesn't inherit their ownership privileges. Without INHERIT FALSE, PostgreSQL 18 lets members exercise all owner privileges including granting, which would mask the bug.

🤖 Generated with Claude Code
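The statement sequencing the description above settles on (SET ROLE to the object owner before each GRANT/REVOKE, RESET ROLE after, and one bulk REVOKE per unique table owner rather than only the schema owner), shown as an added worked example. This is illustration code written for this page, not the project's SyncDatabaseGrants/RevokeAllDatabaseGrants implementation or its execAsf/prependSetRole helpers. It only builds the batch of statements such a sync would execute, so it runs without a database; the schema name app, the grantee reporting_ro and the second table owner auditsvc are constructed for the example, while transactionrepo and iam_creator are the role names the PR itself mentions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// quoteIdent double-quotes a SQL identifier and doubles any embedded quote, so a
// role, schema or table name read back from the catalog cannot alter the statement.
func quoteIdent(s string) string {
	return `"` + strings.ReplaceAll(s, `"`, `""`) + `"`
}

// withOwner wraps one GRANT or REVOKE in SET ROLE <owner> ... RESET ROLE.
// PostgreSQL lets an object's owner grant on it; with an INHERIT FALSE
// membership the connecting user has to switch to that owner explicitly.
func withOwner(owner, stmt string) []string {
	return []string{"SET ROLE " + quoteIdent(owner), stmt, "RESET ROLE"}
}

// sortedKeys gives a deterministic statement order for a table -> owner map.
func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// GrantStatements builds the batch a SyncDatabaseGrants-style sync would run:
// schema USAGE issued as the schema owner, then each table's privileges issued
// as that table's owner. tableOwners stands in for a tableOwnerMap() result.
func GrantStatements(schema, schemaOwner string, tableOwners map[string]string, grantee string, privs []string) []string {
	out := withOwner(schemaOwner, fmt.Sprintf("GRANT USAGE ON SCHEMA %s TO %s",
		quoteIdent(schema), quoteIdent(grantee)))
	for _, table := range sortedKeys(tableOwners) {
		out = append(out, withOwner(tableOwners[table], fmt.Sprintf("GRANT %s ON TABLE %s.%s TO %s",
			strings.Join(privs, ", "), quoteIdent(schema), quoteIdent(table), quoteIdent(grantee)))...)
	}
	return out
}

// RevokeAllStatements mirrors the mixed-ownership fix: the bulk REVOKE is issued
// once per unique table owner in the schema, because a REVOKE run as role X can
// only strip privileges on the tables X is entitled to revoke on, i.e. the ones it owns.
func RevokeAllStatements(schema, schemaOwner string, tableOwners map[string]string, grantee string) []string {
	unique := map[string]bool{}
	for _, owner := range tableOwners {
		unique[owner] = true
	}
	owners := make([]string, 0, len(unique))
	for o := range unique {
		owners = append(owners, o)
	}
	sort.Strings(owners)

	var out []string
	for _, owner := range owners {
		out = append(out, withOwner(owner, fmt.Sprintf("REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s FROM %s",
			quoteIdent(schema), quoteIdent(grantee)))...)
	}
	// Schema USAGE belongs to the schema owner, so it is revoked under that role.
	return append(out, withOwner(schemaOwner, fmt.Sprintf("REVOKE USAGE ON SCHEMA %s FROM %s",
		quoteIdent(schema), quoteIdent(grantee)))...)
}

// MembershipGrant is the test-fixture membership from the PR description: the
// controller user may SET ROLE to the service user but does not inherit its
// ownership privileges, so an unwrapped GRANT fails just as it did in production.
func MembershipGrant(serviceUser, controllerUser string) string {
	return fmt.Sprintf("GRANT %s TO %s WITH SET TRUE, INHERIT FALSE",
		quoteIdent(serviceUser), quoteIdent(controllerUser))
}

func main() {
	// Constructed sample: a schema owned by transactionrepo (named in the PR) that
	// also holds a table owned by a hypothetical second service user, auditsvc.
	owners := map[string]string{"orders": "transactionrepo", "audit": "auditsvc"}
	fmt.Println(MembershipGrant("transactionrepo", "iam_creator") + ";")
	for _, s := range GrantStatements("app", "transactionrepo", owners, "reporting_ro", []string{"SELECT"}) {
		fmt.Println(s + ";")
	}
	for _, s := range RevokeAllStatements("app", "transactionrepo", owners, "reporting_ro") {
		fmt.Println(s + ";")
	}
}
```

Each statement is emitted as its own element so a caller can run them one by one and stop at the first error; a failed SET ROLE (for example when the connection user is not a member of the owner at all) then surfaces as an explicit error instead of the silent no-op the PR describes.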
Note: Medium Risk

Touches database privilege management logic and changes how SQL is executed (SET ROLE), which can impact access control behavior if owner detection or role membership is misconfigured.

Overview

Ensures SyncDatabaseGrants applies and removes schema/table privileges by first resolving schema/table owners and wrapping each GRANT/REVOKE (including schema USAGE) in SET ROLE <owner> ... RESET ROLE, so the controller can manage privileges on objects it doesn't directly own.

Updates RevokeAllDatabaseGrants to revoke table privileges under all unique table owners in a schema (not just the schema owner), and adds integration tests covering SET ROLE behavior with INHERIT FALSE membership to match production.

Reviewed by Cursor Bugbot for commit 03332c8.