Use role-based permissions for source-postgres

[radostyle]

Modify permissions query to add recursive lookup of role-based
permissions. This solves problems users are having with not being able
to list tables for postgres souces.

Fixes #10649

What

This solves problems users are having with not being able to list tables using the source-postgres connector.
The current implementation requires tables to be granted individually to a user.
Using roles is often a better way to manage permissions in postgres and should be supported.
This patch adds support for determining the tables a user has access to based on his role.

How

The accessible table are currently determined using a postgres query over the roles tables. This patch adds one more UNION condition to the existing query with a recursive role based query so that the roles work as expected by users.

Recommended reading order

1. airbyte-integrations/connectors/source-postgres/src/main/java/io/airbyte/integrations/source/postgres/PostgresSource.java

🚨 User Impact 🚨

When the user has created a postgres source and any target. The user then goes to create the connection. When listing the tables to sync under the Replication tab.

Pre-merge Checklist

Expand the relevant checklist and delete the others.

New Connector

Community member or Airbyter

• Community member? Grant edit access to maintainers (instructions)
• Secrets in the connector's spec are annotated with airbyte_secret
• Unit & integration tests added and passing. Community members, please provide proof of success locally e.g: screenshot or copy-paste unit, integration, and acceptance test output. To run acceptance tests for a Python connector, follow instructions in the README. For java connectors run ./gradlew :airbyte-integrations:connectors:<name>:integrationTest.
• Code reviews completed
• Documentation updated
  • Connector's README.md
  • Connector's bootstrap.md. See description and examples
  • docs/SUMMARY.md
  • docs/integrations/<source or destination>/<name>.md including changelog. See changelog example
  • docs/integrations/README.md
  • airbyte-integrations/builds.md
• PR name follows PR naming conventions

Airbyter

If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.

• Create a non-forked branch based on this PR and test the below items on it
• Build is successful
• If new credentials are required for use in CI, add them to GSM. Instructions.
• /test connector=connectors/<name> command is passing
• New Connector version released on Dockerhub by running the /publish command described here
• After the connector is published, connector added to connector index as described here
• Seed specs have been re-generated by building the platform and committing the changes to the seed spec files, as described here

Updating a connector

Community member or Airbyter

• Grant edit access to maintainers (instructions)
• Secrets in the connector's spec are annotated with airbyte_secret
• Unit & integration tests added and passing. Community members, please provide proof of success locally e.g: screenshot or copy-paste unit, integration, and acceptance test output. To run acceptance tests for a Python connector, follow instructions in the README. For java connectors run ./gradlew :airbyte-integrations:connectors:<name>:integrationTest.
• Code reviews completed
• Documentation updated
  • Connector's README.md
  • Connector's bootstrap.md. See description and examples
  • Changelog updated in docs/integrations/<source or destination>/<name>.md including changelog. See changelog example
• PR name follows PR naming conventions

Airbyter

If this is a community PR, the Airbyte engineer reviewing this PR is responsible for the below items.

• Create a non-forked branch based on this PR and test the below items on it
• Build is successful
• If new credentials are required for use in CI, add them to GSM. Instructions.
• /test connector=connectors/<name> command is passing
• New Connector version released on Dockerhub and connector version bumped by running the /publish command described here

Connector Generator

• Issue acceptance criteria met
• PR name follows PR naming conventions
• If adding a new generator, add it to the list of scaffold modules being tested
• The generator test modules (all connectors with -scaffold in their name) have been updated with the latest scaffold by running ./gradlew :airbyte-integrations:connector-templates:generator:testScaffoldTemplates then checking in your changes
• Documentation which references the generator is updated as needed

Tests

Unit

Put your unit tests output here.

Integration

Put your integration tests output here.

Acceptance

Put your acceptance tests output here.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[marcosmarxm]

Thanks for the contribution @radostyle, can you sign the CLA?

[marcosmarxm]

Waiting user to sign the CLA. @radostyle ping

[radostyle]

I just signed it, but it is not showing signed on the ticket.

…

On Tue, Apr 19, 2022, 1:40 PM Marcos Marx ***@***.***> wrote: Waiting user to sign the CLA. @radostyle <https://github.com/radostyle> ping — Reply to this email directly, view it on GitHub <#11938 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AABFCZIJYMB6VIW54LSNEELVF34X7ANCNFSM5TIEVMTQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[radostyle]

There was an issue with the email used for the commit, but I fixed it. It is showing signed now.

[tuliren]

Thank you for the contribution!

Would you mind adding some unit tests? One example is testUserDoesntHasPrivilegesToSelectTable in PostgresSourceTest.java. Ideally the tests should verify that:

• When the user has SELECT privilege on a table, getPrivilegesTableForCurrentUser will include that that table in the returned result.
• When the user has no SELECT privilege on a table, that table won't be included in the return result.

It's also fine though if you don't have bandwidth to work on the unit test.

[radostyle]

I included a unit test that tests the discovery logic. testUserDoesntHasPrivilegesToSelectTable seems to test that you can get the changes when you've already configured the table.

[tuliren]

Confirmed that this PR fixed the bug. Thanks a lot!

I will merge and publish a new version in a separate PR.

[tuliren]

/test connector=connectors/source-postgres

🕑 connectors/source-postgres https://github.com/airbytehq/airbyte/actions/runs/2288477548
✅ connectors/source-postgres https://github.com/airbytehq/airbyte/actions/runs/2288477548
No Python unittests run

[tuliren]

/test connector=connectors/source-postgres-strict-encrypt

🕑 connectors/source-postgres-strict-encrypt https://github.com/airbytehq/airbyte/actions/runs/2288477890
✅ connectors/source-postgres-strict-encrypt https://github.com/airbytehq/airbyte/actions/runs/2288477890
No Python unittests run