Commit Graph

17 Commits (5f1d88a8299ca11bc9d1cf64f22eaa03fd8e4565)

Author SHA1 Message Date
Toshio Kuratomi c9b17136e4 Fix a problem introduced with #1101 and optimize privilege handling
* If a db user belonged to a role which had a privilege, the user would
  not have the privilege added as the role gave the appearance that the
  user already had it.  Fixed to always check the privileges specific to
  the user.
* Make fewer db queries to determine if privileges need to be changed
  and change them (was four for each privilege.  Now two for each object
  that has a set of privileges changed).
10 years ago
Toshio Kuratomi 7dd9f57e16 Fix splitting of role_attrs 10 years ago
Will Thames c956c65731 Usage is not a valid database or table privilege
Remove `USAGE` from the `VALID_PRIVS` dict for both database and
table because it is not a valid privilege for either (and
breaks the implementation of `has_table_privilege` and
`has_database_privilege`

See http://www.postgresql.org/docs/9.0/static/sql-grant.html
10 years ago
Will Thames 7d66da35a7 Perform privilege grants/revokes only when required
Use `has_table_privileges` and `has_database_privileges`
to test whether a user already has a privilege before
granting it, or whether a user doesn't have  a privilege
before revoking it.
10 years ago
Will Thames b4515c8909 Update postgresql users only when necessary
For read-only databases, users should not change when no changes
are required.

Don't issue ALTER ROLE when role attribute flags, users password
or expiry time is not changing.

In certain cases (hashed passwords in the DB, but the password
argument is not hashed) passlib.hash is required to avoid
running ALTER ROLE.
10 years ago
tedder bffd137edd code review fixes per #957 10 years ago
tedder 472331a53b skip password changes so pg_authid isn't needed
Some places ([AWS RDS](https://forums.aws.amazon.com/thread.jspa?threadID=151248)) don't have, or don't allow, access to the `pg_authid` table. The only reason that is necessary is to check for a password change.

This flag is a workaround so passwords can only be set at creation time. It isn't as elegant as changing the password down the line, but it fixes the longstanding issue #297 that prevented this from being useful on AWS RDS.
10 years ago
Toshio Kuratomi b766390ae2 Add USAGE as a valid privilege 10 years ago
Toshio Kuratomi 5af4463823 Gixes to doc formatting 10 years ago
Dan 3a3ff1f0e4 Adds a unix_socket/login_unix_socket option to the postgresql_user module. 10 years ago
Toshio Kuratomi 2a794fa776 Fix for single role_attr 10 years ago
Devin Christensen 06f1c1a97e Fix user_alter in postgresql_user 10 years ago
Devin Christensen c77ab67274 Fix user_add in postgresql_user 10 years ago
Devin Christensen 4a3d7473fd Fix syntax error 10 years ago
Toshio Kuratomi c84ae54294 Normalize privs and flags to uppercase so comparisons against allowed names will work 10 years ago
Toshio Kuratomi 51910a1a33 Audit escaping of identifiers in the postgresql_user module 10 years ago
Michael DeHaan 3ed1378067 Some more module categorization. 10 years ago