-
Notifications
You must be signed in to change notification settings - Fork 222
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #561 from rhelmer/bug751731-roles-idempotent
Bug751731 roles idempotent
- Loading branch information
Showing
2 changed files
with
41 additions
and
61 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,60 +1,40 @@ | ||
| -- analyst role, for read-only connections by analytics users | ||
| CREATE ROLE analyst; | ||
| ALTER ROLE analyst WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN CONNECTION LIMIT 10; | ||
| ALTER ROLE analyst SET statement_timeout TO '15min'; | ||
| ALTER ROLE analyst SET work_mem TO '128MB'; | ||
| ALTER ROLE analyst SET temp_buffers TO '128MB'; | ||
|
|
||
| -- breakpad group and RW and RO users | ||
| -- these are our main users | ||
| CREATE ROLE breakpad; | ||
| ALTER ROLE breakpad WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB NOLOGIN; | ||
|
|
||
| CREATE ROLE breakpad_ro; | ||
| ALTER ROLE breakpad_ro WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN; | ||
| GRANT breakpad TO breakpad_ro GRANTED BY postgres; | ||
|
|
||
| CREATE ROLE breakpad_rw; | ||
| ALTER ROLE breakpad_rw WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN; | ||
| GRANT breakpad TO breakpad_rw GRANTED BY postgres; | ||
|
|
||
| -- breakpad_metrics user for nightly batch updates from metrics | ||
| CREATE ROLE breakpad_metrics; | ||
| ALTER ROLE breakpad_metrics WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN; | ||
| GRANT breakpad TO breakpad_metrics GRANTED BY postgres; | ||
|
|
||
| -- monitor and processor roles for data processing | ||
| CREATE ROLE processor; | ||
| ALTER ROLE processor WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN; | ||
| GRANT breakpad_rw TO processor GRANTED BY postgres; | ||
|
|
||
| CREATE ROLE monitor; | ||
| ALTER ROLE monitor WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN; | ||
| GRANT breakpad_rw TO monitor GRANTED BY postgres; | ||
| GRANT processor TO monitor GRANTED BY postgres; | ||
|
|
||
| -- monitoring group and separate users for ganglia and nagios | ||
| CREATE ROLE monitoring; | ||
| ALTER ROLE monitoring WITH SUPERUSER INHERIT NOCREATEROLE NOCREATEDB NOLOGIN; | ||
|
|
||
| CREATE ROLE ganglia; | ||
| ALTER ROLE ganglia WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN; | ||
| GRANT monitoring TO ganglia GRANTED BY postgres; | ||
|
|
||
| CREATE ROLE nagiosdaemon; | ||
| ALTER ROLE nagiosdaemon WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN; | ||
| GRANT monitoring TO nagiosdaemon GRANTED BY postgres; | ||
|
|
||
| -- replicator role for replication | ||
| CREATE ROLE replicator; | ||
| ALTER ROLE replicator WITH SUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN; | ||
|
|
||
| -- passwords. reset here for specific passwords you need | ||
| -- only the roles needed on vagrant are given passwords here | ||
| -- so that other roles aren't automatically open | ||
|
|
||
| ALTER ROLE breakpad_ro WITH PASSWORD 'aPassword'; | ||
| ALTER ROLE breakpad_rw WITH PASSWORD 'aPassword'; | ||
| ALTER ROLE processor WITH PASSWORD 'aPassword'; | ||
| ALTER ROLE monitor WITH PASSWORD 'aPassword'; | ||
| -- this file creates all of the roles and inherited permissions | ||
| -- for socorro users on the PostgreSQL database. | ||
| -- it does NOT set passwords for them, which you need to do | ||
| -- separately. Since it does set dummy passwords for a few | ||
| -- roles, if you are setting up Socorro on a non-test machine, | ||
| -- you will need to immediately reset those | ||
|
|
||
| -- create roles idempotently to avoid errors | ||
| -- also set dummy passwords for the core login roles | ||
| -- if we are creating them for the first time | ||
| DO $d$ | ||
| DECLARE someroles TEXT[]; | ||
| rolepass TEXT[]; | ||
| iter INT := 1; | ||
| BEGIN | ||
|
|
||
| someroles := ARRAY['analyst','breakpad','breakpad_ro','breakpad_rw', | ||
| 'breakpad_metrics','processor','monitor','monitoring', | ||
| 'nagiosdaemon','ganglia','replicator']; | ||
|
|
||
| rolepass := ARRAY['breakpad_ro','breakpad_rw','processor','monitor']; | ||
|
|
||
| WHILE iter < array_upper(someroles, 1) LOOP | ||
| PERFORM 1 FROM information_schema.enabled_roles | ||
| WHERE role_name = someroles[iter]; | ||
|
|
||
| IF NOT FOUND THEN | ||
| EXECUTE 'CREATE ROLE ' || someroles[iter] || | ||
| ' WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN;'; | ||
| IF someroles[iter] = ANY ( rolepass ) THEN | ||
| EXECUTE 'ALTER ROLE ' || someroles[iter] || | ||
| ' WITH PASSWORD ''aPassword'''; | ||
| END IF; | ||
| END IF; | ||
| iter := iter + 1; | ||
|
|
||
| END LOOP; | ||
|
|
||
| END;$d$; | ||
|
|