Only update metadata table ownership

database/migration/src/main/resources/changelog.xml

@@ -93,12 +93,6 @@
     <!-- REMINDER!
       Before appending here, did you remember to include the 'objectQuotingStrategy="QUOTE_ALL_OBJECTS"' line in your changeset/xyz.xml...?
     -->
-    <!-- WARNING!
-      This changeset should always be last. It it always run (and should always run last) to set table ownership correctly:
-    -->
-    <include file="changesets/set_table_role.xml" relativeToChangelogFile="true" />
-
-
 </databaseChangeLog>
 <!--
 

database/migration/src/main/resources/metadata_changesets/set_table_role.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<databaseChangeLog objectQuotingStrategy="QUOTE_ALL_OBJECTS"
+                   xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                   xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.3.xsd">
+
+    <!-- The 'sharedCromwellDbRole' can be set via JAVA_OPTS if desired (eg -DsharedCromwellDbRole=...). -->
+    <property  name="sharedCromwellDbRole" value=""/>
+
+    <!--
+        This changeset will be applied whenever the 'sharedCromwellDbRole' property is set.
+        It runs every time to ensure the role is set correctly after all other changesets.
+     -->
+    <changeSet runAlways="true" author="sshah" id="set_table_role" dbms="postgresql">
+        <preConditions onFail="MARK_RAN">
+            <!-- check that 'sharedCromwellDbRole' role is set, and matches something in the pg_roles table -->
+            <sqlCheck expectedResult="1">
+                SELECT count(1)
+                FROM pg_roles
+                where '${sharedCromwellDbRole}' != '' and pg_roles.rolname = '${sharedCromwellDbRole}';
+            </sqlCheck>
+        </preConditions>
+        <sql>
+            ALTER TABLE "CUSTOM_LABEL_ENTRY" OWNER TO '${sharedCromwellDbRole}';
+            ALTER TABLE "METADATA_ENTRY" OWNER TO '${sharedCromwellDbRole}';
+            ALTER TABLE "SUMMARY_QUEUE_ENTRY" OWNER TO '${sharedCromwellDbRole}';
+            ALTER TABLE "SUMMARY_STATUS_ENTRY" OWNER TO '${sharedCromwellDbRole}';
+            ALTER TABLE "WORKFLOW_METADATA_SUMMARY_ENTRY" OWNER TO '${sharedCromwellDbRole}';
+            ALTER TABLE "sqlmetadatadatabasechangelog" OWNER TO '${sharedCromwellDbRole}';
+            ALTER TABLE "sqlmetadatadatabasechangeloglock" OWNER TO '${sharedCromwellDbRole}';
+        </sql>
+    </changeSet>
+
+</databaseChangeLog>

database/migration/src/main/resources/sql_metadata_changelog.xml

@@ -20,7 +20,9 @@
     <include file="metadata_changesets/update_metadata_archive_index.xml" relativeToChangelogFile="true" />
     <include file="metadata_changesets/reset_archive_statuses_to_null.xml" relativeToChangelogFile="true" />
     <!-- WARNING!
-      This changeset should always be last. It it always run (and should always run last) to set table ownership correctly:
+      This changeset should always be last.
+      It it always run (and should always run last) to set table ownership correctly.
+      If your changeset adds a new table, make sure it is also owned by the sharedCromwellDbRole.
     -->
     <include file="metadata_changesets/set_table_role.xml" relativeToChangelogFile="true" />