feat(documentdb): Grant permissions on DocumentDB schemas to app owner

P-Louw · P-Louw · commit 0f6d22cae013 · 2025-11-04T22:48:39.000+01:00
This adds comprehensive permission grants to the DocumentDB extension schemas (documentdb_api, documentdb_core, documentdb_api_catalog, documentdb_api_internal, documentdb_data) for the
 app owner during bootstrap initialization.

Signed-off-by: P-Louw &lt;pfwlouw@gmail.com&gt;
diff --git a/charts/cluster/templates/_bootstrap.tpl b/charts/cluster/templates/_bootstrap.tpl
@@ -20,8 +20,36 @@ bootstrap:
       {{- else if eq .Values.type "timescaledb" }}
       - CREATE EXTENSION IF NOT EXISTS timescaledb;
       {{- else if eq .Values.type "documentdb" }}
+      {{- $owner := .Values.cluster.initdb.owner | default .Values.cluster.initdb.database | default "app" }}
       - CREATE EXTENSION IF NOT EXISTS pg_cron CASCADE;
       - CREATE EXTENSION IF NOT EXISTS documentdb CASCADE;
+      - GRANT documentdb_admin_role TO {{ $owner }};
+      - GRANT USAGE ON SCHEMA documentdb_api TO {{ $owner }};
+      - GRANT USAGE ON SCHEMA documentdb_core TO {{ $owner }};
+      - GRANT USAGE ON SCHEMA documentdb_api_catalog TO {{ $owner }};
+      - GRANT USAGE ON SCHEMA documentdb_api_internal TO {{ $owner }};
+      - GRANT USAGE ON SCHEMA documentdb_data TO {{ $owner }};
+      - GRANT ALL ON ALL TABLES IN SCHEMA documentdb_api TO {{ $owner }};
+      - GRANT ALL ON ALL SEQUENCES IN SCHEMA documentdb_api TO {{ $owner }};
+      - GRANT ALL ON ALL TABLES IN SCHEMA documentdb_core TO {{ $owner }};
+      - GRANT ALL ON ALL SEQUENCES IN SCHEMA documentdb_core TO {{ $owner }};
+      - GRANT ALL ON ALL TABLES IN SCHEMA documentdb_api_catalog TO {{ $owner }};
+      - GRANT ALL ON ALL SEQUENCES IN SCHEMA documentdb_api_catalog TO {{ $owner }};
+      - GRANT ALL ON ALL TABLES IN SCHEMA documentdb_api_internal TO {{ $owner }};
+      - GRANT ALL ON ALL SEQUENCES IN SCHEMA documentdb_api_internal TO {{ $owner }};
+      - GRANT ALL ON ALL TABLES IN SCHEMA documentdb_data TO {{ $owner }};
+      - GRANT ALL ON ALL SEQUENCES IN SCHEMA documentdb_data TO {{ $owner }};
+      - GRANT CREATE ON SCHEMA documentdb_data TO {{ $owner }};
+      - ALTER DEFAULT PRIVILEGES IN SCHEMA documentdb_api GRANT ALL ON TABLES TO {{ $owner }};
+      - ALTER DEFAULT PRIVILEGES IN SCHEMA documentdb_api GRANT ALL ON SEQUENCES TO {{ $owner }};
+      - ALTER DEFAULT PRIVILEGES IN SCHEMA documentdb_core GRANT ALL ON TABLES TO {{ $owner }};
+      - ALTER DEFAULT PRIVILEGES IN SCHEMA documentdb_core GRANT ALL ON SEQUENCES TO {{ $owner }};
+      - ALTER DEFAULT PRIVILEGES IN SCHEMA documentdb_api_catalog GRANT ALL ON TABLES TO {{ $owner }};
+      - ALTER DEFAULT PRIVILEGES IN SCHEMA documentdb_api_catalog GRANT ALL ON SEQUENCES TO {{ $owner }};
+      - ALTER DEFAULT PRIVILEGES IN SCHEMA documentdb_api_internal GRANT ALL ON TABLES TO {{ $owner }};
+      - ALTER DEFAULT PRIVILEGES IN SCHEMA documentdb_api_internal GRANT ALL ON SEQUENCES TO {{ $owner }};
+      - ALTER DEFAULT PRIVILEGES IN SCHEMA documentdb_data GRANT ALL ON TABLES TO {{ $owner }};
+      - ALTER DEFAULT PRIVILEGES IN SCHEMA documentdb_data GRANT ALL ON SEQUENCES TO {{ $owner }};
       {{- end }}
       {{- with .Values.cluster.initdb }}
           {{- range .postInitApplicationSQL }}
