# Building a security schema in PostgreSQL


This Notebook guides you through the process of defining a set of users and roles, with appropriate privileges, to support a security schema in SQL. 

You will import two tables, as used in Part 10, under two separate users, and create a view which combines them. This will require appropriate permissions to be granted by one user to the other.

Finally, you will check that a select privilege on the view can be granted to a further user.

Much of the code needed to complete this Notebook is already provided, but you need to insert code where indicated.

Solutions are provided in Notebook `23.1 Building a security schema_completed`.

## 1 Setting up the database user structure

In previous Notebooks you have accessed PostgreSQL with the user 'test', which has limited privileges, but sufficient to create and administer tables and views.  

PostgreSQL has a built-in definition of a 'superuser' who has full privileges on all parts of the database.  A superuser can GRANT any of the privileges they have by default, including, for example, CREATEUSER, to any other user; but the detail of managing the full range of privileges is beyond the scope of this module.  It should also be borne in mind that the precise set of privileges associated with users by default is not specified in the SQL standard, so it will vary between different database platforms.

To keep things simple, we shall use just two kinds of user: 'standard users' (like 'test') and 'superusers'.

So, to create new users, including a dbadmin user, you need to connect to PostgreSQL as a superuser.

The default superuser is 'root', which is authenticated by the Linux operating system. There is a special shorthand for connecting to the database as root.

First, we should import the standard sqlmagic.

In [None]:
%load_ext sql

Now connect as 'root'

In [None]:
%sql postgresql:///tm351test

Now create a user dbadmin, with a password - say, 'secret' (you do have to remember it!), and SUPERUSER privileges.

In [None]:
%%sql

DROP USER IF EXISTS dbadmin;

CREATE USER dbadmin WITH PASSWORD 'secret' SUPERUSER;

On the basis that it is not good practice to perform 'routine' work as an overall superuser, reconnect to the database as user dbadmin.

Note that dbadmin *is* a superuser, but only for PostgreSQL. We selected that option, when the user was created, as a shorthand, because we are not exploring the management of the complete range of user privileges: we have simplified the range to 'ordinary' users and 'superusers'.

In [None]:
%sql postgresql://dbadmin:secret@localhost:5432/tm351test

It is now possible to create two more users - with standard privileges - who will own and manage the data tables.  Although there will be just two tables and a single view, we can illustrate several aspects of a security schema if the two tables are created and owned by separate users.

Let us call the two users
- `patient_admin`, with password 'patients'
- `doctor_admin`, with password 'doctors'.

Note that neither of these users should be created with SUPERUSER privileges.

In [None]:
%%sql
-- insert your own CREATE USER statements
-- remember to check that the users do not already exist (DROP USER IF EXISTS...)
DROP USER IF EXISTS patient_admin, doctor_admin;
CREATE USER ...

To complete the hierarchy of users and roles, we shall need some further users, which we shall create later.  
Let us create also a ROLE, `doctor`, to which we shall GRANT privileges later (Section 4) in this Notebook.

To simplify the structure a little, we create a ROLE `doctor` which, eventually, will be applied to all doctor users.

Note that you will not be able to drop this role if it has been granted to any users.

In [None]:
%%sql
DROP ROLE IF EXISTS doctor;
CREATE ROLE doctor;

Check which users exist by looking at the `pg_user` catalog table.

In [None]:
%%sql

SELECT * from pg_user;

## 2 Creating tables and importing data

We can use exactly the same mechanism to import data as in Notebook 09.3.

We can illustrate the need to GRANT privileges if the patient data is created by user `patient_admin` and the `doctors` table by `doctor_admin`.

Connect first as `doctor_admin`.

In [None]:
# complete the connection command

%sql postgresql://doctor_admin:doctors@localhost:5432/tm351test

The filename and data are the same as for Notebook 09.3, so the same set of commands are needed to load the data.

First define the table - avoiding an error if it already exists by dropping it first.

In [None]:
%%sql
DROP TABLE IF EXISTS doctors;

CREATE TABLE doctors (
 doctor_id CHAR(3) NOT NULL
  CHECK (doctor_id SIMILAR TO 'd[0-9][0-9]'),
 doctor_name VARCHAR(20) NOT NULL,
 date_of_birth DATE NOT NULL,
 PRIMARY KEY (doctor_id)
 );

Then import the data.

In [None]:
import psycopg2 as pg
conn = pg.connect(dbname='tm351test', host='localhost', user='doctor_admin', password='doctors', port=5432)

c = conn.cursor()
io = open('data/doctor.csv', 'r')
c.copy_from(io, 'doctors', sep=',', null='')
io.close()
c.execute("COMMIT")

And look at the data.

In [None]:
%%sql

SELECT * FROM doctors;

Now change user to `patient_admin`.

In [None]:
# write your own connection instruction.
%sql postgresql:...

Create the `patients` table ...

In [None]:
%%sql
DROP TABLE IF EXISTS patients;

CREATE TABLE patients (
  patient_id CHAR(4) NOT NULL
    CHECK (patient_id SIMILAR TO 'p[0-9][0-9][0-9]'),
  patient_name VARCHAR(20) NOT NULL,
  date_of_birth DATE NOT NULL,
  gender CHAR(1) NOT NULL
    CHECK (gender = 'F' OR gender = 'M'),
  height DECIMAL(4,1)
    CHECK (height > 0),
  weight DECIMAL(4,1)
    CHECK (weight > 0),
    doctor_id CHAR(3),
 PRIMARY KEY (patient_id),
 FOREIGN KEY (doctor_id) REFERENCES doctors(doctor_id)
 
 );

Why did this operation fail?

The error message is clear: the current user (`patient_admin`) does not have permission for `doctors`, but the table definition includes a Foreign Key (REFERENCES) constraint to `doctors`.

So, `patient_admin` needs the REFERENCES privilege on `doctors`.

And only the owner of the table (`doctor_admin`) (or a superuser) can GRANT privileges on `doctors`.  

So, you need to:
- reconnect as `doctor_admin`
- GRANT the REFERENCES privilege to `patient_admin`
- reconnect as `patient_admin`
- try again to create the `patients` table.

*__Note:__ It is very important to be connected as the correct user for each of the following operations.  This is likely to mean swapping user several times, by running a cell to reconnect to Postgres.  Although you could, in principle, just create one 'connection' cell for each user, and run them, as required, out of sequence, to connect as whichever user you need for the next operation, you are __strongly advised not to do so__. Using such a shortcut makes it much more likely that you will forget which user is currently connected, and inadvertently do something as the 'wrong' user.  This can make rolling things back extremely challenging, as you may find that you have created dependencies that can only be undone by the supersuer 'root'.*  

*If all else fails, drop everything by running the `Part 23 reset` Notebook, and then re-run this Notebook, taking care to ensure that you are connected as the right user for each operation!*

In [None]:
# connect as doctor_admin
%sql ...

In [None]:
%%sql
-- GRANT the REFERENCES privilege to patient_admin
...

Reconnect as `patient_admin`, then define the `patients` table.

In [None]:
# write your own connection instruction.
%sql ...

In [None]:
%%sql
DROP TABLE IF EXISTS patients;

CREATE TABLE patients (
  patient_id CHAR(4) NOT NULL
    CHECK (patient_id SIMILAR TO 'p[0-9][0-9][0-9]'),
  patient_name VARCHAR(20) NOT NULL,
  date_of_birth DATE NOT NULL,
  gender CHAR(1) NOT NULL
    CHECK (gender = 'F' OR gender = 'M'),
  height DECIMAL(4,1)
    CHECK (height > 0),
  weight DECIMAL(4,1)
    CHECK (weight > 0),
    doctor_id CHAR(3),
 PRIMARY KEY (patient_id),
 FOREIGN KEY (doctor_id) REFERENCES doctors(doctor_id)
 
 );

Now import the data ...

In [None]:
conn = pg.connect(dbname='tm351test', host='localhost', user='patient_admin', password='patients', port=5432)
c = conn.cursor()
io = open('data/patient+doctor_id.csv', 'r')
c.copy_from(io, 'patients', sep=',', null='')
io.close()
c.execute("COMMIT")

... and check the imported data.

In [None]:
%%sql
SELECT * FROM patients;

## 3 Create a view to combine the two tables

Given that `patients` references the `doctors` table, it is possible to create a simple view to combine the patient name with his or her doctor's name.

Strictly, it is possible to create the view already, but it will only be possible for `patient_admin` to SELECT from the view if the owner of the view (`patient_admin`) has the SELECT privilege on `doctors`.

To GRANT the SELECT privilege, you will need to repeat the operation you used when granting the REFERENCES privilege, including the changes of connected user.  

In [None]:
# Connect as doctor_admin
%sql ...

In [None]:
%%sql
--- grant SELECT to patient_admin
...

In [None]:
# reconnect as patient_admin
%sql ...

Once `patient_admin` has the appropriate privileges, you can SELECT from the VIEW that you should create in the next cell.

In [None]:
%%sql
-- complete the view definition

DROP VIEW IF EXISTS patient_doctor;

CREATE VIEW patient_doctor (patient_name, doctor_name) AS
...;

GRANT SELECT ON patient_doctor TO doctor_admin WITH GRANT OPTION;

Note that we have also granted the SELECT privilege, with the GRANT option, on the view to `doctor_admin`.

Both `patient_admin` and `doctor_admin` should now be able to retrieve all of the data in the view - even though `doctor_admin` does not have SELECT privilege on `patients`.

In [None]:
%%sql
select * from patient_doctor;

## 4 Using a ROLE

As part of the initial user hierarchy, you defined a ROLE, `doctor`.

Let us assume that each of the five doctors is to have a database user created, with username the same as their surname (all lower case), and a password that is merely their name reversed, with the first letter capitalised.  So, for example, Dr. Gibson will be user `gibson`, with password `Nosbig`.

It would be reasonable, in this case, for each of the five doctors to have the same privileges.  We can achieve this by creating each user within the `doctor` role, which you created earlier.

You wil need to use the superuser, `dbadmin`, to create users.

The schema owner, `doctor_admin`, can then GRANT the SELECT privilege on both the `doctors` table (which `doctor_admin` owns) and the `patient_doctor` view (as `doctor_admin` was granted this privilege with the GRANT option).

Create these five users, and check that each can connect to the database, and access both the `doctors` and `patient_doctor` tables.

**You will need these users for the next Notebook.**

First, connect as `dbadmin`.

Then if the users already exist, drop them.

You can then create new users, as required.

In [None]:
# connect as dbadmin
%sql ...

In [None]:
%%sql

DROP USER IF EXISTS gibson, paxton, nolan, rampton, tamblin;


If this operation fails, it may be because privileges have been granted either to the role (`doctor`) or to one of the users - perhaps during a previous execution of this Notebook.  

Privileges can be revoked only by the user who has granted them - or by `root` - so it will be necessary to reconnect as the user who granted the privileges in order to revoke them - assuming that you can remember which user it was!  

This is one place where you really can find yourself in an irresolvable knot, and it may be necessary to run the `Part 23 reset` Notebook, and then repeat this Notebook, being __very__ careful about which user you use to do what.

In [None]:
#%%sql
# -- connect as doctor_admin, or whichever user granted the offending privileges, if you need to run this instruction.
# -- REVOKE ALL PRIVILEGES ON doctors, patient_doctor FROM doctor;

In [None]:
%%sql

CREATE USER gibson WITH PASSWORD 'Nosbig' IN ROLE doctor;
CREATE USER ...


Then reconnect as `doctor_admin`, to grant the privileges.  

In [None]:
# Connect as doctor_admin
%sql ...

In [None]:
%%sql

GRANT SELECT ON doctors TO doctor;
GRANT SELECT ON patient_doctor TO doctor;

Finally, connect as one of the new users, and check that they can retrieve the data from the `doctors` table and the `patient_doctor` view.

In [None]:
%sql postgresql://gibson:Nosbig@localhost:5432/tm351test

In [None]:
%%sql

SELECT * FROM doctors;

In [None]:
%%sql

SELECT * FROM patient_doctor;

You will need all of the users, roles, tables, views and privileges created in this Notebook for the next two Notebooks in Part 23.

## What next?

If you are working through this Notebook as part of an inline exercise, return to the module materials now.

If you are working through this set of Notebooks as a whole, move on to `23.2 Using views for security`.