Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add More Granular Check to Postgres User During setup_db #4941

Closed
1 of 2 tasks
mradamcox opened this issue Jun 21, 2019 · 3 comments
Closed
1 of 2 tasks

Add More Granular Check to Postgres User During setup_db #4941

mradamcox opened this issue Jun 21, 2019 · 3 comments

Comments

@mradamcox
Copy link
Member

mradamcox commented Jun 21, 2019
edited
Loading

User Story
Currently, in our setup_db command, there is a check to determine whether the user is a superuser: https://github.com/archesproject/arches/blob/master/arches/management/commands/setup_db.py#L152

cursor.execute("SELECT current_setting('is_superuser')")

If the user is a superuser, then the DROP/CREATE db commands are run to make a completely fresh installation of the Arches database. This must happen the very first time that the database is setup. If the user is not a superuser, then a "reset" of the database is undertaken, where all the data is flushed, but no CREATE commands are run. This can be done over and over by a non-superuser, but only if the database has been created already.

I have found that on AWS RDS (and perhaps other hosted Postgres solutions) the "superuser" you are provided with is not actually a superuser in the proper sense, but it has a more specific set of privileges (which do include the ability to create a database).

This means that in the case of RDS, the user is not properly flagged as a "superuser" with our current code, which triggers the database reset instead of the database creation, which, in turn, fails if the database hasn't yet been created.

Proposal

I have tested and confirmed that in the case of RDS, replacing the superuser check above with this check:

cursor.execute("SELECT rolcreatedb FROM pg_roles WHERE rolname = '{}'".format(username))

does properly determine whether the user has the ability to create databases, so it can be used to trigger the database creation.

Acceptance Criteria

  • Unit Tests passed
  • Documentation

Definition of Done
setup_db must continue to work, but should use a more specific check for whether the user has permission to create databases on the server.
mradamcox added a commit to legiongis/arches that referenced this issue Jun 21, 2019
@mradamcox
improve check for createdb privileges during setup_db re: archesproje…
317a8bb 
…ct#4941
mradamcox added a commit to legiongis/arches that referenced this issue Jun 25, 2019
@mradamcox
improve check for createdb privileges during setup_db re: archesproje…
e75ccc3 
…ct#4941
@mradamcox mradamcox mentioned this issue Jun 25, 2019
Merged
6 tasks
chiatt added a commit that referenced this issue Jun 25, 2019
@chiatt
Merge pull request #4947 from legiongis/4941_improve_pguser_createdb_…
85ab99d 
…chk_4.4.x

improve check for createdb privileges during setup_db re: #4941
mradamcox added a commit to legiongis/arches that referenced this issue Jul 11, 2019
@mradamcox
improve check for createdb privileges during setup_db re: archesproje…
bd12d9e 
…ct#4941
mradamcox added a commit that referenced this issue Jul 11, 2019
@mradamcox
Merge pull request #4997 from legiongis/cherry_pick_PR_4947_to_master
4bd7ed4 
improve check for createdb privileges during setup_db re: #4941
@mradamcox
Copy link
Member Author

This is now addressed, in stable/4.4.x (before the 4.4.2 release) and in master.

@mradamcox mradamcox reopened this Jul 16, 2019
@mradamcox
Copy link
Member Author

mradamcox commented Jul 16, 2019
edited
Loading

@whatisgalen figured out this is not a sufficient fix, as the "Superuser" attribute does allow the creation of databases, but it doesn't actually bring along the "Create DB" attribute. A little more work needs to be done on this, presumably just additionally checking for rolsuper.

mradamcox added a commit to legiongis/arches that referenced this issue Jul 16, 2019
@mradamcox
add check for superuser role archesproject#4941
771872e
@mradamcox mradamcox mentioned this issue Jul 16, 2019
Merged
3 tasks
mradamcox added a commit that referenced this issue Jul 16, 2019
@mradamcox
Merge pull request #5009 from legiongis/4941_fix_setup_db_privilege_c…
8cf80e8 
…heck

add check for superuser role #4941
mradamcox added a commit to legiongis/arches that referenced this issue Jul 22, 2019
@mradamcox
add check for superuser role archesproject#4941
20ed30e
@mradamcox mradamcox mentioned this issue Jul 22, 2019
Merged
6 tasks
mradamcox added a commit that referenced this issue Jul 22, 2019
@mradamcox
Merge pull request #5023 from legiongis/4941_add_superuser_role_check…
3e30d8d 
…_4.4.x

add check for superuser role #4941
@mradamcox
Copy link
Member Author

The fix for this is now in stable/4.4.x and master, so I'm re-closing the ticket.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mradamcox