[DPE-2167] Added admin extra user role #201
Conversation
] | ||
if extra_user_role not in roles and extra_user_role != "admin" | ||
} | ||
if "SUPERUSER" in map(str.upper, privileges): |
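Review bot: the `extra_user_role != "admin"` exemption compares the literal lowercase string, while the `"SUPERUSER" in map(str.upper, privileges)` check a few lines below normalises case first; pick one convention for the relation field so that a request of "Admin" or "ADMIN" is not handled differently from "admin" by the two checks.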
I think PGB is using superuser. We should change that to admin after this change.
Good point. I reverted this part of the code as I realised that Landscape needs a superuser (for plpython extension, a requirement that may or may not be removed at some time, but also due to some schema changes that may happen in a landscape server upgrade).
- we should document this properly. JFMI, which extra_user_role is used by pgbouncer?
- re: plpython. We will have to hide it for now (c) Mohamed. Security concerns. This is why it was missing on mid-sync presentation. Mohamed will create a ticket to discuss and hide in documentation for now. No rush necessary today!
PgBouncer currently uses SUPERUSER (to be able to create other superusers).
Thank you!
What about improving https://charmhub.io/postgresql-k8s/docs/e-users to expand "Relation/integration users" with a description of extra_user_roles (internal and allowed to be used "admin"). BTW, if no extra-user-roles are requested, how do we call this "role"? :-)
@@ -347,15 +347,21 @@ def set_up_database(self) -> None: | |||
"""Set up postgres database with the right permissions.""" | |||
connection = None | |||
try: | |||
self.create_user( | |||
"admin", | |||
extra_user_roles="pg_read_all_data,pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables,pg_monitor,pg_signal_backend", |
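Review bot: the extra_user_roles string on the last line of this hunk mixes pg_signal_backend, which lets the role cancel and terminate other backends' sessions, into an otherwise read-only set of monitoring roles; if the "admin" user is meant to be read-only, drop it, otherwise call the reason out in the set_up_database docstring so the next reviewer does not have to guess.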
I would limit privs by read and write all databases.
extra_user_roles="pg_read_all_data,pg_read_all_settings,pg_read_all_stats,pg_stat_scan_tables,pg_monitor,pg_signal_backend", | |
extra_user_roles="pg_read_all_data,pg_write_all_data", |
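Review bot: the suggested replacement grants pg_write_all_data, which allows INSERT, UPDATE and DELETE on every table the role can reach in every database it can connect to, while the PR description says the "admin" role gets "only read permissions"; reconcile the two (keep the role read-only, or update the description and the user docs to say it can write). The suggestion also drops pg_read_all_settings, pg_read_all_stats and pg_monitor, so any monitoring use of the role would stop working.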
Updated on 3b95919.
Good suggestion. I added the following text to both https://discourse.charmhub.io/t/charmed-postgresql-k8s-explanations-users/10843 and https://discourse.charmhub.io/t/charmed-postgresql-explanations-users/10798:
Issue
There is no "admin" extra user role that can be requested by client application charms.

Solution
Add only read permissions to the special "admin" role. The permission to create anything in the public schema of the "postgres" database was removed. Also add to it the permission to create and drop databases (except the system database "postgres").

While reviewing, the following files can be ignored (they are generated):
poetry.lock
requirements.txt
tests/integration/ha_tests/application-charm/requirements.txt
tests/integration/new_relations/application-charm/requirements.txt

We disabled the hashes temporarily on all the requirements.txt files due to [canonical/charmcraft#1179] (so we can pack the charms now). It will be reverted later.

Fixes #192.
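As an added example (not the charm's own code), the allow-list check discussed in this conversation written as a stand-alone routine: it normalises a relation's extra_user_roles field, refuses anything outside the allow-list or any superuser-class attribute, and builds the grants for the "admin" role. The allowed set, the forbidden set, the expansion of "admin" and the identifier pattern are assumptions, not the charm's actual values.

```python
import re

# Assumed allow-list: the only extra user role a client charm may request is
# "admin" (the role this PR adds); anything else is rejected before any SQL runs.
ALLOWED_EXTRA_ROLES = {"admin"}
# Role attributes that must never be grantable through a relation (assumption).
FORBIDDEN_ROLES = {"superuser", "createrole", "replication", "bypassrls"}
# Assumed expansion of "admin", simplified from the PR description: read access
# to all data plus the ability to create databases.
ADMIN_PREDEFINED_ROLES = ("pg_read_all_data",)
# Conservative identifier pattern; a name outside it is refused rather than quoted.
_IDENT = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")


def parse_extra_user_roles(extra_user_roles: str) -> list:
    """Split the comma-separated relation field, trimming and lower-casing each role."""
    return [r.strip().lower() for r in extra_user_roles.split(",") if r.strip()]


def validate_extra_user_roles(extra_user_roles: str) -> list:
    """Return the normalised roles, or raise ValueError on any disallowed entry."""
    roles = parse_extra_user_roles(extra_user_roles)
    for role in roles:
        if role in FORBIDDEN_ROLES:
            raise ValueError(f"role {role!r} cannot be requested over a relation")
        if role not in ALLOWED_EXTRA_ROLES:
            raise ValueError(f"unknown extra user role {role!r}")
    return roles


def build_grant_statements(username: str, extra_user_roles: str) -> list:
    """Build the SQL for a relation user, refusing unusual names and disallowed roles."""
    if not _IDENT.match(username):
        raise ValueError(f"refusing to quote unusual username {username!r}")
    statements = []
    if "admin" in validate_extra_user_roles(extra_user_roles):
        for predefined in ADMIN_PREDEFINED_ROLES:
            statements.append(f'GRANT {predefined} TO "{username}";')
        statements.append(f'ALTER ROLE "{username}" CREATEDB;')
    return statements


if __name__ == "__main__":
    # Constructed sample input: a relation requesting the "admin" role.
    for stmt in build_grant_statements("relation_user_1", "admin"):
        print(stmt)
```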