mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-01-22 12:53:54 +00:00
nixos/postgresql: restore ensurePermissions and strong-deprecate it
As it is technically a breaking change, we should at least make a strong deprecation of `ensurePermissions` and leave it in the broken state it is in, for out-of-tree users. We give them 6 months' notice to migrate away by doing so, which is honest. In the meantime, we forbid usage of `ensurePermissions` inside of nixpkgs.
This commit is contained in:
parent
48459567ae
commit
12797a6a39
@ -165,6 +165,33 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
ensurePermissions = mkOption {
|
||||
type = types.attrsOf types.str;
|
||||
default = {};
|
||||
visible = false; # This option has been deprecated.
|
||||
description = lib.mdDoc ''
|
||||
This option is DEPRECATED and should not be used in nixpkgs anymore,
|
||||
use `ensureDBOwnership` instead. It can also break with newer
|
||||
versions of PostgreSQL (≥ 15).
|
||||
|
||||
Permissions to ensure for the user, specified as an attribute set.
|
||||
The attribute names specify the database and tables to grant the permissions for.
|
||||
The attribute values specify the permissions to grant. You may specify one or
|
||||
multiple comma-separated SQL privileges here.
|
||||
|
||||
For more information on how to specify the target
|
||||
and on which privileges exist, see the
|
||||
[GRANT syntax](https://www.postgresql.org/docs/current/sql-grant.html).
|
||||
The attributes are used as `GRANT ''${attrValue} ON ''${attrName}`.
|
||||
'';
|
||||
example = literalExpression ''
|
||||
{
|
||||
"DATABASE \"nextcloud\"" = "ALL PRIVILEGES";
|
||||
"ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
|
||||
}
|
||||
'';
|
||||
};
|
||||
|
||||
ensureDBOwnership = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
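Review bot: With `visible = false` on the restored `ensurePermissions` option, the `description` and `example` are presumably not rendered in the options manual, so the deprecation text and the pointer to `ensureDBOwnership` written here will not reach out-of-tree users through the docs. Either keep the option visible until removal or make sure the evaluation warning carries the full migration hint. The description could also state that attribute names and values are passed verbatim into `GRANT ''${attrValue} ON ''${attrName}`, since the type is a free-form `types.attrsOf types.str` with no validation.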
@ -441,6 +468,17 @@ in
|
||||
}
|
||||
];
|
||||
|
||||
# `ensurePermissions` is now deprecated, let's avoid it.
|
||||
warnings = lib.optional (any ({ ensurePermissions, ... }: ensurePermissions != {}) cfg.ensureUsers) "
|
||||
`services.postgresql.*.ensurePermissions` is used in your expressions,
|
||||
this option is known to be broken with newer PostgreSQL versions,
|
||||
consider migrating to `services.postgresql.*.ensureDBOwnership` or
|
||||
consult the release notes or manual for more migration guidelines.
|
||||
|
||||
This option will be removed in NixOS 24.05 unless it sees significant
|
||||
maintenance improvements.
|
||||
";
|
||||
|
||||
services.postgresql.settings =
|
||||
{
|
||||
hba_file = "${pkgs.writeText "pg_hba.conf" cfg.authentication}";
|
||||
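Review bot: The option path in the warning text, `services.postgresql.*.ensurePermissions`, does not match where the option lives: the check iterates `cfg.ensureUsers`, so the path users need to search for is `services.postgresql.ensureUsers.*.ensurePermissions` (same for `ensureDBOwnership`). The warning also does not say which entries triggered it; filtering `cfg.ensureUsers` on `ensurePermissions != {}` and listing the matching `name` values would make the migration much easier to act on in a large configuration.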
@ -552,7 +590,12 @@ in
|
||||
${
|
||||
concatMapStrings
|
||||
(user:
|
||||
let
|
||||
let
|
||||
userPermissions = concatStringsSep "\n"
|
||||
(mapAttrsToList
|
||||
(database: permission: ''$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"' '')
|
||||
user.ensurePermissions
|
||||
);
|
||||
dbOwnershipStmt = optionalString
|
||||
user.ensureDBOwnership
|
||||
''$PSQL -tAc 'ALTER DATABASE "${user.name}" OWNER TO "${user.name}";' '';
|
||||
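Review bot: In the restored `userPermissions` binding, `${permission}` and `${database}` are interpolated unescaped into a single-quoted shell argument (`$PSQL -tAc 'GRANT ${permission} ON ${database} TO "${user.name}"'`), so any attribute name or value containing a single quote breaks the shell quoting of the generated command. Even for a deprecated option that stays for six months, building the statement as a Nix string and passing it through `lib.escapeShellArg` would be safer. If the intent is to restore the old behaviour byte for byte, a comment saying so would help the next reader.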
@ -564,6 +607,7 @@ in
|
||||
userClauses = ''$PSQL -tAc 'ALTER ROLE "${user.name}" ${concatStringsSep " " clauseSqlStatements}' '';
|
||||
in ''
|
||||
$PSQL -tAc "SELECT 1 FROM pg_roles WHERE rolname='${user.name}'" | grep -q 1 || $PSQL -tAc 'CREATE USER "${user.name}"'
|
||||
${userPermissions}
|
||||
${userClauses}
|
||||
|
||||
${dbOwnershipStmt}
|
||||
|
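Review bot: The restored `${userPermissions}` line carries no comment marking it as compatibility code for a deprecated option, while the warning added in this commit announces removal in NixOS 24.05. A short comment here (and at the `userPermissions` binding) pointing at the deprecation would make the later cleanup mechanical. It is also worth documenting that the grants are emitted before `${userClauses}` and `${dbOwnershipStmt}`, so they run before the `ALTER DATABASE ... OWNER TO` statement; if that ordering matters for users combining both options during migration, say so in the release notes.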