Add support for GRANT SCHEMA and ALL TABLES IN SCHEMA

Author: Benoît Marcelin

manifests/server/grant.pp

@@ -24,12 +24,14 @@
     #'FOREIGN DATA WRAPPER',
     #'FUNCTION',
     #'PROCEDURAL LANGUAGE',
-    #'SCHEMA',
+    'SCHEMA',
     #'SEQUENCE',
     'TABLE',
+    'ALL TABLES IN SCHEMA',
     #'TABLESPACE',
     #'VIEW',
   )
+  # You can use ALL TABLES IN SCHEMA by passing schema_name to object_name
 
   ## Validate that the object type's privilege is acceptable
   # TODO: this is a terrible hack; if they pass "ALL" as the desired privilege,
@@ -43,14 +45,25 @@
   case $_object_type {
     'DATABASE': {
       $unless_privilege = $_privilege ? {
-        'ALL'   => 'CREATE',
-        default => $_privilege,
+        'ALL'            => 'CREATE',
+        'ALL PRIVILEGES' => 'CREATE',
+        default          => $_privilege,
       }
       validate_string($unless_privilege,'CREATE','CONNECT','TEMPORARY','TEMP',
         'ALL','ALL PRIVILEGES')
       $unless_function = 'has_database_privilege'
       $on_db = $psql_db
     }
+    'SCHEMA': {
+      $unless_privilege = $_privilege ? {
+        'ALL'            => 'CREATE',
+        'ALL PRIVILEGES' => 'CREATE',
+        default          => $_privilege,
+      }
+      validate_string($_privilege, 'CREATE', 'USAGE', 'ALL', 'ALL PRIVILEGES')
+      $unless_function = 'has_schema_privilege'
+      $on_db = $db
+    }
     'TABLE': {
       $unless_privilege = $_privilege ? {
         'ALL'   => 'INSERT',
@@ -61,20 +74,50 @@
       $unless_function = 'has_table_privilege'
       $on_db = $db
     }
+    'ALL TABLES IN SCHEMA': {
+      validate_string($_privilege, 'SELECT', 'INSERT', 'UPDATE', 'REFERENCES',
+        'ALL', 'ALL PRIVILEGES')
+      $unless_function = false # There is no way to test it simply
+      $on_db = $db
+    }
     default: {
       fail("Missing privilege validation for object type ${_object_type}")
     }
   }
 
-  $grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${object_name}\" TO \"${role}\""
+  # This is used to give grant to "schemaname"."tablename"
+  # If you need such grant, use:
+  # postgresql::grant { 'table:foo':
+  #   role        => 'joe',
+  #   …
+  #   object_type => 'TABLE',
+  #   object_name => [$schema, $table],
+  # }
+  if is_array($object_name) {
+    $_togrant_object = join($object_name, '"."')
+    # Never put double quotes into has_*_privilege function
+    $_granted_object = join($object_name, '.')
+  } else {
+    $_granted_object = $object_name
+    $_togrant_object = $object_name
+  }
+
+  $_unless = $unless_function ? {
+      false   => undef,
+      default => "SELECT 1 WHERE ${unless_function}('${role}',
+                  '${_granted_object}', '${unless_privilege}')",
+  }
+
+  $grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${_togrant_object}\" TO
+      \"${role}\""
   postgresql_psql { "grant:${name}":
     command    => $grant_cmd,
     db         => $on_db,
     port       => $port,
     psql_user  => $psql_user,
     psql_group => $group,
     psql_path  => $psql_path,
-    unless     => "SELECT 1 WHERE ${unless_function}('${role}', '${object_name}', '${unless_privilege}')",
+    unless     => $_unless,
     require    => Class['postgresql::server']
   }