Description
hi,
I'm not a postgres expert, but I think I found an issue with the unless check for grants with ALL SEQUENCES IN SCHEMA.
Describe the Bug
I wanted to have otherwise unprivileged user that can dump a database:
postgresql::server::database_grant { "GRANT ${u} - CONNECT - ${d}":
privilege => 'CONNECT',
db => $d,
role => $u
}
postgresql::server::grant{ "GRANT ${u} - SELECT - all tables ${d}":
object_type => 'ALL TABLES IN SCHEMA',
object_name => 'public',
privilege => 'SELECT',
db => $d,
role => $u
}
postgresql::server::grant{ "GRANT ${u} - SELECT - all sequences ${d}":
object_type => 'ALL SEQUENCES IN SCHEMA',
object_name => 'public',
privilege => 'SELECT',
db => $d,
role => $u
}
This worked on one server, but would fail on others with a permission denied on a sequence.
While debugging the puppet run, I found the unless clause and discovered that it is using information_schema.sequences. This is a view that excludes pg_depend.deptype = 'i'::"char". This leads to the grant query never running if the database is only using identity sequences.
Expected Behavior
I would expect the postgresql::server::grant runs and grants the select permission on the sequence.
Steps to Reproduce
Puppet code from above with a database that has a table with something like id INT GENERATED ALWAYS AS IDENTITY.
Environment
- postgres 15
- puppetlabs-postgresql 9.1.1
- openvox 8.14.0
- Debian 11