New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove db superuser requirement #3117
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we go for USAGE
on databases? I think the owner of the database is unique, and I'd assume that you specifically wouldn't want to let mathesar use that user if you're worried about security.
- Create a PostgreSQL database for Mathesar's internal usage. | ||
- Create a database user for Mathesar to use. The user should be a `SUPERUSER`, [see PostgreSQL docs for more information](https://www.postgresql.org/docs/13/sql-createrole.html). | ||
- Create a database user for Mathesar to use. | ||
- Create a PostgreSQL database for Mathesar's internal usage owned by that database user, [see PostgreSQL docs for more information](https://www.postgresql.org/docs/9.0/ddl-priv.html) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use the v13 docs, please.
- Database password | ||
|
||
!!! warning "Database creation" | ||
Whenever the Docker container is started, we will attempt to create any databases in this list that don't already exist. So you don't need to ensure that they are created before installation. | ||
Whenever the Docker container is started, we will attempt to create any databases in this list that don't already exist if the user has [`CREATEDB` privilege](https://www.postgresql.org/docs/current/sql-createrole.html). So you don't need to ensure that they are created before installation. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use the v13 docs, please.
@@ -24,7 +24,7 @@ You can create a new PostgreSQL database while setting up Mathesar or use our UI | |||
To connect Mathesar to an existing database: | |||
|
|||
- The external database should be able to accept network connections from your Mathesar server. | |||
- You'll need to set up a database user for Mathesar to use. The user should be a `SUPERUSER`, [see PostgreSQL docs for more information](https://www.postgresql.org/docs/13/sql-createrole.html). | |||
- You'll need to set up a database user for Mathesar to use. The user should own that database, [see PostgreSQL docs for more information](https://www.postgresql.org/docs/9.0/ddl-priv.html) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
v13 docs, please!
@@ -24,7 +24,7 @@ You can create a new PostgreSQL database while setting up Mathesar or use our UI | |||
To connect Mathesar to an existing database: | |||
|
|||
- The external database should be able to accept network connections from your Mathesar server. | |||
- You'll need to set up a database user for Mathesar to use. The user should be a `SUPERUSER`, [see PostgreSQL docs for more information](https://www.postgresql.org/docs/13/sql-createrole.html). | |||
- You'll need to set up a database user for Mathesar to use. The user should own that database, [see PostgreSQL docs for more information](https://www.postgresql.org/docs/9.0/ddl-priv.html) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can get away with the user having USAGE
on the database.
I'd like to review this from a documentation perspective once other issues are addressed, please tag me before merging. |
Thanks for the review @mathemancer. I updated the documentation to point to the correct Postgres documentation
I don't think databases have
|
… into remove-db-superuser-requirement
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, you're correct about USAGE
. I did some more reading, and it seems we're in a bit of a quandary, and the actual review we need here is from a kind of product level. My biggest problem with this change is that the OWNER
of a database is unique, and I would imagine a DBA would be similarly reluctant to change the unique owner of a database to a mathesar
user, or to grant Mathesar access to the pre-existing, unique, owner of a database's user credentials.
I suppose the plus side is that a DBA could set up a special user who owns nothing else, and make that user the owner of a database they want to use Mathesar with. However, that would remove ownership from whoever owned it previously. And if the previous owner was not a superuser, that reduces the privileges of that other user's account.
After some reading and thinking, the only actual permissions we need on a database are CREATE
and CONNECT
, and we'd probably need USAGE
and CREATE
on the public
schema, since I assume parts of our codebase assume access to public
. That would let us connect to the database, and set up Mathesar schemas, which is all that's needed for installation. However, you wouldn't really be able to see any objects in any schemas except the public
one, or ones created by the mathesar
user.
@kgodey Do you have any product considerations here we should think about? Is "Mathesar needs unique ownership over DBs it connects to" a reasonable choice, or a better one than "Mathesar needs a superuser on your DB cluster"? I'm not sure. As the originator of the issue pointed out, a superuser has access to all DBs on a cluster, whereas an owner could be restricted to just the one. The alternative is to sink more development time into coming up with a more precise privilege stance and testing that it works.
Also, @silentninja I'm approving so I'm not blocking anything once @kgodey weighs in, but please wait for her input before merging. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm in agreement with @mathemancer's concerns.
Is "Mathesar needs unique ownership over DBs it connects to" a reasonable choice, or a better one than "Mathesar needs a superuser on your DB cluster"?
I think I'd rather have "Mathesar needs a superuser on your DB cluster" than "Mathesar needs unique ownership over DBs it connects to". At least you can have multiple superusers, you can only have one owner of a DB, and I don't think most people would be comfortable setting that to a machine user (or using their own credentials).
The alternative is to sink more development time into coming up with a more precise privilege stance and testing that it works.
I thought this was what we were doing for this issue.
To get this merged, I would be okay with updating the docs to say you either need the user to be a superuser or be the database owner, but I don't think it makes sense to replace the superuser instructions with DB owner instructions. However, I don't think this fixes the larger issue, and we still need to do work on coming up with a more precise privilege set and using that instead.
This is correct. I was trying to fix #2990 which is aimed at having privileges specific to a database(based on the issue description) but this PR title made it looks like it was solving a different issue. I will create two new issues to unblock this PR as it is preventing a user from using Mathesar
As for this PR, I will update the docs to say you either need a superuser or a database owner |
@seancolsen assigning this to you since this needs documentation review. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added some minor docs language changes in a766eac, and I've approved this PR from a documentation perspective only. I'm re-assigning it to you in @silentninja, just in case there is more work here that needs to be done. I haven't read through the entire diff or comments here.
Fixes #2990
The PR now creates a non-existent database during installation only if the database user has the privilege to create a database and gracefully prints a warning message instead of breaking the install script.
I have also updated the documentation to remove the need for superuser privilege and replaced it with ownership privilege of the database
Additional context
I couldn't change our test case to use just the ownership privilege of the database as our test suite needs some more additional privileges like
CREATEDB
which made the refactor really complicated.But I tested it by commenting out the
drop_database
andcreate_database
functions and the test cases that don't depend on those functions pass as expected. I think we should revisit this when we rework our test cases.Checklist
Update index.md
).develop
branch of the repositoryvisible errors.
Developer Certificate of Origin
Developer Certificate of Origin