feat: column privileges

[soedirgo]

Add /column-privileges endpoint to list, grant, revoke column privileges.

Modified from information_schema.column_privileges. We try to be as close as possible to the view definition, obtained from:

select pg_get_viewdef('information_schema.column_privileges');              

The main differences are:

• we include column privileges for materialized views
  (reason for exclusion in information_schema.column_privileges:
  https://www.postgresql.org/message-id/9136.1502740844%40sss.pgh.pa.us)
• we query a.attrelid and a.attnum to generate column_id
• table_catalog is omitted
• table_schema -> relation_schema, table_name -> relation_name

Caveat: column privileges are intertwined with table privileges in that table privileges override column privileges. E.g. if we do:

grant all on mytable to myrole;                                             

Then myrole is granted privileges for ALL columns. Likewise, if we do:

grant all (id) on mytable to myrole;                                        
revoke all on mytable from myrole;                                          

Then the grant on the id column is revoked.

This is unlike how grants for schemas and tables interact, where you need privileges for BOTH the schema the table is in AND the table itself in order to access the table.

Example output:

Request:

GET /column-privileges

Response:

[
  {
    "column_id": "12345.1",
    "relation_schema": "public"
    "relation_name": "mytable",
    "column_name": "mycolumn",
    "privileges": [
      {
        "grantee": "postgres",
        "grantor": "postgres",
        "is_grantable": false,
        "privilege_type": "INSERT",
      },
      ...
    ],
  },
  ...
]

---

Request:

POST /column-privileges
[
  {
    "column_id": "11111.1",
    "grantee": "postgres",
    "privilege_type": "ALL"
  },
  {
    "column_id": "22222.2",
    "grantee": "postgres",
    "privilege_type": "ALL"
  }
]

Response:

[
  {
    "column_id": "11111.1",
    "relation_schema": "public"
    "relation_name": "t1",
    "column_name": "col",
    "privileges": [...]
  },
  {
    "column_id": "22222.2",
    "relation_schema": "public",
    "relation_name": "t2",
    "column_name": "col",
    "privileges": [...]
  }
]

---

Request:

DELETE /table-privileges
[
  {
    "column_id": "11111.1",
    "grantee": "postgres",
    "privilege_type": "ALL"
  },
  {
    "column_id": "22222.2",
    "grantee": "postgres",
    "privilege_type": "ALL"
  }
]

Response:

[
  {
    "column_id": "11111.1",
    "relation_schema": "public"
    "relation_name": "t1",
    "column_name": "col",
    "privileges": []
  },
  {
    "relation_id": "22222.2",
    "relation_schema": "public",
    "relation_name": "t2",
    "column_name": "col",
    "privileges": []
  }
]