What happened?
Creating a DefaultPrivileges resource with objectType: schema always fails. The provider generates an ALTER DEFAULT PRIVILEGES ... IN SCHEMA ... GRANT/REVOKE ON SCHEMAS statement, but PostgreSQL does not allow the IN SCHEMA clause when the object type is SCHEMAS.
Expected: the resource reconciles successfully, and the role is granted the privilege on the schema
Actual error from the controller:
cannot create default privileges: pq: cannot use IN SCHEMA clause when using GRANT/REVOKE ON SCHEMAS
The root cause is in createDefaultPrivilegesQuery and deleteDefaultPrivilegesQuery (pkg/controller/cluster/postgresql/default_privileges/reconciler.go, lines 193 and 210): inSchema() is called unconditionally regardless of objectType, but PostgreSQL only permits IN SCHEMA for table, sequence, function, and type - not for schema itself.
How can we reproduce it?
Apply the following manifest:
apiVersion: postgresql.sql.m.crossplane.io/v1alpha1
kind: DefaultPrivileges
metadata:
name: example-schema-usage
spec:
forProvider:
databaseRef:
name: my-database
objectType: schema
privileges:
- USAGE
roleRef:
name: my-role
schema: public
targetRole: my-target-role
providerConfigRef:
kind: ClusterProviderConfig
name: my-provider-configWhat environment did it happen in?
Crossplane version: v2.2.0
provider-sql version: v0.14.0
Suggested fix
Remove schema from the objectType enum in the DefaultPrivileges CRD spec.
This is technically a breaking change to the CRD, but since objectType: schema has never produced valid SQL, no working resources can exist that rely on it (as far as I can tell).
What happened?
Creating a
DefaultPrivilegesresource withobjectType: schemaalways fails. The provider generates anALTER DEFAULT PRIVILEGES ... IN SCHEMA ... GRANT/REVOKE ON SCHEMASstatement, but PostgreSQL does not allow theIN SCHEMAclause when the object type isSCHEMAS.Expected: the resource reconciles successfully, and the role is granted the privilege on the schema
Actual error from the controller:
cannot create default privileges: pq: cannot use IN SCHEMA clause when using GRANT/REVOKE ON SCHEMASThe root cause is in
createDefaultPrivilegesQueryanddeleteDefaultPrivilegesQuery(pkg/controller/cluster/postgresql/default_privileges/reconciler.go, lines 193 and 210):inSchema()is called unconditionally regardless of objectType, but PostgreSQL only permitsIN SCHEMAfor table, sequence, function, and type - not for schema itself.How can we reproduce it?
Apply the following manifest:
What environment did it happen in?
Crossplane version:
v2.2.0provider-sql version:
v0.14.0Suggested fix
Remove
schemafrom theobjectTypeenum in theDefaultPrivilegesCRD spec.This is technically a breaking change to the CRD, but since
objectType: schemahas never produced valid SQL, no working resources can exist that rely on it (as far as I can tell).