Documentation ¶
Index ¶
- func Dump(ctx context.Context, conns *Connections) (string, error)
- func Escape(s string) string
- func FetchRoles(ctx context.Context, conn *pgx.Conn) (map[string]RoleAttributes, error)
- func MD5Password(username, password string) string
- func ScramSha256Password(password string) (string, error)
- func Sync(ctx context.Context, conns *Connections, desired []byte, ss SyncSink) error
- func SyncDatabases(ss SyncSink, wanted, tombstoned, actual []string)
- func SyncPrivileges(ss SyncSink, databases []string, actual, desired []GenericPrivilege)
- func SyncRoles(ss SyncSink, oldRoles, newRoles map[string]RoleAttributes, tombstoned []string)
- func SyncSchemas(ss SyncSink, wanted, tombstoned, actual []string)
- func ValidateConfig(c *Config) error
- type Config
- type Connections
- type GenericPrivilege
- type PasswordHasher
- type QueryForDatabase
- type Recorder
- type RoleAttributes
- type SyncSink
Functions ¶
func Dump ¶
func Dump(ctx context.Context, conns *Connections) (string, error)
Dump all permissions from a running cluster and return a config yaml.
func Escape ¶
Escape a string for use in a query. I don't fully guarantee this is correct, but it'll probably do for strings from the configuration.
func FetchRoles ¶
func FetchRoles(ctx context.Context, conn *pgx.Conn) (map[string]RoleAttributes, error)
FetchRoles returns all roles and their attributes from a running PostgreSQL cluster.
func MD5Password ¶ added in v0.0.4
func ScramSha256Password ¶ added in v0.0.4
func Sync ¶
Sync the desired configuration to a running cluster. Queries to be executed are sent to the SyncSink, not executed on the given connections.
func SyncDatabases ¶
SyncDatabases tells the SyncSink which queries should be executed to create/delete the databases.
func SyncPrivileges ¶
func SyncPrivileges(ss SyncSink, databases []string, actual, desired []GenericPrivilege)
SyncPrivileges tells the SyncSink which queries to execute to get towards the desired privileges.
func SyncRoles ¶
func SyncRoles(ss SyncSink, oldRoles, newRoles map[string]RoleAttributes, tombstoned []string)
SyncRoles tells the SyncSink which queries should be executed to get to the desired state.
func SyncSchemas ¶
SyncSchemas tells the SyncSink which queries should be executed to create/delete the schemas.
func ValidateConfig ¶
ValidateConfig checks whether the given config is correct.
Types ¶
type Config ¶
type Config struct {
    IgnoreSuperuserGrants *bool `yaml:"ignore_superuser_grants,omitempty"`

    Roles           map[string]RoleAttributes
    TombstonedRoles []string `yaml:"tombstoned_roles,omitempty"`

    Databases           []string
    TombstonedDatabases []string `yaml:"tombstoned_databases,omitempty"`

    Schemas           []string
    TombstonedSchemas []string `yaml:"tombstoned_schemas,omitempty"`

    DatabasePrivileges []GenericPrivilege `yaml:"database_privileges,omitempty"`
    SchemaPrivileges   []GenericPrivilege `yaml:"schema_privileges,omitempty"`
    TablePrivileges    []GenericPrivilege `yaml:"table_privileges,omitempty"`
    SequencePrivileges []GenericPrivilege `yaml:"sequence_privileges,omitempty"`
    // ColumnPrivileges []GenericPrivilege `yaml:"column_privileges,omitempty"`
    // ForeignDataWrapperPrivileges []GenericPrivilege `yaml:"foreign_data_wrapper_privileges,omitempty"`
    // ForeignServerPrivileges []GenericPrivilege `yaml:"foreign_server_privileges,omitempty"`
    // RoutinePrivileges []GenericPrivilege `yaml:"routine_privileges,omitempty"`
    LanguagePrivileges []GenericPrivilege `yaml:"language_privileges,omitempty"`
    // LargeObjectPrivileges []GenericPrivilege `yaml:"large_object_privileges,omitempty"`
    // TablespacePrivileges []GenericPrivilege `yaml:"tablespace_privileges,omitempty"`
    TypePrivileges []GenericPrivilege `yaml:"type_privileges,omitempty"`
}
Config is the YAML format.
func Gather ¶
func Gather(ctx context.Context, conns *Connections, interestingRoles, interestingDatabases []string) (*Config, error)
Gather all permissions from a running cluster.
func (Config) GetIgnoreSuperuserGrants ¶
type Connections ¶
type Connections struct {
// contains filtered or unexported fields
}
Connections is a set of connections to the same cluster, but connected to different databases.
func NewConnections ¶
func NewConnections(ctx context.Context, primary *pgx.Conn) *Connections
NewConnections creates a new set of connections, starting with given connection as the primary connection. Other connections will be made based on its config.
func (*Connections) Close ¶
func (c *Connections) Close()
Close all connections except for the primary.
func (*Connections) DropCachedConnection ¶
func (c *Connections) DropCachedConnection(database string)
DropCachedConnection disconnects from the given database name if needed.
func (*Connections) Get ¶
func (c *Connections) Get(database string) (*pgx.Conn, func(), error)
Get (or create) a connection to a specific database. You need to call the returned function when done with the connection.
type GenericPrivilege ¶
type GenericPrivilege struct {
    Roles      []string `yaml:"roles,flow"`
    Privileges []string `yaml:"privileges,flow"`
    Grantable  bool     `yaml:"grantable,omitempty"`

    Tables              []string `yaml:"tables,omitempty"`
    Columns             []string `yaml:"columns,omitempty"`
    Sequences           []string `yaml:"sequences,omitempty"`
    Databases           []string `yaml:"databases,omitempty"`
    Domains             []string `yaml:"domains,omitempty"`
    ForeignDataWrappers []string `yaml:"foreign_data_wrappers,omitempty"`
    ForeignServers      []string `yaml:"foreign_servers,omitempty"`
    Routines            []string `yaml:"routines,omitempty"`
    Languages           []string `yaml:"languages,omitempty"`
    LargeObjects        []string `yaml:"large_objects,omitempty"`
    Schemas             []string `yaml:"schemas,omitempty"`
    Tablespaces         []string `yaml:"tablespaces,omitempty"`
    Types               []string `yaml:"types,omitempty"`
}
GenericPrivilege is a set of privileges for a set of roles on a set of targets.
type PasswordHasher ¶ added in v0.0.4
func SelectPasswordHasher ¶ added in v0.0.4
func SelectPasswordHasher(ctx context.Context, conn *pgx.Conn) (PasswordHasher, error)
type QueryForDatabase ¶ added in v0.0.3
func (QueryForDatabase) String ¶ added in v0.0.3
func (q QueryForDatabase) String() string
type Recorder ¶
type Recorder struct {
// contains filtered or unexported fields
}
Recorder is a SyncSink that simply records all the queries.
func NewRecorder ¶
func NewRecorder() *Recorder
func (*Recorder) AddBarrier ¶
func (r *Recorder) AddBarrier()
func (*Recorder) Apply ¶ added in v0.0.3
func (r *Recorder) Apply(ctx context.Context, conns *Connections) error
func (*Recorder) Get ¶
func (r *Recorder) Get() []QueryForDatabase
Get returns all queries recorded by this Recorder.
type RoleAttributes ¶
type RoleAttributes struct {
    Superuser       bool       `yaml:"superuser,omitempty"`
    CreateDB        bool       `yaml:"createdb,omitempty"`
    CreateRole      bool       `yaml:"createrole,omitempty"`
    Inherit         *bool      `yaml:"inherit,omitempty"`
    Login           *bool      `yaml:"login,omitempty"`
    Replication     bool       `yaml:"replication,omitempty"`
    BypassRLS       bool       `yaml:"bypassrls,omitempty"`
    ConnectionLimit *int       `yaml:"connectionlimit,omitempty"`
    Password        *string    `yaml:"password,omitempty"`
    ValidUntil      *time.Time `yaml:"validuntil,omitempty"`
    MemberOf        []string   `yaml:"member_of,omitempty"`
    // contains filtered or unexported fields
}
RoleAttributes is a piece of configuration that describes which attributes a role should have.
func (RoleAttributes) CreateSQL ¶
func (r RoleAttributes) CreateSQL(username string) string
CreateSQL returns the SQL to create this role.
func (RoleAttributes) GetConnectionLimit ¶
func (r RoleAttributes) GetConnectionLimit() int
func (RoleAttributes) GetInherit ¶
func (r RoleAttributes) GetInherit() bool
func (RoleAttributes) GetLogin ¶
func (r RoleAttributes) GetLogin() bool
func (RoleAttributes) GetValidUntil ¶
func (r RoleAttributes) GetValidUntil() time.Time
type SyncSink ¶
type SyncSink interface {
    // Query is called when a query should be executed (in the given database) to get to the desired state.
    // Query can also be called with database "", indicating it can be run on any database.
    Query(database, query string)

    // AddBarrier is called between queries to indicate they can't be reordered across the barrier.
    // Implementations can safely ignore calls to AddBarrier, unless stable output is required (like the tests).
    AddBarrier()
}
SyncSink will be called for every query that should be executed to get to the desired state.
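Because Sync only hands queries to a SyncSink, a sink can act as a review gate before anything reaches the cluster. The following is an added example, not code from this package: `ReviewSink`, `Step`, `needsReview`, the keyword list and the sample SQL are all constructed for illustration, and the interface is copied locally so the block builds on its own.

```go
package main

import (
	"fmt"
	"strings"
)

// SyncSink is copied from the interface on this page so the example builds alone.
type SyncSink interface {
	Query(database, query string)
	AddBarrier()
}

// Step is one recorded query and the barrier-delimited phase it was emitted in.
type Step struct {
	Phase           int
	Database, Query string
	NeedsReview     bool
}

// ReviewSink (hypothetical) records queries instead of executing them.
type ReviewSink struct {
	phase int
	Steps []Step
}

// needsReview matches whole keywords, so NOSUPERUSER is not mistaken for SUPERUSER.
// The keyword list is an assumption for this example, not a complete policy.
func needsReview(query string) bool {
	up := strings.ToUpper(query)
	split := func(r rune) bool { return strings.ContainsRune(" \t\n;,()", r) }
	for _, tok := range strings.FieldsFunc(up, split) {
		switch tok {
		case "SUPERUSER", "BYPASSRLS", "CREATEROLE", "DROP":
			return true
		}
	}
	return strings.Contains(up, "WITH GRANT OPTION")
}

func (s *ReviewSink) Query(database, query string) {
	s.Steps = append(s.Steps, Step{s.phase, database, query, needsReview(query)})
}

// AddBarrier starts a new phase; steps must not be reordered across phases.
func (s *ReviewSink) AddBarrier() { s.phase++ }

func main() {
	sink := &ReviewSink{}
	sink.Query("", `CREATE ROLE "app" NOSUPERUSER LOGIN`) // constructed sample SQL
	sink.AddBarrier()
	sink.Query("appdb", `GRANT SELECT ON TABLE "t" TO "app" WITH GRANT OPTION`)
	for _, st := range sink.Steps {
		fmt.Printf("phase=%d db=%q review=%v %s\n", st.Phase, st.Database, st.NeedsReview, st.Query)
	}
}
```

Steps with `NeedsReview` set can be held for manual approval while the rest are applied phase by phase in recorded order.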