DRAFT VERIFY: PG matrix should fail without #135 grant fix #153
Closed
peter-svensson wants to merge 2 commits into
Deploy 5 versioned PostgreSQL instances (postgres-14 through postgres-18) in the kind cluster and run a focused matrix test exercising the CREATE USER + GRANT + CREATE DATABASE OWNER path for each version. PG 16+ tightened GRANT defaults to NOINHERIT, NOSET, NOADMIN. A regression in the operator's admin-grant statement that omits WITH INHERIT TRUE, SET TRUE will now fail loudly on PG 16/17/18 while still passing on PG 14/15. The matrix is light — one Database CR per version, asserting Ready phase and secret presence — so it stays cheap (~1 GB RAM, ~30-60s extra CI time) while pinning behaviour across the supported version range.
Connecting as the built-in 'postgres' superuser bypasses the SET ROLE check entirely (superusers can become any role unconditionally), so the original matrix passed even on PG 16/17/18 where the bug class is supposed to bite. Bootstrap each PG instance with a non-superuser 'dbuo_admin' role (LOGIN, CREATEDB, CREATEROLE, NOSUPERUSER, NOINHERIT) via a ConfigMap-mounted /docker-entrypoint-initdb.d/init.sql. Repoint the per-version connection-string Secrets at this admin. This mirrors managed-PG providers (Scaleway managed RDB, self-hosted PG 16+ without RDS-style event triggers) where the admin is not a superuser, so the operator's GRANT path is actually exercised.
Verification PR. Branch is pre-#135 main + non-superuser PG matrix. Expect Integration Tests to fail on PG 16/17/18 with 'must be able to SET ROLE' (42501). Will close once verified — do not merge.
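An added illustration, not code from this PR or from the operator: the SQL path the matrix is described as exercising, run against PostgreSQL 16+ with the default (empty) `createrole_self_grant`. The names `app_user` and `app_db` and both passwords are placeholders; `dbuo_admin` and its attributes are taken from the commit message above.

```sql
-- Session 1: superuser bootstrap, equivalent to the init.sql described above.
CREATE ROLE dbuo_admin LOGIN CREATEDB CREATEROLE NOSUPERUSER NOINHERIT
    PASSWORD 'placeholder-admin-password';

-- Session 2: connected as dbuo_admin (non-superuser) on PostgreSQL 16+.
CREATE ROLE app_user LOGIN PASSWORD 'placeholder-user-password';  -- hypothetical role

-- Check what dbuo_admin holds on the role it just created.
-- The inherit_option and set_option columns exist only on PostgreSQL 16+.
SELECT r.rolname AS role,
       m.rolname AS member,
       g.rolname AS grantor,
       a.admin_option,
       a.inherit_option,
       a.set_option
FROM pg_auth_members a
JOIN pg_roles r ON r.oid = a.roleid
JOIN pg_roles m ON m.oid = a.member
JOIN pg_roles g ON g.oid = a.grantor
WHERE r.rolname = 'app_user';

-- While dbuo_admin has no SET option on app_user, assigning ownership is
-- rejected with SQLSTATE 42501 ("must be able to SET ROLE"), the failure
-- the PR description expects on PG 16/17/18.
CREATE DATABASE app_db OWNER app_user;  -- hypothetical database

-- The creator holds ADMIN on app_user, so it can grant itself the missing
-- options. The WITH INHERIT / SET option syntax is accepted only on
-- PostgreSQL 16+, so a client targeting 14/15 as well must branch on the
-- server version.
GRANT app_user TO dbuo_admin WITH INHERIT TRUE, SET TRUE;

-- With SET granted, the same statement is permitted.
CREATE DATABASE app_db OWNER app_user;
```

Running Session 2 as the built-in `postgres` superuser skips the SET ROLE check, which is why the matrix connects as `dbuo_admin`.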