From 80ebbde7016dcc652092ef4ba256fcab4e752635 Mon Sep 17 00:00:00 2001 From: Azim Sonawalla Date: Sun, 11 Jan 2026 22:37:25 -0500 Subject: [PATCH 1/3] fix: include FOR ROLE in ALTER DEFAULT PRIVILEGES DDL When generating DDL for default privileges owned by a role other than the current user, pgschema was omitting the FOR ROLE clause. This caused PostgreSQL to apply the statement to the current user's defaults instead of the owning role's, resulting in an infinite plan loop where the same changes would be detected repeatedly. Changes: - Add OwnerRole field to DefaultPrivilege struct in IR - Update pg_default_acl query to extract defaclrole (owning role) - Include owner role in diff comparison key - Generate DDL with FOR ROLE clause: ALTER DEFAULT PRIVILEGES FOR ROLE IN SCHEMA ... - Add cross-role test case (drop_privilege) to verify the fix The fix always includes FOR ROLE in generated DDL, which is explicit and correct regardless of which user runs the migration. Co-Authored-By: Claude Opus 4.5 --- internal/diff/default_privilege.go | 36 ++++++++++--------- internal/diff/diff.go | 15 ++++++-- ir/inspector.go | 12 +++++-- ir/ir.go | 3 +- ir/queries/queries.sql | 4 ++- ir/queries/queries.sql.go | 6 +++- .../add_function_privilege/diff.sql | 2 +- .../add_privilege_with_grant_option/diff.sql | 2 +- .../add_sequence_privilege/diff.sql | 2 +- .../add_table_privilege/diff.sql | 4 +-- .../add_type_privilege/diff.sql | 2 +- .../alter_privilege/diff.sql | 4 +-- .../alter_privilege_and_grant_option/diff.sql | 6 ++-- .../default_privilege/drop_privilege/diff.sql | 4 +-- .../default_privilege/drop_privilege/new.sql | 9 +++++ .../default_privilege/drop_privilege/old.sql | 13 ++++++- 16 files changed, 85 insertions(+), 39 deletions(-) diff --git a/internal/diff/default_privilege.go b/internal/diff/default_privilege.go index 0ff36bfa..5341373f 100644 --- a/internal/diff/default_privilege.go +++ b/internal/diff/default_privilege.go 
@@ -16,7 +16,7 @@ func generateCreateDefaultPrivilegesSQL(privileges []*ir.DefaultPrivilege, targe context := &diffContext{ Type: DiffTypeDefaultPrivilege, Operation: DiffOperationCreate, - Path: fmt.Sprintf("default_privileges.%s.%s", dp.ObjectType, dp.Grantee), + Path: fmt.Sprintf("default_privileges.%s.%s.%s", dp.OwnerRole, dp.ObjectType, dp.Grantee), Source: dp, CanRunInTransaction: true, } @@ -33,7 +33,7 @@ func generateDropDefaultPrivilegesSQL(privileges []*ir.DefaultPrivilege, targetS context := &diffContext{ Type: DiffTypeDefaultPrivilege, Operation: DiffOperationDrop, - Path: fmt.Sprintf("default_privileges.%s.%s", dp.ObjectType, dp.Grantee), + Path: fmt.Sprintf("default_privileges.%s.%s.%s", dp.OwnerRole, dp.ObjectType, dp.Grantee), Source: dp, CanRunInTransaction: true, } @@ -50,7 +50,7 @@ func generateModifyDefaultPrivilegesSQL(diffs []*defaultPrivilegeDiff, targetSch context := &diffContext{ Type: DiffTypeDefaultPrivilege, Operation: DiffOperationAlter, - Path: fmt.Sprintf("default_privileges.%s.%s", diff.New.ObjectType, diff.New.Grantee), + Path: fmt.Sprintf("default_privileges.%s.%s.%s", diff.New.OwnerRole, diff.New.ObjectType, diff.New.Grantee), Source: diff, CanRunInTransaction: true, } @@ -76,8 +76,8 @@ func generateGrantDefaultPrivilegeSQL(dp *ir.DefaultPrivilege, targetSchema stri grantee = ir.QuoteIdentifier(grantee) } - sql := fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON %s TO %s", - ir.QuoteIdentifier(targetSchema), privStr, dp.ObjectType, grantee) + sql := fmt.Sprintf("ALTER DEFAULT PRIVILEGES FOR ROLE %s IN SCHEMA %s GRANT %s ON %s TO %s", + ir.QuoteIdentifier(dp.OwnerRole), ir.QuoteIdentifier(targetSchema), privStr, dp.ObjectType, grantee) if dp.WithGrantOption { sql += " WITH GRANT OPTION" 
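Review bot: In generateGrantDefaultPrivilegeSQL (hunk at -76,8) `dp.OwnerRole` is passed straight into `FOR ROLE %s` with no check that it is set, so an entry whose owner was never populated would produce a statement with an empty role name, or whatever `ir.QuoteIdentifier` returns for `""`. The inspector fills the field, but an IR deserialized from JSON written before `owner_role` existed would presumably carry the zero value. I would reject such an entry before building SQL and record the invariant above the Sprintf, e.g. `// OwnerRole must be non-empty here: FOR ROLE is always emitted`. The same unchecked use appears in generateRevokeDefaultPrivilegeSQL (-102,8) and in generateAlterDefaultPrivilegeStatements (-141,20 and -177,12). The function body continues outside this hunk.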
@@ -102,8 +102,8 @@ func generateRevokeDefaultPrivilegeSQL(dp *ir.DefaultPrivilege, targetSchema str grantee = ir.QuoteIdentifier(grantee) } - return fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s REVOKE %s ON %s FROM %s;", - ir.QuoteIdentifier(targetSchema), privStr, dp.ObjectType, grantee) + return fmt.Sprintf("ALTER DEFAULT PRIVILEGES FOR ROLE %s IN SCHEMA %s REVOKE %s ON %s FROM %s;", + ir.QuoteIdentifier(dp.OwnerRole), ir.QuoteIdentifier(targetSchema), privStr, dp.ObjectType, grantee) } // generateAlterDefaultPrivilegeStatements generates statements for privilege modifications @@ -141,20 +141,21 @@ func (d *defaultPrivilegeDiff) generateAlterDefaultPrivilegeStatements(targetSch } else { grantee = ir.QuoteIdentifier(grantee) } + quotedOwner := ir.QuoteIdentifier(d.New.OwnerRole) quotedSchema := ir.QuoteIdentifier(targetSchema) // Generate REVOKE for removed privileges if len(toRevoke) > 0 { sort.Strings(toRevoke) - statements = append(statements, fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s REVOKE %s ON %s FROM %s;", - quotedSchema, strings.Join(toRevoke, ", "), d.Old.ObjectType, grantee)) + statements = append(statements, fmt.Sprintf("ALTER DEFAULT PRIVILEGES FOR ROLE %s IN SCHEMA %s REVOKE %s ON %s FROM %s;", + quotedOwner, quotedSchema, strings.Join(toRevoke, ", "), d.Old.ObjectType, grantee)) } // Generate GRANT for added privileges if len(toGrant) > 0 { sort.Strings(toGrant) - sql := fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON %s TO %s", - quotedSchema, strings.Join(toGrant, ", "), d.New.ObjectType, grantee) + sql := fmt.Sprintf("ALTER DEFAULT PRIVILEGES FOR ROLE %s IN SCHEMA %s GRANT %s ON %s TO %s", + quotedOwner, quotedSchema, strings.Join(toGrant, ", "), d.New.ObjectType, grantee) if d.New.WithGrantOption { sql += " WITH GRANT OPTION" } 
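Review bot: The doc comment on generateAlterDefaultPrivilegeStatements, visible as context at the end of the -102,8 hunk, does not record that every statement it builds in the -141,20 hunk now names the owning role. That changes who can apply the plan: PostgreSQL accepts `ALTER DEFAULT PRIVILEGES FOR ROLE x` only from `x` itself, a member of `x`, or a superuser, so a plan that used to run (against the wrong role) can now fail with a permission error. I would extend the comment with `// Every statement carries FOR ROLE <owner>; the role applying the plan must be that role, a member of it, or a superuser.` and put the same sentence on generateGrantDefaultPrivilegeSQL and generateRevokeDefaultPrivilegeSQL. Stating it here also lets operators grant the migration role membership in the owning role instead of running as superuser.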
@@ -177,12 +178,12 @@ func (d *defaultPrivilegeDiff) generateAlterDefaultPrivilegeStatements(targetSch unchangedStr := strings.Join(unchanged, ", ") // Revoke unchanged privileges first - statements = append(statements, fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s REVOKE %s ON %s FROM %s;", - quotedSchema, unchangedStr, d.New.ObjectType, grantee)) + statements = append(statements, fmt.Sprintf("ALTER DEFAULT PRIVILEGES FOR ROLE %s IN SCHEMA %s REVOKE %s ON %s FROM %s;", + quotedOwner, quotedSchema, unchangedStr, d.New.ObjectType, grantee)) // Re-grant with correct option - sql := fmt.Sprintf("ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT %s ON %s TO %s", - quotedSchema, unchangedStr, d.New.ObjectType, grantee) + sql := fmt.Sprintf("ALTER DEFAULT PRIVILEGES FOR ROLE %s IN SCHEMA %s GRANT %s ON %s TO %s", + quotedOwner, quotedSchema, unchangedStr, d.New.ObjectType, grantee) if d.New.WithGrantOption { sql += " WITH GRANT OPTION" } @@ -195,11 +196,14 @@ func (d *defaultPrivilegeDiff) generateAlterDefaultPrivilegeStatements(targetSch // GetObjectName returns a unique identifier for the default privilege diff func (d *defaultPrivilegeDiff) GetObjectName() string { - return string(d.New.ObjectType) + ":" + d.New.Grantee + return d.New.OwnerRole + ":" + string(d.New.ObjectType) + ":" + d.New.Grantee } // defaultPrivilegesEqual checks if two default privileges are structurally equal func defaultPrivilegesEqual(old, new *ir.DefaultPrivilege) bool { + if old.OwnerRole != new.OwnerRole { + return false + } if old.ObjectType != new.ObjectType { return false } diff --git a/internal/diff/diff.go b/internal/diff/diff.go index 10782a22..d3527b10 100644 --- a/internal/diff/diff.go +++ b/internal/diff/diff.go 
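Review bot: The identifier returned by defaultPrivilegeDiff.GetObjectName (hunk at -196,11) joins owner, object type and grantee with `:` and no quoting, yet a quoted PostgreSQL role name may itself contain `:`, so two different entries can produce the same string. A constructed example: owner `a:TABLES` with grantee `b`, and owner `a` with grantee `TABLES:b`, both give `a:TABLES:TABLES:b`. The same concatenation is the map key in GenerateMigration (internal/diff/diff.go, hunks at -938,7 and -946,7), where a collision would let one default privilege overwrite another before the diff is computed, and it is repeated in DefaultPrivilege.GetObjectName in ir/ir.go. For the maps, a comparable struct key such as `struct{ owner, objType, grantee string }`, like `privKey` in ir/inspector.go, removes the ambiguity. For the two string identifiers I would at least add `// not collision-free when role names contain ':'`.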
@@ -938,7 +938,7 @@ func GenerateMigration(oldIR, newIR *ir.IR, targetSchema string) []Diff { // Extract default privileges from all schemas in oldIR for _, dbSchema := range oldIR.Schemas { for _, dp := range dbSchema.DefaultPrivileges { - key := string(dp.ObjectType) + ":" + dp.Grantee + key := dp.OwnerRole + ":" + string(dp.ObjectType) + ":" + dp.Grantee oldDefaultPrivs[key] = dp } } @@ -946,7 +946,7 @@ func GenerateMigration(oldIR, newIR *ir.IR, targetSchema string) []Diff { // Extract default privileges from all schemas in newIR for _, dbSchema := range newIR.Schemas { for _, dp := range dbSchema.DefaultPrivileges { - key := string(dp.ObjectType) + ":" + dp.Grantee + key := dp.OwnerRole + ":" + string(dp.ObjectType) + ":" + dp.Grantee newDefaultPrivs[key] = dp } } 
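Review bot: With OwnerRole in the map key (hunks at -938,7 and -946,7), an old and a new entry are paired only when their owner names are identical, and nothing visible here normalises the owner on the desired-state side. The fixtures updated in this patch expect `FOR ROLE testuser` for inputs that never name a role, which suggests the owner is whichever role applied the desired-state SQL. If that role differs from the one holding the defaults in the target database, the plan would presumably show a drop plus a create and emit FOR ROLE for a role name taken from the planning environment. I would state the assumption beside the key, e.g. `// OwnerRole is compared verbatim: the desired-state owner must already match the target database's role name`, and add a test where the two differ. Both loops sit inside GenerateMigration, which starts and ends outside these hunks.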
@@ -977,20 +977,29 @@ func GenerateMigration(oldIR, newIR *ir.IR, targetSchema string) []Diff { } } - // Sort default privileges for deterministic output + // Sort default privileges for deterministic output (by owner_role, then object_type, then grantee) sort.Slice(diff.addedDefaultPrivileges, func(i, j int) bool { + if diff.addedDefaultPrivileges[i].OwnerRole != diff.addedDefaultPrivileges[j].OwnerRole { + return diff.addedDefaultPrivileges[i].OwnerRole < diff.addedDefaultPrivileges[j].OwnerRole + } if diff.addedDefaultPrivileges[i].ObjectType != diff.addedDefaultPrivileges[j].ObjectType { return diff.addedDefaultPrivileges[i].ObjectType < diff.addedDefaultPrivileges[j].ObjectType } return diff.addedDefaultPrivileges[i].Grantee < diff.addedDefaultPrivileges[j].Grantee }) sort.Slice(diff.droppedDefaultPrivileges, func(i, j int) bool { + if diff.droppedDefaultPrivileges[i].OwnerRole != diff.droppedDefaultPrivileges[j].OwnerRole { + return diff.droppedDefaultPrivileges[i].OwnerRole < diff.droppedDefaultPrivileges[j].OwnerRole + } if diff.droppedDefaultPrivileges[i].ObjectType != diff.droppedDefaultPrivileges[j].ObjectType { return diff.droppedDefaultPrivileges[i].ObjectType < diff.droppedDefaultPrivileges[j].ObjectType } return diff.droppedDefaultPrivileges[i].Grantee < diff.droppedDefaultPrivileges[j].Grantee }) sort.Slice(diff.modifiedDefaultPrivileges, func(i, j int) bool { + if diff.modifiedDefaultPrivileges[i].New.OwnerRole != diff.modifiedDefaultPrivileges[j].New.OwnerRole { + return diff.modifiedDefaultPrivileges[i].New.OwnerRole < diff.modifiedDefaultPrivileges[j].New.OwnerRole + } if diff.modifiedDefaultPrivileges[i].New.ObjectType != diff.modifiedDefaultPrivileges[j].New.ObjectType { return diff.modifiedDefaultPrivileges[i].New.ObjectType < diff.modifiedDefaultPrivileges[j].New.ObjectType } diff --git a/ir/inspector.go b/ir/inspector.go index 12b01ff2..c269b99e 100644 --- a/ir/inspector.go +++ b/ir/inspector.go 
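Review bot: The three `sort.Slice` comparators in this hunk now repeat the same owner, object type, grantee ordering, each with its own copy of the new OwnerRole branch, and ir/inspector.go carries a fourth copy. A later change to the ordering has to be made in every copy, and a missed one would silently reorder plan output. I would move the ordering into one helper and call it from each comparator, assuming the added and dropped slices hold `*ir.DefaultPrivilege` as the generate* signatures suggest. The third comparator is cut off by the end of the hunk, so its remaining lines are not shown here.

```go
// lessDefaultPrivilege orders default privileges by owner role, then object type, then grantee.
func lessDefaultPrivilege(a, b *ir.DefaultPrivilege) bool {
	if a.OwnerRole != b.OwnerRole {
		return a.OwnerRole < b.OwnerRole
	}
	if a.ObjectType != b.ObjectType {
		return a.ObjectType < b.ObjectType
	}
	return a.Grantee < b.Grantee
}

// … unchanged: GenerateMigration up to the default-privilege sorting …
	sort.Slice(diff.addedDefaultPrivileges, func(i, j int) bool {
		return lessDefaultPrivilege(diff.addedDefaultPrivileges[i], diff.addedDefaultPrivileges[j])
	})
	sort.Slice(diff.droppedDefaultPrivileges, func(i, j int) bool {
		return lessDefaultPrivilege(diff.droppedDefaultPrivileges[i], diff.droppedDefaultPrivileges[j])
	})
	sort.Slice(diff.modifiedDefaultPrivileges, func(i, j int) bool {
		return lessDefaultPrivilege(diff.modifiedDefaultPrivileges[i].New, diff.modifiedDefaultPrivileges[j].New)
	})
```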
@@ -2050,8 +2050,9 @@ func (i *Inspector) buildDefaultPrivileges(ctx context.Context, schema *IR, targ return nil } - // Group privileges by (object_type, grantee, is_grantable) + // Group privileges by (owner_role, object_type, grantee, is_grantable) type privKey struct { + OwnerRole string ObjectType string Grantee string WithGrantOption bool @@ -2059,11 +2060,12 @@ func (i *Inspector) buildDefaultPrivileges(ctx context.Context, schema *IR, targ grouped := make(map[privKey][]string) for _, p := range privileges { - if !p.ObjectType.Valid || !p.Grantee.Valid || !p.PrivilegeType.Valid { + if !p.OwnerRole.Valid || !p.ObjectType.Valid || !p.Grantee.Valid || !p.PrivilegeType.Valid { continue } key := privKey{ + OwnerRole: p.OwnerRole.String, ObjectType: p.ObjectType.String, Grantee: p.Grantee.String, WithGrantOption: p.IsGrantable.Valid && p.IsGrantable.Bool, @@ -2078,6 +2080,7 @@ func (i *Inspector) buildDefaultPrivileges(ctx context.Context, schema *IR, targ // Sort privileges for deterministic IR output sort.Strings(privs) dp := &DefaultPrivilege{ + OwnerRole: key.OwnerRole, ObjectType: DefaultPrivilegeObjectType(key.ObjectType), Grantee: key.Grantee, Privileges: privs, @@ -2086,8 +2089,11 @@ func (i *Inspector) buildDefaultPrivileges(ctx context.Context, schema *IR, targ defaultPrivileges = append(defaultPrivileges, dp) } - // Sort for deterministic output + // Sort for deterministic output (by owner_role, then object_type, then grantee) sort.Slice(defaultPrivileges, func(i, j int) bool { + if defaultPrivileges[i].OwnerRole != defaultPrivileges[j].OwnerRole { + return defaultPrivileges[i].OwnerRole < defaultPrivileges[j].OwnerRole + } if defaultPrivileges[i].ObjectType != defaultPrivileges[j].ObjectType { return defaultPrivileges[i].ObjectType < defaultPrivileges[j].ObjectType } diff --git a/ir/ir.go b/ir/ir.go index 2e1555a5..c2009df2 100644 --- a/ir/ir.go +++ b/ir/ir.go 
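Review bot: The new `!p.OwnerRole.Valid` test in buildDefaultPrivileges (hunk at -2059,11) drops the row with a bare `continue`, so a default ACL whose owner could not be resolved would vanish from the IR and the plan would say nothing about it. The check is also unlikely to fire for that case: `pg_get_userbyid`, which supplies `owner_role` in the ir/queries/queries.sql hunk at -1215,6, returns placeholder text of the form `unknown (OID=...)` for an OID with no matching role rather than NULL, and that text would then reach `FOR ROLE`. Resolving the name with `LEFT JOIN pg_roles o ON o.oid = a.defaclrole` and selecting `o.rolname AS owner_role` would return NULL for an unresolved owner, which gives the Valid check something to catch. The skip should also carry a comment such as `// rows with an unresolved owner or grantee cannot be expressed as DDL and are skipped`. The function starts and ends outside the hunks shown.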
@@ -416,6 +416,7 @@ const ( // DefaultPrivilege represents an ALTER DEFAULT PRIVILEGES setting type DefaultPrivilege struct { + OwnerRole string `json:"owner_role"` // Role that owns the default privilege ObjectType DefaultPrivilegeObjectType `json:"object_type"` // TABLES, SEQUENCES, FUNCTIONS, TYPES Grantee string `json:"grantee"` // Role name or "PUBLIC" Privileges []string `json:"privileges"` // SELECT, INSERT, UPDATE, etc. @@ -424,7 +425,7 @@ type DefaultPrivilege struct { // GetObjectName returns a unique identifier for the default privilege func (d *DefaultPrivilege) GetObjectName() string { - return string(d.ObjectType) + ":" + d.Grantee + return d.OwnerRole + ":" + string(d.ObjectType) + ":" + d.Grantee } // PrivilegeObjectType represents the object type for explicit privilege grants diff --git a/ir/queries/queries.sql b/ir/queries/queries.sql index 33f6b587..318a7a61 100644 --- a/ir/queries/queries.sql +++ b/ir/queries/queries.sql @@ -1206,6 +1206,7 @@ ORDER BY n.nspname, t.typname, a.attnum; -- name: GetDefaultPrivilegesForSchema :many WITH acl_expanded AS ( SELECT + d.defaclrole, d.defaclobjtype, (aclexplode(d.defaclacl)).grantee AS grantee_oid, (aclexplode(d.defaclacl)).privilege_type AS privilege_type, @@ -1215,6 +1216,7 @@ WITH acl_expanded AS ( WHERE n.nspname = $1 ) SELECT + pg_get_userbyid(a.defaclrole) AS owner_role, CASE a.defaclobjtype WHEN 'r' THEN 'TABLES' WHEN 'S' THEN 'SEQUENCES' @@ -1227,7 +1229,7 @@ SELECT a.is_grantable FROM acl_expanded a LEFT JOIN pg_roles r ON a.grantee_oid = r.oid -ORDER BY object_type, grantee, privilege_type; +ORDER BY owner_role, object_type, grantee, privilege_type; -- GetPrivilegesForSchema retrieves explicit privilege grants for objects in a specific schema -- name: GetPrivilegesForSchema :many diff --git a/ir/queries/queries.sql.go b/ir/queries/queries.sql.go index 1d6a6e52..391001df 100644 --- a/ir/queries/queries.sql.go +++ b/ir/queries/queries.sql.go 
@@ -912,6 +912,7 @@ func (q *Queries) GetConstraintsForSchema(ctx context.Context, dollar_1 sql.Null const getDefaultPrivilegesForSchema = `-- name: GetDefaultPrivilegesForSchema :many WITH acl_expanded AS ( SELECT + d.defaclrole, d.defaclobjtype, (aclexplode(d.defaclacl)).grantee AS grantee_oid, (aclexplode(d.defaclacl)).privilege_type AS privilege_type, @@ -921,6 +922,7 @@ WITH acl_expanded AS ( WHERE n.nspname = $1 ) SELECT + pg_get_userbyid(a.defaclrole) AS owner_role, CASE a.defaclobjtype WHEN 'r' THEN 'TABLES' WHEN 'S' THEN 'SEQUENCES' @@ -933,10 +935,11 @@ SELECT a.is_grantable FROM acl_expanded a LEFT JOIN pg_roles r ON a.grantee_oid = r.oid -ORDER BY object_type, grantee, privilege_type +ORDER BY owner_role, object_type, grantee, privilege_type ` type GetDefaultPrivilegesForSchemaRow struct { + OwnerRole sql.NullString `db:"owner_role" json:"owner_role"` ObjectType sql.NullString `db:"object_type" json:"object_type"` Grantee sql.NullString `db:"grantee" json:"grantee"` PrivilegeType sql.NullString `db:"privilege_type" json:"privilege_type"` @@ -954,6 +957,7 @@ func (q *Queries) GetDefaultPrivilegesForSchema(ctx context.Context, dollar_1 sq for rows.Next() { var i GetDefaultPrivilegesForSchemaRow if err := rows.Scan( + &i.OwnerRole, &i.ObjectType, &i.Grantee, &i.PrivilegeType, diff --git a/testdata/diff/default_privilege/add_function_privilege/diff.sql b/testdata/diff/default_privilege/add_function_privilege/diff.sql index dc2c716d..84696bd2 100644 --- a/testdata/diff/default_privilege/add_function_privilege/diff.sql +++ b/testdata/diff/default_privilege/add_function_privilege/diff.sql @@ -1 +1 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO api_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO api_user; 
diff --git a/testdata/diff/default_privilege/add_privilege_with_grant_option/diff.sql b/testdata/diff/default_privilege/add_privilege_with_grant_option/diff.sql index e505eaca..4746a0af 100644 --- a/testdata/diff/default_privilege/add_privilege_with_grant_option/diff.sql +++ b/testdata/diff/default_privilege/add_privilege_with_grant_option/diff.sql @@ -1 +1 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, SELECT ON TABLES TO admin_user WITH GRANT OPTION; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, SELECT ON TABLES TO admin_user WITH GRANT OPTION; diff --git a/testdata/diff/default_privilege/add_sequence_privilege/diff.sql b/testdata/diff/default_privilege/add_sequence_privilege/diff.sql index 22f2a565..9c37a82b 100644 --- a/testdata/diff/default_privilege/add_sequence_privilege/diff.sql +++ b/testdata/diff/default_privilege/add_sequence_privilege/diff.sql @@ -1 +1 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, USAGE ON SEQUENCES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT, USAGE ON SEQUENCES TO app_user; diff --git a/testdata/diff/default_privilege/add_table_privilege/diff.sql b/testdata/diff/default_privilege/add_table_privilege/diff.sql index ea1cc979..edc6c324 100644 --- a/testdata/diff/default_privilege/add_table_privilege/diff.sql +++ b/testdata/diff/default_privilege/add_table_privilege/diff.sql @@ -1,3 +1,3 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO PUBLIC; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT ON TABLES TO PUBLIC; -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; diff --git a/testdata/diff/default_privilege/add_type_privilege/diff.sql b/testdata/diff/default_privilege/add_type_privilege/diff.sql index 6d2068f5..3183698d 100644 
--- a/testdata/diff/default_privilege/add_type_privilege/diff.sql +++ b/testdata/diff/default_privilege/add_type_privilege/diff.sql @@ -1 +1 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON TYPES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT USAGE ON TYPES TO app_user; diff --git a/testdata/diff/default_privilege/alter_privilege/diff.sql b/testdata/diff/default_privilege/alter_privilege/diff.sql index 652a2626..6f407259 100644 --- a/testdata/diff/default_privilege/alter_privilege/diff.sql +++ b/testdata/diff/default_privilege/alter_privilege/diff.sql @@ -1,3 +1,3 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE USAGE ON SEQUENCES FROM app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public REVOKE USAGE ON SEQUENCES FROM app_user; -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; diff --git a/testdata/diff/default_privilege/alter_privilege_and_grant_option/diff.sql b/testdata/diff/default_privilege/alter_privilege_and_grant_option/diff.sql index 2dc364c1..858cc4b1 100644 --- a/testdata/diff/default_privilege/alter_privilege_and_grant_option/diff.sql +++ b/testdata/diff/default_privilege/alter_privilege_and_grant_option/diff.sql @@ -1,5 +1,5 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user WITH GRANT OPTION; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user WITH GRANT OPTION; -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public REVOKE SELECT ON TABLES FROM app_user; -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO app_user WITH GRANT OPTION; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT ON TABLES TO app_user WITH GRANT OPTION; 
diff --git a/testdata/diff/default_privilege/drop_privilege/diff.sql b/testdata/diff/default_privilege/drop_privilege/diff.sql index e843a2b9..054e4b79 100644 --- a/testdata/diff/default_privilege/drop_privilege/diff.sql +++ b/testdata/diff/default_privilege/drop_privilege/diff.sql @@ -1,3 +1,3 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE DELETE, INSERT, UPDATE ON TABLES FROM app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE test_admin IN SCHEMA public REVOKE DELETE, INSERT, UPDATE ON TABLES FROM app_user; -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM readonly_user; +ALTER DEFAULT PRIVILEGES FOR ROLE test_admin IN SCHEMA public REVOKE SELECT ON TABLES FROM readonly_user; diff --git a/testdata/diff/default_privilege/drop_privilege/new.sql b/testdata/diff/default_privilege/drop_privilege/new.sql index 11e96983..fdc4c118 100644 --- a/testdata/diff/default_privilege/drop_privilege/new.sql +++ b/testdata/diff/default_privilege/drop_privilege/new.sql @@ -1,6 +1,9 @@ -- Create roles for testing DO $$ BEGIN + IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'test_admin') THEN + CREATE ROLE test_admin; + END IF; IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'readonly_user') THEN CREATE ROLE readonly_user; END IF; @@ -9,4 +12,10 @@ BEGIN END IF; END $$; +-- Grant membership so current user can set role (works with both testuser and postgres) +DO $$ +BEGIN + EXECUTE format('GRANT test_admin TO %I', current_user); +END $$; + -- Remove all default privileges diff --git a/testdata/diff/default_privilege/drop_privilege/old.sql b/testdata/diff/default_privilege/drop_privilege/old.sql index a122e565..891755e9 100644 --- a/testdata/diff/default_privilege/drop_privilege/old.sql +++ b/testdata/diff/default_privilege/drop_privilege/old.sql 
@@ -1,6 +1,9 @@ -- Create roles for testing DO $$ BEGIN + IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'test_admin') THEN + CREATE ROLE test_admin; + END IF; IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'readonly_user') THEN CREATE ROLE readonly_user; END IF; @@ -9,6 +12,14 @@ BEGIN END IF; END $$; --- Default privileges configured +-- Grant membership so current user can set role (works with both testuser and postgres) +DO $$ +BEGIN + EXECUTE format('GRANT test_admin TO %I', current_user); +END $$; + +-- Create default privileges AS test_admin (cross-role scenario) +SET ROLE test_admin; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly_user; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE, DELETE ON TABLES TO app_user; +RESET ROLE; From 078219eac783beee8e4073a15bda0bb4aaba11cd Mon Sep 17 00:00:00 2001 
From: Azim Sonawalla Date: Sun, 11 Jan 2026 22:51:09 -0500 Subject: [PATCH 2/3] fix: update integration test expectations for FOR ROLE clause The integration tests (TestPlanAndApply) use plan.sql, plan.txt, and plan.json files as expected output, not the diff.sql files used by unit tests. This updates all default_privilege integration test expectations to include FOR ROLE in the generated DDL. Co-Authored-By: Claude Opus 4.5 --- .../add_function_privilege/plan.json | 4 ++-- .../add_function_privilege/plan.sql | 2 +- .../add_function_privilege/plan.txt | 2 +- .../add_privilege_with_grant_option/plan.json | 4 ++-- .../add_privilege_with_grant_option/plan.sql | 2 +- .../add_privilege_with_grant_option/plan.txt | 2 +- .../add_sequence_privilege/plan.json | 4 ++-- .../add_sequence_privilege/plan.sql | 2 +- .../add_sequence_privilege/plan.txt | 2 +- .../default_privilege/add_table_privilege/plan.json | 8 ++++---- .../default_privilege/add_table_privilege/plan.sql | 4 ++-- .../default_privilege/add_table_privilege/plan.txt | 4 ++-- .../default_privilege/add_type_privilege/plan.json | 4 ++-- .../default_privilege/add_type_privilege/plan.sql | 2 +- .../default_privilege/add_type_privilege/plan.txt | 2 +- .../diff/default_privilege/alter_privilege/plan.json | 8 ++++---- .../diff/default_privilege/alter_privilege/plan.sql | 4 ++-- .../diff/default_privilege/alter_privilege/plan.txt | 4 ++-- .../alter_privilege_and_grant_option/plan.json | 12 ++++++------ .../alter_privilege_and_grant_option/plan.sql | 6 +++--- .../alter_privilege_and_grant_option/plan.txt | 6 +++--- .../diff/default_privilege/drop_privilege/plan.json | 8 ++++---- .../diff/default_privilege/drop_privilege/plan.sql | 4 ++-- .../diff/default_privilege/drop_privilege/plan.txt | 4 ++-- 24 files changed, 52 insertions(+), 52 deletions(-) diff --git a/testdata/diff/default_privilege/add_function_privilege/plan.json b/testdata/diff/default_privilege/add_function_privilege/plan.json index 710dbf7f..b3d0a756 100644 
--- a/testdata/diff/default_privilege/add_function_privilege/plan.json +++ b/testdata/diff/default_privilege/add_function_privilege/plan.json @@ -9,10 +9,10 @@ { "steps": [ { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO api_user;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO api_user;", "type": "default_privilege", "operation": "create", - "path": "default_privileges.FUNCTIONS.api_user" + "path": "default_privileges.testuser.FUNCTIONS.api_user" } ] } diff --git a/testdata/diff/default_privilege/add_function_privilege/plan.sql b/testdata/diff/default_privilege/add_function_privilege/plan.sql index dc2c716d..84696bd2 100644 --- a/testdata/diff/default_privilege/add_function_privilege/plan.sql +++ b/testdata/diff/default_privilege/add_function_privilege/plan.sql @@ -1 +1 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO api_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO api_user; diff --git a/testdata/diff/default_privilege/add_function_privilege/plan.txt b/testdata/diff/default_privilege/add_function_privilege/plan.txt index df3c1817..238ac034 100644 --- a/testdata/diff/default_privilege/add_function_privilege/plan.txt +++ b/testdata/diff/default_privilege/add_function_privilege/plan.txt @@ -9,4 +9,4 @@ Default privileges: DDL to be executed: -------------------------------------------------- -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO api_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO api_user; diff --git a/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.json b/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.json index b2058e24..c5a22fbe 100644 --- a/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.json 
+++ b/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.json @@ -9,10 +9,10 @@ { "steps": [ { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, SELECT ON TABLES TO admin_user WITH GRANT OPTION;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, SELECT ON TABLES TO admin_user WITH GRANT OPTION;", "type": "default_privilege", "operation": "create", - "path": "default_privileges.TABLES.admin_user" + "path": "default_privileges.testuser.TABLES.admin_user" } ] } diff --git a/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.sql b/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.sql index e505eaca..4746a0af 100644 --- a/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.sql +++ b/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.sql @@ -1 +1 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, SELECT ON TABLES TO admin_user WITH GRANT OPTION; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, SELECT ON TABLES TO admin_user WITH GRANT OPTION; diff --git a/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.txt b/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.txt index 2d711324..56b77ac4 100644 --- a/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.txt +++ b/testdata/diff/default_privilege/add_privilege_with_grant_option/plan.txt @@ -9,4 +9,4 @@ Default privileges: DDL to be executed: -------------------------------------------------- -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, SELECT ON TABLES TO admin_user WITH GRANT OPTION; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, SELECT ON TABLES TO admin_user WITH GRANT OPTION; diff --git a/testdata/diff/default_privilege/add_sequence_privilege/plan.json b/testdata/diff/default_privilege/add_sequence_privilege/plan.json index 549f9b23..d15a64de 100644 
--- a/testdata/diff/default_privilege/add_sequence_privilege/plan.json +++ b/testdata/diff/default_privilege/add_sequence_privilege/plan.json @@ -9,10 +9,10 @@ { "steps": [ { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, USAGE ON SEQUENCES TO app_user;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT, USAGE ON SEQUENCES TO app_user;", "type": "default_privilege", "operation": "create", - "path": "default_privileges.SEQUENCES.app_user" + "path": "default_privileges.testuser.SEQUENCES.app_user" } ] } diff --git a/testdata/diff/default_privilege/add_sequence_privilege/plan.sql b/testdata/diff/default_privilege/add_sequence_privilege/plan.sql index 22f2a565..9c37a82b 100644 --- a/testdata/diff/default_privilege/add_sequence_privilege/plan.sql +++ b/testdata/diff/default_privilege/add_sequence_privilege/plan.sql @@ -1 +1 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, USAGE ON SEQUENCES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT, USAGE ON SEQUENCES TO app_user; diff --git a/testdata/diff/default_privilege/add_sequence_privilege/plan.txt b/testdata/diff/default_privilege/add_sequence_privilege/plan.txt index 60293988..dc831c68 100644 --- a/testdata/diff/default_privilege/add_sequence_privilege/plan.txt +++ b/testdata/diff/default_privilege/add_sequence_privilege/plan.txt @@ -9,4 +9,4 @@ Default privileges: DDL to be executed: -------------------------------------------------- -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, USAGE ON SEQUENCES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT, USAGE ON SEQUENCES TO app_user; diff --git a/testdata/diff/default_privilege/add_table_privilege/plan.json b/testdata/diff/default_privilege/add_table_privilege/plan.json index 54839831..54681b41 100644 --- a/testdata/diff/default_privilege/add_table_privilege/plan.json 
+++ b/testdata/diff/default_privilege/add_table_privilege/plan.json @@ -9,16 +9,16 @@ { "steps": [ { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO PUBLIC;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT ON TABLES TO PUBLIC;", "type": "default_privilege", "operation": "create", - "path": "default_privileges.TABLES.PUBLIC" + "path": "default_privileges.testuser.TABLES.PUBLIC" }, { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user;", "type": "default_privilege", "operation": "create", - "path": "default_privileges.TABLES.app_user" + "path": "default_privileges.testuser.TABLES.app_user" } ] } diff --git a/testdata/diff/default_privilege/add_table_privilege/plan.sql b/testdata/diff/default_privilege/add_table_privilege/plan.sql index ea1cc979..edc6c324 100644 --- a/testdata/diff/default_privilege/add_table_privilege/plan.sql +++ b/testdata/diff/default_privilege/add_table_privilege/plan.sql @@ -1,3 +1,3 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO PUBLIC; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT ON TABLES TO PUBLIC; -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; diff --git a/testdata/diff/default_privilege/add_table_privilege/plan.txt b/testdata/diff/default_privilege/add_table_privilege/plan.txt index ebc05f17..37c672b1 100644 --- a/testdata/diff/default_privilege/add_table_privilege/plan.txt +++ b/testdata/diff/default_privilege/add_table_privilege/plan.txt 
@@ -10,6 +10,6 @@ Default privileges: DDL to be executed: -------------------------------------------------- -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO PUBLIC; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT ON TABLES TO PUBLIC; -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; diff --git a/testdata/diff/default_privilege/add_type_privilege/plan.json b/testdata/diff/default_privilege/add_type_privilege/plan.json index a387171a..8744bdfe 100644 --- a/testdata/diff/default_privilege/add_type_privilege/plan.json +++ b/testdata/diff/default_privilege/add_type_privilege/plan.json @@ -9,10 +9,10 @@ { "steps": [ { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON TYPES TO app_user;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT USAGE ON TYPES TO app_user;", "type": "default_privilege", "operation": "create", - "path": "default_privileges.TYPES.app_user" + "path": "default_privileges.testuser.TYPES.app_user" } ] } diff --git a/testdata/diff/default_privilege/add_type_privilege/plan.sql b/testdata/diff/default_privilege/add_type_privilege/plan.sql index 6d2068f5..3183698d 100644 --- a/testdata/diff/default_privilege/add_type_privilege/plan.sql +++ b/testdata/diff/default_privilege/add_type_privilege/plan.sql @@ -1 +1 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON TYPES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT USAGE ON TYPES TO app_user; diff --git a/testdata/diff/default_privilege/add_type_privilege/plan.txt b/testdata/diff/default_privilege/add_type_privilege/plan.txt index 6badcaec..6e578022 100644 --- a/testdata/diff/default_privilege/add_type_privilege/plan.txt +++ b/testdata/diff/default_privilege/add_type_privilege/plan.txt 
@@ -9,4 +9,4 @@ Default privileges: DDL to be executed: -------------------------------------------------- -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON TYPES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT USAGE ON TYPES TO app_user; diff --git a/testdata/diff/default_privilege/alter_privilege/plan.json b/testdata/diff/default_privilege/alter_privilege/plan.json index 2e0cc4a2..370aeb40 100644 --- a/testdata/diff/default_privilege/alter_privilege/plan.json +++ b/testdata/diff/default_privilege/alter_privilege/plan.json @@ -9,16 +9,16 @@ { "steps": [ { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE USAGE ON SEQUENCES FROM app_user;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public REVOKE USAGE ON SEQUENCES FROM app_user;", "type": "default_privilege", "operation": "drop", - "path": "default_privileges.SEQUENCES.app_user" + "path": "default_privileges.testuser.SEQUENCES.app_user" }, { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user;", "type": "default_privilege", "operation": "alter", - "path": "default_privileges.TABLES.app_user" + "path": "default_privileges.testuser.TABLES.app_user" } ] } diff --git a/testdata/diff/default_privilege/alter_privilege/plan.sql b/testdata/diff/default_privilege/alter_privilege/plan.sql index 652a2626..6f407259 100644 --- a/testdata/diff/default_privilege/alter_privilege/plan.sql +++ b/testdata/diff/default_privilege/alter_privilege/plan.sql 
@@ -1,3 +1,3 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE USAGE ON SEQUENCES FROM app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public REVOKE USAGE ON SEQUENCES FROM app_user; -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; diff --git a/testdata/diff/default_privilege/alter_privilege/plan.txt b/testdata/diff/default_privilege/alter_privilege/plan.txt index 3e476230..3b041fc0 100644 --- a/testdata/diff/default_privilege/alter_privilege/plan.txt +++ b/testdata/diff/default_privilege/alter_privilege/plan.txt @@ -10,6 +10,6 @@ Default privileges: DDL to be executed: -------------------------------------------------- -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE USAGE ON SEQUENCES FROM app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public REVOKE USAGE ON SEQUENCES FROM app_user; -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user; diff --git a/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.json b/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.json index 59542f77..38b7cae3 100644 --- a/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.json +++ b/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.json 
@@ -9,22 +9,22 @@ { "steps": [ { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user WITH GRANT OPTION;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user WITH GRANT OPTION;", "type": "default_privilege", "operation": "alter", - "path": "default_privileges.TABLES.app_user" + "path": "default_privileges.testuser.TABLES.app_user" }, { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM app_user;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public REVOKE SELECT ON TABLES FROM app_user;", "type": "default_privilege", "operation": "alter", - "path": "default_privileges.TABLES.app_user" + "path": "default_privileges.testuser.TABLES.app_user" }, { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO app_user WITH GRANT OPTION;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT ON TABLES TO app_user WITH GRANT OPTION;", "type": "default_privilege", "operation": "alter", - "path": "default_privileges.TABLES.app_user" + "path": "default_privileges.testuser.TABLES.app_user" } ] } diff --git a/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.sql b/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.sql index 2dc364c1..858cc4b1 100644 --- a/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.sql +++ b/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.sql 
@@ -1,5 +1,5 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user WITH GRANT OPTION; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user WITH GRANT OPTION; -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public REVOKE SELECT ON TABLES FROM app_user; -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO app_user WITH GRANT OPTION; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT ON TABLES TO app_user WITH GRANT OPTION; diff --git a/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.txt b/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.txt index 81e1cf6c..532ac8e0 100644 --- a/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.txt +++ b/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.txt @@ -11,8 +11,8 @@ Default privileges: DDL to be executed: -------------------------------------------------- -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user WITH GRANT OPTION; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT INSERT, UPDATE ON TABLES TO app_user WITH GRANT OPTION; -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public REVOKE SELECT ON TABLES FROM app_user; -ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO app_user WITH GRANT OPTION; +ALTER DEFAULT PRIVILEGES FOR ROLE testuser IN SCHEMA public GRANT SELECT ON TABLES TO app_user WITH GRANT OPTION; diff --git a/testdata/diff/default_privilege/drop_privilege/plan.json b/testdata/diff/default_privilege/drop_privilege/plan.json index b0c49e80..23736951 100644 --- a/testdata/diff/default_privilege/drop_privilege/plan.json 
+++ b/testdata/diff/default_privilege/drop_privilege/plan.json @@ -9,16 +9,16 @@ { "steps": [ { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE DELETE, INSERT, UPDATE ON TABLES FROM app_user;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE test_admin IN SCHEMA public REVOKE DELETE, INSERT, UPDATE ON TABLES FROM app_user;", "type": "default_privilege", "operation": "drop", - "path": "default_privileges.TABLES.app_user" + "path": "default_privileges.test_admin.TABLES.app_user" }, { - "sql": "ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM readonly_user;", + "sql": "ALTER DEFAULT PRIVILEGES FOR ROLE test_admin IN SCHEMA public REVOKE SELECT ON TABLES FROM readonly_user;", "type": "default_privilege", "operation": "drop", - "path": "default_privileges.TABLES.readonly_user" + "path": "default_privileges.test_admin.TABLES.readonly_user" } ] } diff --git a/testdata/diff/default_privilege/drop_privilege/plan.sql b/testdata/diff/default_privilege/drop_privilege/plan.sql index e843a2b9..054e4b79 100644 --- a/testdata/diff/default_privilege/drop_privilege/plan.sql +++ b/testdata/diff/default_privilege/drop_privilege/plan.sql @@ -1,3 +1,3 @@ -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE DELETE, INSERT, UPDATE ON TABLES FROM app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE test_admin IN SCHEMA public REVOKE DELETE, INSERT, UPDATE ON TABLES FROM app_user; -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM readonly_user; +ALTER DEFAULT PRIVILEGES FOR ROLE test_admin IN SCHEMA public REVOKE SELECT ON TABLES FROM readonly_user; diff --git a/testdata/diff/default_privilege/drop_privilege/plan.txt b/testdata/diff/default_privilege/drop_privilege/plan.txt index d1a66234..e2dd4155 100644 --- a/testdata/diff/default_privilege/drop_privilege/plan.txt +++ b/testdata/diff/default_privilege/drop_privilege/plan.txt 
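Review bot: The cross-role case is pinned only for REVOKE: the drop_privilege fixtures (plan.json, plan.sql, plan.txt) carry `FOR ROLE test_admin`, while every GRANT fixture in this patch (add_*, alter_*) expects `FOR ROLE testuser`, which looks like the connecting role. A GRANT case whose defaults are owned by a second role would cover the same fix on the create and alter paths. Both role names are plain lowercase identifiers, so nothing exercises quoting of the owner role in the statement or in the dot-joined `path` value (`default_privileges.test_admin.TABLES.app_user`), where a role name containing a dot would presumably be ambiguous. The fixture or docs should also note that PostgreSQL accepts `FOR ROLE x` only when the executing role is a member of `x` or a superuser, so a plan like this one fails at apply time for a runner without that membership.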
@@ -10,6 +10,6 @@ Default privileges: DDL to be executed: -------------------------------------------------- -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE DELETE, INSERT, UPDATE ON TABLES FROM app_user; +ALTER DEFAULT PRIVILEGES FOR ROLE test_admin IN SCHEMA public REVOKE DELETE, INSERT, UPDATE ON TABLES FROM app_user; -ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM readonly_user; +ALTER DEFAULT PRIVILEGES FOR ROLE test_admin IN SCHEMA public REVOKE SELECT ON TABLES FROM readonly_user; From e09a277a6f949e707350aa8389d0bc75ace30a83 Mon Sep 17 00:00:00 2001 From: Azim Sonawalla Date: Sun, 11 Jan 2026 23:08:10 -0500 Subject: [PATCH 3/3] run TestPlanAndApply -generate --- testdata/diff/default_privilege/alter_privilege/plan.json | 2 +- .../alter_privilege_and_grant_option/plan.json | 2 +- testdata/diff/default_privilege/drop_privilege/plan.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/testdata/diff/default_privilege/alter_privilege/plan.json b/testdata/diff/default_privilege/alter_privilege/plan.json index 370aeb40..b0561e78 100644 --- a/testdata/diff/default_privilege/alter_privilege/plan.json +++ b/testdata/diff/default_privilege/alter_privilege/plan.json @@ -3,7 +3,7 @@ "pgschema_version": "1.6.0", "created_at": "1970-01-01T00:00:00Z", "source_fingerprint": { - "hash": "b20bb5302b7aedc8845129aab4ae49580d1b782b598c728ef14fb40cbbe086d2" + "hash": "e8f50b636ad809e723b6c4911b9af2cc6a9b55b2f63ef598aeeee7ba4dcc7167" }, "groups": [ { diff --git a/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.json b/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.json index 38b7cae3..5f6b1a31 100644 --- a/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.json +++ b/testdata/diff/default_privilege/alter_privilege_and_grant_option/plan.json 
@@ -3,7 +3,7 @@ "pgschema_version": "1.6.0", "created_at": "1970-01-01T00:00:00Z", "source_fingerprint": { - "hash": "322eb4edb321a94ee411ad523ff4c646892bd226d9d35fc08402de56707f127f" + "hash": "eecde391d3d75636f96f2f70fea8e5deb5804fd90aaa1c04be028b573c7ca11b" }, "groups": [ { diff --git a/testdata/diff/default_privilege/drop_privilege/plan.json b/testdata/diff/default_privilege/drop_privilege/plan.json index 23736951..ecf30174 100644 --- a/testdata/diff/default_privilege/drop_privilege/plan.json +++ b/testdata/diff/default_privilege/drop_privilege/plan.json @@ -3,7 +3,7 @@ "pgschema_version": "1.6.0", "created_at": "1970-01-01T00:00:00Z", "source_fingerprint": { - "hash": "b021448244eec7bd9b054c089ed49d612e39fe7517c356b0c220136059a36043" + "hash": "70ccd3a27b733e69da2235e2c444cd4c6b327eb2e75b4df82d4b8096f7b79194" }, "groups": [ {