
feat(postgresql): support WITH INHERIT FALSE on role membership grants (PostgreSQL 16+)#1

Open: matthewgreenwaldagility wants to merge 3 commits into master from feat/psql-inheritance

Conversation

@matthewgreenwaldagility (Owner)

Closes crossplane-contrib#359

What this does

Adds a withInherit boolean field to spec.forProvider on the PostgreSQL Grant resource, enabling WITH INHERIT FALSE on role membership grants — a feature introduced in PostgreSQL 16.

```yaml
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Grant
spec:
  forProvider:
    withInherit: false   # emits: GRANT admin TO master_user WITH INHERIT FALSE
    roleRef:
      name: master-user
    memberOfRef:
      name: admin-role
```

When withInherit is omitted, behaviour is unchanged. When combined with withOption: ADMIN, the emitted SQL is WITH ADMIN OPTION, INHERIT FALSE.

The field is only valid on memberOf grants — setting it on a privilege grant (privileges field) returns a validation error.

Motivation

The primary use case is RDS PostgreSQL with IAM database authentication. Without this field, granting a master user membership in an admin role that holds rds_iam creates a transitive chain (master_user → admin → rds_iam), which causes RDS to route all connections for that user through PAM/IAM token verification, breaking password authentication. WITH INHERIT FALSE grants membership (satisfying ALTER DEFAULT PRIVILEGES FOR ROLE admin) without inheriting rds_iam.

Changes

| File | Change |
| --- | --- |
| `apis/cluster/postgresql/v1alpha1/grant_types.go` | Add `WithInherit *bool` field to `GrantParameters` |
| `apis/cluster/postgresql/v1alpha1/zz_generated.deepcopy.go` | Regenerated |
| `package/crds/postgresql.sql.crossplane.io_grants.yaml` | Regenerated; CRD schema updated |
| `pkg/controller/cluster/postgresql/grant/reconciler.go` | New `membershipWithClauses` helper; `selectGrantQuery` filters `pg_auth_members.inherit_option` when set; `createGrantQueries` uses the new helper; validation rejects `withInherit` on privilege grants |
| `pkg/controller/cluster/postgresql/grant/reconciler_test.go` | 7 new test cases covering `WithInherit` nil/true/false for both Observe and Create |
| `examples/cluster/postgresql/grant-with-inherit-false.yaml` | New example illustrating the RDS IAM pattern |
| `Makefile` | Bump `GOLANGCILINT_VERSION` from 2.1.22.10.1 to match CI and support Go 1.26 |
| `README.md` | Fix stale Go version (1.18→1.26.1), add mise recommendation, fix copy-paste "Developing locally" section (was provider-helm content), add Schema to PostgreSQL resource list, fix example paths |

Testing

make reviewable passes (generate + lint + all 26 test packages).

The inherit_option column on pg_auth_members was added in PostgreSQL 16. Setting withInherit on an older cluster will result in a SQL error, which is the expected and documented behaviour.

Signed-off-by: Matthew Greenwald <matthew.greenwald@agilityrobotics.com>
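The clause composition and the Observe-side check the PR describes (no clause when `withInherit` is omitted, `WITH INHERIT FALSE` on its own, `WITH ADMIN OPTION, INHERIT FALSE` when combined with `withOption: ADMIN`, a validation error on privilege grants, and an `inherit_option` predicate that only appears when the field is set), reconstructed in Go as an added example. This is not provider-sql's code: the type and function names (`GrantParameters`, `membershipWithClauses`, `createGrantQuery`, `selectGrantQuery`) follow the PR text, but their bodies, the `quoteIdentifier` helper, the `admin_option` predicate in the existence check and the `"ADMIN"` spelling of `WithOption` are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// GrantParameters is this example's stand-in for the subset of spec.forProvider
// a membership grant uses (an assumption, not the real CRD type). Role and
// MemberOf are already-resolved PostgreSQL role names; roleRef/memberOfRef
// resolution is out of scope here.
type GrantParameters struct {
	Role        string
	MemberOf    string   // membership grant target; empty for privilege grants
	Privileges  []string // privilege grant; empty for membership grants
	WithOption  string   // "" or "ADMIN" (assumed spelling of the CRD enum)
	WithInherit *bool    // nil means omitted: no INHERIT clause, server default applies
}

var errWithInheritOnPrivilegeGrant = errors.New("withInherit is only valid on memberOf grants")

// quoteIdentifier quotes an identifier the way pq.QuoteIdentifier does, so a
// role name taken from a CRD cannot break out of the statement.
func quoteIdentifier(s string) string {
	return `"` + strings.ReplaceAll(s, `"`, `""`) + `"`
}

// validate mirrors the check the PR adds: withInherit has no meaning on a
// privilege grant and is rejected before any SQL is built.
func validate(p GrantParameters) error {
	if p.Role == "" {
		return errors.New("role is required")
	}
	if len(p.Privileges) > 0 && p.WithInherit != nil {
		return errWithInheritOnPrivilegeGrant
	}
	if p.MemberOf == "" {
		return errors.New("this example only builds memberOf grants")
	}
	return nil
}

// membershipWithClauses assembles the WITH clause. PostgreSQL 16 accepts a
// comma-separated list of role options, so ADMIN OPTION and INHERIT FALSE
// combine into one clause; with nothing set the clause is empty and the
// emitted SQL is unchanged from before.
func membershipWithClauses(p GrantParameters) string {
	var clauses []string
	if strings.EqualFold(p.WithOption, "ADMIN") {
		clauses = append(clauses, "ADMIN OPTION")
	}
	if p.WithInherit != nil {
		clauses = append(clauses, "INHERIT "+strings.ToUpper(fmt.Sprint(*p.WithInherit)))
	}
	if len(clauses) == 0 {
		return ""
	}
	return " WITH " + strings.Join(clauses, ", ")
}

// createGrantQuery builds the GRANT statement the reconciler would run on Create.
func createGrantQuery(p GrantParameters) (string, error) {
	if err := validate(p); err != nil {
		return "", err
	}
	return fmt.Sprintf("GRANT %s TO %s%s",
		quoteIdentifier(p.MemberOf), quoteIdentifier(p.Role), membershipWithClauses(p)), nil
}

// selectGrantQuery builds the Observe-side existence check. The inherit_option
// predicate is appended only when withInherit is set: that column exists from
// PostgreSQL 16 on, so on an older server a spec that sets withInherit makes
// this query fail with an undefined-column error instead of silently reporting
// the grant as present.
func selectGrantQuery(p GrantParameters) (string, []interface{}, error) {
	if err := validate(p); err != nil {
		return "", nil, err
	}
	q := "SELECT EXISTS(SELECT 1 FROM pg_auth_members m" +
		" JOIN pg_roles r ON m.member = r.oid" +
		" JOIN pg_roles mo ON m.roleid = mo.oid" +
		" WHERE r.rolname = $1 AND mo.rolname = $2 AND m.admin_option = $3"
	args := []interface{}{p.Role, p.MemberOf, strings.EqualFold(p.WithOption, "ADMIN")}
	if p.WithInherit != nil {
		q += " AND m.inherit_option = $4"
		args = append(args, *p.WithInherit)
	}
	return q + ")", args, nil
}

func main() {
	f := false
	for _, p := range []GrantParameters{
		{Role: "master_user", MemberOf: "admin"},
		{Role: "master_user", MemberOf: "admin", WithInherit: &f},
		{Role: "master_user", MemberOf: "admin", WithOption: "ADMIN", WithInherit: &f},
	} {
		q, err := createGrantQuery(p)
		fmt.Println(q, err)
	}
	_, err := createGrantQuery(GrantParameters{Role: "app", Privileges: []string{"CONNECT"}, WithInherit: &f})
	fmt.Println("privilege grant with withInherit:", err)
}
```

Only the two role names reach the statement text, and both are quoted; the INHERIT value is derived from a Go bool, never from user-supplied text. Note that the version caveat the PR states applies on both sides: the same spec that makes Create emit `INHERIT FALSE` also makes Observe reference `inherit_option`, so a pre-16 server fails at Observe, before any GRANT is attempted.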
