https://pfspipe.ipmu.jp/jira This file is an XML representation of an issue en-us 8.3.4 803005 13-09-2019 https://pfspipe.ipmu.jp/jira/browse/INFRA-296 Software Development Infrastructure <p>We currently use the <tt>pfs</tt> role for all connections to the opdb and archiver databases, and that role has infinite power (it has the superuser bit). We should be more careful, if only to avoid doom-typos. How about three roles:</p> <div class='table-wrap'> <table class='confluenceTable'><tbody> <tr> <th class='confluenceTh'>Name</th> <th class='confluenceTh'>Permissions</th> <th class='confluenceTh'>Note</th> </tr> <tr> <td class='confluenceTd'>public</td> <td class='confluenceTd'>select</td> <td class='confluenceTd'>For querying and browsing</td> </tr> <tr> <td class='confluenceTd'>pfs</td> <td class='confluenceTd'>select,insert</td> <td class='confluenceTd'>For the ICS and DRP programs, mainly</td> </tr> <tr> <td class='confluenceTd'>admin</td> <td class='confluenceTd'>all</td> <td class='confluenceTd'>Obvious</td> </tr> </tbody></table> </div> INFRA-296

Adjust database permissions

Task Normal Done Done Kiyoto Yabe cloomis EngRun Tue, 13 Jul 2021 19:27:35 +0000 Tue, 26 Oct 2021 07:56:04 +0000 Tue, 26 Oct 2021 06:40:24 +0000 0 3 <p>Do we need to fix this before the Nov. run?</p> <p>Depend on how scared you are of anyone running "DROP DATABASE OPDB;". I am actually more scared of "DROP DATABASE ARCHIVER;"</p> <p>We replicate opdb to Hilo and Princeton, but not the archiver. We were planning to have a summit backup machine for replication, but that has not yet happened.</p> <p>I think this needs to be done before the next run. If I understand correctly, currently everyone has superuser access. So anyone could inadvertently modify the database contents.</p> <p>OK, I will think about a plan to change permissions (consulting with experts). BTW, we replicated the entire database cluster at summit to Hilo, so is `archiver` I guess.</p> <p>I'm thinking about the following SQL commands:</p> <ul> <li>CREATE USER admin WITH PASSWORD 'usual password' Superuser Createrole CreateDB Replication;</li> <li>CREATE USER public_user WITH PASSWORD 'public user password';</li> <li>ALTER ROLE pfs WITH NOSUPERUSER NOCREATEDB  NOCREATEROLE NOREPLICATION;</li> <li>admin@opdb (repeat followings for archiver) <ul> <li>REASSIGN OWNED BY pfs TO admin;</li> <li>REVOKE ALL ON SCHEMA public FROM pfs;</li> <li>REVOKE ALL ON ALL TABLES IN SCHEMA public FROM pfs;</li> <li>GRANT USAGE ON SCHEMA public TO pfs;</li> <li><br/> GRANT USAGE ON ALL SEQUENCES IN SCHEMA public to pfs;</li> <li>GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA public TO pfs;</li> <li>ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT ON TABLES TO pfs;</li> <li><br/> ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO pfs;</li> <li>REVOKE ALL ON SCHEMA public FROM public_user;</li> <li>REVOKE ALL ON ALL TABLES IN SCHEMA public FROM public_user;</li> <li>GRANT USAGE ON SCHEMA public TO public_user;</li> <li>GRANT SELECT ON ALL TABLES IN SCHEMA public TO public_user;</li> <li>ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO public_user;</li> <li>ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO public_user;</li> </ul> </li> </ul> <p>These seem to work fine in my test environment, but perhaps not in the real environment. So, any comments are very welcome. Maybe there exists a smarter way...</p> <p>Notes:</p> <ul> <li>`public` is a reserved word so will use `public_user` for a public user</li> <li>Do we need `UPDATE` for `pfs`?</li> <li>Probably we need to change this monitoring `opDB` &amp; `archiver` access. Maybe downtime?</li> </ul> <p>Planned commands are something like this:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> [done] CREATE USER admin WITH PASSWORD <span class="code-quote">'usual password'</span> Superuser Createrole CreateDB Replication; [done] CREATE USER public_user WITH PASSWORD <span class="code-quote">'ask me'</span>; (admin@archiver) ALTER USER pfs WITH NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION; REASSIGN OWNED BY pfs TO admin; GRANT USAGE ON SCHEMA <span class="code-keyword">public</span> TO pfs; GRANT USAGE ON ALL SEQUENCES IN SCHEMA <span class="code-keyword">public</span> TO pfs; GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA <span class="code-keyword">public</span> TO pfs; ALTER DEFAULT PRIVILEGES IN SCHEMA <span class="code-keyword">public</span> GRANT SELECT, INSERT ON TABLES TO pfs; ALTER DEFAULT PRIVILEGES IN SCHEMA <span class="code-keyword">public</span> GRANT USAGE ON SEQUENCES TO pfs; (admin@opdb) GRANT USAGE ON SCHEMA <span class="code-keyword">public</span> TO pfs; GRANT USAGE ON ALL SEQUENCES IN SCHEMA <span class="code-keyword">public</span> TO pfs; GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA <span class="code-keyword">public</span> TO pfs; ALTER DEFAULT PRIVILEGES IN SCHEMA <span class="code-keyword">public</span> GRANT SELECT, INSERT ON TABLES TO pfs; ALTER DEFAULT PRIVILEGES IN SCHEMA <span class="code-keyword">public</span> GRANT USAGE ON SEQUENCES TO pfs; GRANT USAGE ON SCHEMA <span class="code-keyword">public</span> TO public_user; GRANT USAGE ON ALL SEQUENCES IN SCHEMA <span class="code-keyword">public</span> TO public_user; GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA <span class="code-keyword">public</span> TO public_user; ALTER DEFAULT PRIVILEGES IN SCHEMA <span class="code-keyword">public</span> GRANT SELECT ON TABLES TO public_user; ALTER DEFAULT PRIVILEGES IN SCHEMA <span class="code-keyword">public</span> GRANT USAGE ON SEQUENCES TO public_user;   </pre> </div></div> <p>Am happy trying the archiver changes at JHU.</p> <p>Wait, typo?</p> <p>We do <b>not</b> want to grant anything but <tt>SELECT</tt> to <tt>public_user</tt>, so not:</p> <div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent"> <pre>GRANT SELECT, INSERT ON ALL TABLES IN SCHEMA public TO public_user; </pre> </div></div> <p>FYI the <tt>REASSIGN OWNED BY pfs TO admin;</tt> command takes longer than you might guess. Several minutes at JHU. Worked fine in the end. I did swap the order of the <tt>ALTER USER pfs</tt> and <tt>REASSIGN OWNED BY</tt> commands since I was slightly worried about cutting my legs off at the knees.</p> <p>After removing a blocking process, the following SQL commands to change permissions have been sent. Indeed, I did not use `REASSIGN OWNED` but made SQL commands to change for each table detected by the following command:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> SELECT    <span class="code-quote">'ALTER TABLE '</span> || schemaname    || <span class="code-quote">'.'</span> || tablename ||    <span class="code-quote">' OWNER TO admin;'</span>FROM pg_tables WHERE tableowner =<span class="code-quote">'pfs'</span>; </pre> </div></div> <p><span class="nobr"><a href="https://pfspipe.ipmu.jp/jira/secure/attachment/14250/14250_change_opdb.sql" title="change_opdb.sql attached to INFRA-296">change_opdb.sql^{<img class="rendericon" src="https://pfspipe.ipmu.jp/jira/images/icons/link_attachment_7.gif" height="7" width="7" align="absmiddle" alt="" border="0"/>}</a></span></p> <p><span class="nobr"><a href="https://pfspipe.ipmu.jp/jira/secure/attachment/14249/14249_change_archiver.sql" title="change_archiver.sql attached to INFRA-296">change_archiver.sql^{<img class="rendericon" src="https://pfspipe.ipmu.jp/jira/images/icons/link_attachment_7.gif" height="7" width="7" align="absmiddle" alt="" border="0"/>}</a></span></p> <p>I just realized that `obslog` needed to delete records of some tables. I just add the following permissions for `obslog_*_note` tables.</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> BEGIN; GRANT UPDATE, DELETE ON obslog_visit_note TO pfs; GRANT UPDATE, DELETE ON obslog_mcs_exposure_note TO pfs; GRANT UPDATE, DELETE ON obslog_visit_set_note TO pfs; COMMIT; </pre> </div></div> <p>So far, I don't see (or hear) any problems caused by the change, so I close this ticket. File a new one, if we get some troubles.</p> <p>(Just a record) I also added the followings:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> GRANT SELECT ON ALL SEQUENCES IN SCHEMA <span class="code-keyword">public</span> TO pfs; ALTER DEFAULT PRIVILEGES IN SCHEMA <span class="code-keyword">public</span> GRANT SELECT ON SEQUENCES TO pfs; </pre> </div></div> Development Rank 0|zzs9uc: Sprint EngRun3Cleanup Story Points 1.0