Remove db superuser requirement

[silentninja]

Fixes #2990

The PR now creates a non-existent database during installation only if the database user has the privilege to create a database and gracefully prints a warning message instead of breaking the install script.

I have also updated the documentation to remove the need for superuser privilege and replaced it with ownership privilege of the database

Additional context
I couldn't change our test case to use just the ownership privilege of the database as our test suite needs some more additional privileges like CREATEDB which made the refactor really complicated.
But I tested it by commenting out the drop_database and create_database functions and the test cases that don't depend on those functions pass as expected. I think we should revisit this when we rework our test cases.

Checklist

• My pull request has a descriptive title (not a vague title like Update index.md).
• My pull request targets the develop branch of the repository
• My commit messages follow best practices.
• My code follows the established code style of the repository.
• I added tests for the changes I made (if applicable).
• I added or updated documentation (if applicable).
• I tried running the project locally and verified that there are no
  visible errors.

Developer Certificate of Origin

Developer Certificate of Origin

Developer Certificate of Origin
Version 1.1

Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
1 Letterman Drive
Suite D4700
San Francisco, CA, 94129

Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.


Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.

[mathemancer]

Shouldn't we go for USAGE on databases? I think the owner of the database is unique, and I'd assume that you specifically wouldn't want to let mathesar use that user if you're worried about security.

[mathemancer]

Use the v13 docs, please.

[mathemancer]

Use the v13 docs, please.

[mathemancer]

v13 docs, please!

[mathemancer]

I think we can get away with the user having USAGE on the database.

[kgodey]

I'd like to review this from a documentation perspective once other issues are addressed, please tag me before merging.

[silentninja]

Thanks for the review @mathemancer. I updated the documentation to point to the correct Postgres documentation

I think we can get away with the user having USAGE on the database.

I don't think databases have USAGE privilege, please correct me if I am wrong. Postgres docs mention only CREATE | CONNECT | TEMPORARY | TEMP as the available permissions. Moreover, even if it did have USAGE privilege, we still need to DROP and CREATE schemas and other objects which a USAGE privilege does not allow. I couldn't even use GRANT ALL ON DATABASE because it doesn't allow for deleting a schema.

Postgres docs for reference

GRANT { { CREATE | CONNECT | TEMPORARY | TEMP } [, ...] | ALL [ PRIVILEGES ] }
    ON DATABASE database_name [, ...]
    TO role_specification [, ...] [ WITH GRANT OPTION ]
    [ GRANTED BY role_specification ]

[mathemancer]

Okay, you're correct about USAGE. I did some more reading, and it seems we're in a bit of a quandary, and the actual review we need here is from a kind of product level. My biggest problem with this change is that the OWNER of a database is unique, and I would imagine a DBA would be similarly reluctant to change the unique owner of a database to a mathesar user, or to grant Mathesar access to the pre-existing, unique, owner of a database's user credentials.

I suppose the plus side is that a DBA could set up a special user who owns nothing else, and make that user the owner of a database they want to use Mathesar with. However, that would remove ownership from whoever owned it previously. And if the previous owner was not a superuser, that reduces the privileges of that other user's account.

After some reading and thinking, the only actual permissions we need on a database are CREATE and CONNECT, and we'd probably need USAGE and CREATE on the public schema, since I assume parts of our codebase assume access to public. That would let us connect to the database, and set up Mathesar schemas, which is all that's needed for installation. However, you wouldn't really be able to see any objects in any schemas except the public one, or ones created by the mathesar user.

@kgodey Do you have any product considerations here we should think about? Is "Mathesar needs unique ownership over DBs it connects to" a reasonable choice, or a better one than "Mathesar needs a superuser on your DB cluster"? I'm not sure. As the originator of the issue pointed out, a superuser has access to all DBs on a cluster, whereas an owner could be restricted to just the one. The alternative is to sink more development time into coming up with a more precise privilege stance and testing that it works.

[mathemancer]

Also, @silentninja I'm approving so I'm not blocking anything once @kgodey weighs in, but please wait for her input before merging.

[kgodey]

I'm in agreement with @mathemancer's concerns.

Is "Mathesar needs unique ownership over DBs it connects to" a reasonable choice, or a better one than "Mathesar needs a superuser on your DB cluster"?

I think I'd rather have "Mathesar needs a superuser on your DB cluster" than "Mathesar needs unique ownership over DBs it connects to". At least you can have multiple superusers, you can only have one owner of a DB, and I don't think most people would be comfortable setting that to a machine user (or using their own credentials).

The alternative is to sink more development time into coming up with a more precise privilege stance and testing that it works.

I thought this was what we were doing for this issue.

---

To get this merged, I would be okay with updating the docs to say you either need the user to be a superuser or be the database owner, but I don't think it makes sense to replace the superuser instructions with DB owner instructions. However, I don't think this fixes the larger issue, and we still need to do work on coming up with a more precise privilege set and using that instead.

[silentninja]

The fundamental issue we are trying to solve is that potential users are hesitant to accept the permissions we need. This PR does not fix that issue

This is correct. I was trying to fix #2990 which is aimed at having privileges specific to a database(based on the issue description) but this PR title made it looks like it was solving a different issue.

I will create two new issues to unblock this PR as it is preventing a user from using Mathesar

• Documenting the requirement for superuser or owner privileges - Documenting the requirement for superuser or owner privileges #3178
• A draft issue for tracking product-level discussion on avoiding the need for powerful privileges for superuser/owner - Do we need powerful privileges like superuser/owner for functioning of Mathesar? #3179

As for this PR, I will update the docs to say you either need a superuser or a database owner

[rajatvijay]

@seancolsen assigning this to you since this needs documentation review.

[seancolsen]

I've added some minor docs language changes in a766eac, and I've approved this PR from a documentation perspective only. I'm re-assigning it to you in @silentninja, just in case there is more work here that needs to be done. I haven't read through the entire diff or comments here.

Feedback has been addressed