set search_path for default roles

[FxKu]

fixes #1014

When creating databases through the preparedDatabases feature the search_path is not configured hence all created roles need to put schema qualifiers in their queries. But, the existing PgUser user type already has a field Parameters to allow for setting search_path individually. Even code for altering the role has already been there, although it wasn't used probably.

This PR defines a default search_path: "$user" for each role (note public is not included) and then appends all schemas, if it's a <dbname>_[owner|reader|writer] role or only one schema when it's a <dbname>_<schema>_[owner|reader|writer] role.

Adding databases with two schemas will have the following settings:

  preparedDatabases:
    bar:
      schemas:
        prod: {}
        audit: {}

SELECT r.rolname, d.datname, rs.setconfig
  FROM pg_db_role_setting rs
  LEFT JOIN pg_roles r ON r.oid = rs.setrole
  LEFT JOIN pg_database d ON d.oid = rs.setdatabase
  ORDER BY rolname;

     rolname      | datname |               setconfig                
------------------+---------+----------------------------------------
 bar_audit_owner  |         | {"search_path=\"$user\", audit"}
 bar_audit_reader |         | {"search_path=\"$user\", audit"}
 bar_audit_writer |         | {"search_path=\"$user\", audit"}
 bar_owner        |         | {"search_path=\"$user\", audit, prod"}
 bar_prod_owner   |         | {"search_path=\"$user\", prod"}
 bar_prod_reader  |         | {"search_path=\"$user\", prod"}
 bar_prod_writer  |         | {"search_path=\"$user\", prod"}
 bar_reader       |         | {"search_path=\"$user\", audit, prod"}
 bar_writer       |         | {"search_path=\"$user\", audit, prod"}

Open question 1:
If the database already contains roles that follow the naming pattern and existing databases and schemas are moved under the preparedDatabases key, existing search_path settings will be overwritten. Other example: The minimal cluster defines no schemas which would create a default schema data. At one point somebody defines new schemas under preparedDatabases and only these schemas are put into the search_path for the <dbname>_[owner|reader|writer] roles. data is lost. Solution: Get the current search_path and merge / concat it with the new one.

Open question 2:
Should the ALTER ROLE command be enriched with the IN DATABASE term? Probably, it's already fine because of default access privileges.

Open question 3:
Should there be an option to add public to the default search_path even if it's not that safe.

Open question 4:
In case the user is called like the schema, the default "$user" is good enough. Should we still append the schema name in case the role is renamed at some point in the future.

[Jan-M]

👍

[FxKu]

👍