Fix Lakebase schema permissions with custom schema patching #187
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Create 'metamcp_app' schema owned by service principal to avoid permission errors when creating database types and enums. The CAN_CONNECT_AND_CREATE permission doesn't allow type creation in the public schema. Changes: - Add ensureCustomSchema() to create metamcp_app schema before migrations - Configure PGOPTIONS to set search_path for both migrations and runtime - Import pg client from workspace node_modules for schema setup 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Use createRequire to properly import CommonJS pg module from ESM context. The previous dynamic import failed because pg doesn't have a default export. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Changed lakebase_database_name from 'metamcp_app' to 'postgres' to use the default Lakebase database. The 'metamcp_app' schema will be created by ensureCustomSchema() within the postgres database. Also commented out database_catalogs section as it's not yet implemented. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Changed from 'metamcp' to 'metamcp-lakebase' to match the actual deployed instance name. This fixes the credential fetch failure that was causing the app to crash at runtime. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Added comprehensive documentation explaining why custom schema is required for Lakebase and how automatic patching works. Changes: - README.md: Added "Lakehouse Provisioning & Custom Schema" section explaining the CAN_CONNECT_AND_CREATE limitation and automated patching approach - AGENTS.md: Added "Lakebase Schema Patching (CRITICAL)" section with detailed technical explanation of patches and troubleshooting - scripts/prepare-metamcp.sh: Added automatic patching of schema definitions and migration files to use metamcp_app schema The patching approach ensures all database objects are created in metamcp_app schema where the service principal has ownership, avoiding "permission denied for schema public" errors. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Resolves permission denied errors when deploying MetaMCP to Databricks Apps with Lakebase by implementing automatic schema patching.
Problem
Lakebase service principals with
CAN_CONNECT_AND_CREATEpermission cannot create database objects in the PostgreSQLpublicschema, resulting in:Solution
Implemented build-time patching in
scripts/prepare-metamcp.shthat automatically redirects all database objects to a custommetamcp_appschema where the service principal has full ownership.Changes
pgSchema("metamcp_app")"metamcp_app"instead of"public"PGOPTIONSto use custom schema search pathPatches Applied
pgSchemafrom drizzle-orm/pg-corepgEnum()→metamcpSchema.enum()pgTable()→metamcpSchema.table()schemaFilter: ["metamcp_app"]to drizzle.config.ts"metamcp_app"schemaPGOPTIONS="-c search_path=metamcp_app,public"at runtimeTesting
metamcp_appschemaVersion Safety
Patches are applied automatically during every build via
prepare-metamcp.sh, so upgrading MetaMCP versions will continue to work - patches are reapplied fresh each time.🤖 Generated with Claude Code