change_archiver.sql
change_opdb.sql
[INFRA-296] Adjust database permissions Created: 14/Jul/21 Updated: 26/Oct/21 Resolved: 26/Oct/21 |
|
| Status: | Done |
| Project: | Software Development Infrastructure |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Normal |
| Reporter: | cloomis | Assignee: | Kiyoto Yabe |
| Resolution: | Done | Votes: | 0 |
| Labels: | EngRun | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
change_archiver.sql
change_opdb.sql
|
| Story Points: | 1 |
| Sprint: | EngRun3Cleanup |
| Description |
|
We currently use the pfs role for all connections to the opdb and archiver databases, and that role has infinite power (it has the superuser bit). We should be more careful, if only to avoid doom-typos. How about three roles:
|
| Comments |
| Comment by Kiyoto Yabe [ 05/Oct/21 ] |
|
Do we need to fix this before the Nov. run? |
| Comment by cloomis [ 07/Oct/21 ] |
|
Depend on how scared you are of anyone running "DROP DATABASE OPDB;". I am actually more scared of "DROP DATABASE ARCHIVER;" We replicate opdb to Hilo and Princeton, but not the archiver. We were planning to have a summit backup machine for replication, but that has not yet happened. |
| Comment by hassan [ 07/Oct/21 ] |
|
I think this needs to be done before the next run. If I understand correctly, currently everyone has superuser access. So anyone could inadvertently modify the database contents. |
| Comment by Kiyoto Yabe [ 07/Oct/21 ] |
|
OK, I will think about a plan to change permissions (consulting with experts). BTW, we replicated the entire database cluster at summit to Hilo, so is `archiver` I guess. |
| Comment by Kiyoto Yabe [ 12/Oct/21 ] |
|
I'm thinking about the following SQL commands:
These seem to work fine in my test environment, but perhaps not in the real environment. So, any comments are very welcome. Maybe there exists a smarter way... Notes:
|
| Comment by Kiyoto Yabe [ 20/Oct/21 ] |
|
Planned commands are something like this: [done] CREATE USER admin WITH PASSWORD 'usual password' Superuser Createrole CreateDB Replication; [done] CREATE USER public_user WITH PASSWORD 'ask me'; (admin@archiver) ALTER USER pfs WITH NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION; REASSIGN OWNED BY pfs TO admin; GRANT USAGE ON SCHEMA public TO pfs; GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO pfs; GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA public TO pfs; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT ON TABLES TO pfs; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO pfs; (admin@opdb) GRANT USAGE ON SCHEMA public TO pfs; GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO pfs; GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA public TO pfs; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT ON TABLES TO pfs; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO pfs; GRANT USAGE ON SCHEMA public TO public_user; GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO public_user; GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA public TO public_user; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO public_user; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO public_user; |
| Comment by cloomis [ 21/Oct/21 ] |
|
Am happy trying the archiver changes at JHU. |
| Comment by cloomis [ 21/Oct/21 ] |
|
Wait, typo? We do not want to grant anything but SELECT to public_user, so not: GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA public TO public_user; |
| Comment by cloomis [ 21/Oct/21 ] |
|
FYI the REASSIGN OWNED BY pfs TO admin; command takes longer than you might guess. Several minutes at JHU. Worked fine in the end. I did swap the order of the ALTER USER pfs and REASSIGN OWNED BY commands since I was slightly worried about cutting my legs off at the knees. |
| Comment by Kiyoto Yabe [ 21/Oct/21 ] |
|
After removing a blocking process, the following SQL commands to change permissions have been sent. Indeed, I did not use `REASSIGN OWNED` but made SQL commands to change for each table detected by the following command: SELECT 'ALTER TABLE ' || schemaname || '.' || tablename || ' OWNER TO admin;'FROM pg_tables WHERE tableowner ='pfs'; |
| Comment by Kiyoto Yabe [ 22/Oct/21 ] |
|
I just realized that `obslog` needed to delete records of some tables. I just add the following permissions for `obslog_*_note` tables. BEGIN; GRANT UPDATE, DELETE ON obslog_visit_note TO pfs; GRANT UPDATE, DELETE ON obslog_mcs_exposure_note TO pfs; GRANT UPDATE, DELETE ON obslog_visit_set_note TO pfs; COMMIT; |
| Comment by Kiyoto Yabe [ 26/Oct/21 ] |
|
So far, I don't see (or hear) any problems caused by the change, so I close this ticket. File a new one, if we get some troubles. |
| Comment by Kiyoto Yabe [ 26/Oct/21 ] |
|
(Just a record) I also added the followings: GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO pfs; ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON SEQUENCES TO pfs; |
