Change the set-up process as recommended by @kindly
Showing
4 changed files
with
120 additions
and
142 deletions.
Empty file.
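--- /dev/null
+++ b/[python file path not shown on page]
@@ -0,0 +1,79 @@
+'''
+Setup the right permissions on the datastore db
+'''
+
+import sys
+import os
+import logging
+
+
+def _run_cmd(command_line, inputstring=''):
+logging.info("Running:", command_line)
+import subprocess
+p = subprocess.Popen(
+command_line, shell=True,
+stdin=subprocess.PIPE,
+stdout=subprocess.PIPE,
+stderr=subprocess.PIPE)
+stdout_value, stderr_value = p.communicate(input=inputstring)
+if stderr_value:
+print '\nAn error occured: {0}'.format(stderr_value)
+sys.exit(1)
+
+
+def _run_sql(sql, as_sql_user, database='postgres'):
+logging.debug("Executing: \n#####\n", sql, "\n####\nOn database:", database)
+_run_cmd("sudo -u '{username}' psql --dbname='{database}' -W".format(
+username=as_sql_user,
+database=database
+), inputstring=sql)
+
+
+def set_permissions(pguser, ckandb, datastoredb, ckanuser, writeuser, readonlyuser):
+__dir__ = os.path.dirname(os.path.abspath(__file__))
+filepath = os.path.join(__dir__, 'set_permissions.sql')
+with open(filepath) as f:
+set_permissions_sql = f.read()
+
+sql = set_permissions_sql.format(
+ckandb=ckandb,
+datastoredb=datastoredb,
+ckanuser=ckanuser,
+writeuser=writeuser,
+readonlyuser=readonlyuser)
+
+_run_sql(sql,
+as_sql_user=pguser,
+database=datastoredb)
+
+
+if __name__ == '__main__':
+import argparse
+argparser = argparse.ArgumentParser(
+description='Set the permissions on the CKAN datastore. ',
+epilog='"The ships hung in the sky in much the same way that bricks don\'t."')
+
+argparser.add_argument('-p', '--pg_super_user', dest='pguser', default='postgres', type=str,
+help="the postgres super user")
+
+argparser.add_argument(dest='ckandb', default='ckan', type=str,
+help="the name of the ckan database")
+argparser.add_argument(dest='datastoredb', default='datastore', type=str,
+help="the name of the datastore database")
+argparser.add_argument(dest='ckanuser', default='ckanuser', type=str,
+help="username of the ckan postgres user")
+argparser.add_argument(dest='writeuser', default='writeuser', type=str,
+help="username of the datastore user that can write")
+argparser.add_argument(dest='readonlyuser', default='readonlyuser',
+help="username of the datastore user who has only read permissions")
+
+args = argparser.parse_args()
+
+set_permissions(
+pguser=args.pguser,
+ckandb=args.ckandb,
+datastoredb=args.datastoredb,
+ckanuser=args.ckanuser,
+writeuser=args.writeuser,
+readonlyuser=args.readonlyuser
+)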
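Review bot: `_run_sql` builds the command by interpolating `as_sql_user` and `database` into a string that `_run_cmd` runs with `shell=True`, so a quote or shell metacharacter in a user or database name given on the command line changes the command rather than the argument; pass an argument list without a shell instead, and validate the same names (identifier characters only) before `set_permissions` formats them into the SQL template, since they are also substituted into psql `\set` lines unquoted. The error check on `stderr_value` is unreliable in both directions: psql writes NOTICE output to stderr, and the exit status is never inspected, so `p.returncode` (with `-v ON_ERROR_STOP=1` so a failed statement makes psql exit non-zero) is the signal to test. `logging.info("Running:", command_line)` and the `logging.debug` call pass extra positional arguments without `%s` placeholders, which logging reports as a formatting error instead of emitting the message. Separately, the positional `add_argument` calls with `default=` are still required by argparse, so those defaults never apply unless `nargs='?'` is given.

```python
def _run_cmd(command_line, inputstring=''):
    """Run *command_line* (an argument list, no shell) and exit on failure."""
    logging.info("Running: %s", command_line)
    import subprocess
    p = subprocess.Popen(
        command_line,
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.PIPE)
    stdout_value, stderr_value = p.communicate(input=inputstring)
    # psql prints NOTICEs on stderr, so the exit status is the only reliable failure signal
    if p.returncode != 0:
        print '\nAn error occured: {0}'.format(stderr_value)
        sys.exit(1)


def _run_sql(sql, as_sql_user, database='postgres'):
    logging.debug("Executing: \n#####\n%s\n####\nOn database: %s", sql, database)
    # ON_ERROR_STOP makes a failed statement exit non-zero instead of continuing
    _run_cmd(['sudo', '-u', as_sql_user, 'psql', '--dbname=' + database,
              '-v', 'ON_ERROR_STOP=1', '-W'],
             inputstring=sql)

# … unchanged: set_permissions and the argparse entry point …
```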
@@ -1,56 +1,54 @@ | ||
/* | ||
This script creates a new datastore database and | ||
This script sets-up the permissions for the the datastore. | ||
creates a new datastore database and | ||
a new read-only user for ckan who will only be able | ||
to select from the datastore database but has no create/write/edit | ||
permission or any permissions on other databases. | ||
Please set the variables to you current setup. For testing purposes it | ||
Please set the variables to you current set-up. For testing purposes it | ||
is possible to set maindb = datastoredb. | ||
To run the script, execute: | ||
sudo -u postgres psql postgres -f create_read_only_user.sql | ||
sudo -u postgres psql postgres -f set_permissions.sql | ||
*/ | ||
|
||
\set maindb "ckan" | ||
-- don't quote the datastoredb variable or create the database separately | ||
\set datastoredb datastore | ||
\set ckanuser ckanuser | ||
\set rouser readonlyuser | ||
\set ropwd 'pass' | ||
|
||
-- create the datastore database | ||
create database :datastoredb; | ||
|
||
-- switch to the new database | ||
\c :datastoredb; | ||
|
||
/* | ||
-- delete the previous users | ||
REVOKE CONNECT ON DATABASE :datastoredb FROM :rouser; | ||
DROP OWNED BY :rouser; | ||
DROP USER :rouser; | ||
--*/ | ||
|
||
-- revoke permissions for the new user | ||
-- name of the main CKAN database | ||
\set maindb "{ckandb}" | ||
-- the name of the datastore database | ||
\set datastoredb '{datastoredb}' | ||
-- username of the ckan postgres user | ||
\set ckanuser '{ckanuser}' | ||
-- username of the datastore user that can write | ||
\set wuser '{writeuser}' | ||
-- username of the datastore user who has only read permissions | ||
\set rouser '{readonlyuser}' | ||
|
||
-- revoke permissions for the read-only user | ||
---- this step can be ommitted if the datastore not | ||
---- on the same server as the CKAN database | ||
REVOKE CREATE ON SCHEMA public FROM PUBLIC; | ||
REVOKE USAGE ON SCHEMA public FROM PUBLIC; | ||
|
||
GRANT CREATE ON SCHEMA public TO :ckanuser; | ||
GRANT USAGE ON SCHEMA public TO :ckanuser; | ||
|
||
-- create new read only user | ||
CREATE USER :rouser WITH PASSWORD :ropwd NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN; | ||
GRANT CREATE ON SCHEMA public TO :ckanuser; | ||
GRANT USAGE ON SCHEMA public TO :ckanuser; | ||
|
||
-- take connect permissions from main db | ||
-- take connect permissions from main CKAN db | ||
---- again, this can be ommited if the read-only user can never have | ||
---- access to the main CKAN database | ||
REVOKE CONNECT ON DATABASE :maindb FROM :rouser; | ||
|
||
-- grant select permissions for read-only user | ||
GRANT CONNECT ON DATABASE :datastoredb TO :rouser; | ||
GRANT USAGE ON SCHEMA public TO :rouser; | ||
|
||
-- grant access to current tables and views | ||
-- grant access to current tables and views to read-only user | ||
GRANT SELECT ON ALL TABLES IN SCHEMA public TO :rouser; | ||
|
||
-- grant access to new tables and views by default | ||
ALTER DEFAULT PRIVILEGES FOR USER :ckanuser IN SCHEMA public | ||
---- the permissions will be set when the write user creates a table | ||
ALTER DEFAULT PRIVILEGES FOR USER :wuser IN SCHEMA public | ||
GRANT SELECT ON TABLES TO :rouser; |
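Review bot: `:wuser` appears only in the `ALTER DEFAULT PRIVILEGES FOR USER :wuser` statement; the CREATE and USAGE grants on schema `public` go to `:ckanuser` alone, so after `REVOKE CREATE ON SCHEMA public FROM PUBLIC` the write user cannot create tables in the datastore unless it is the same role as ckanuser, and the comment "the permissions will be set when the write user creates a table" would never apply. If the two roles are meant to differ, add `GRANT CREATE ON SCHEMA public TO :wuser;` and `GRANT USAGE ON SCHEMA public TO :wuser;` next to the ckanuser grants. Note also that default privileges set `FOR USER :wuser` cover only objects created by that role, so tables created by `:ckanuser` would not get the read-only SELECT by default — a comment stating which role is expected to create datastore tables would make the intent checkable. The `\set` values are filled in by `str.format` from the Python wrapper, so a name containing a quote would break the variable assignment; a one-line comment that the names must be plain identifiers would help.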