Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a utility or Ansible playbook to create WoW users #23

Open
toolness opened this issue Feb 11, 2019 · 2 comments
Open

Add a utility or Ansible playbook to create WoW users #23

toolness opened this issue Feb 11, 2019 · 2 comments

Comments

@toolness
Copy link
Contributor

#22 adds support for loading the WoW dataset into a wow schema but the documentation added in that PR tells the reader that they're responsible for settings up a user with the proper permissions and search_path settings. It'd be nice to have a command or Ansible playbook that does this automatically, similar to #2. Here's what I just ran to create a custom user:

CREATE USER wow WITH ENCRYPTED PASSWORD '****';
GRANT CONNECT ON DATABASE nycdb TO wow;

GRANT USAGE ON SCHEMA public TO wow;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO wow;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT SELECT ON TABLES TO wow;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public to wow;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
  GRANT EXECUTE ON FUNCTIONS TO wow;

GRANT USAGE ON SCHEMA wow TO wow;
GRANT SELECT ON ALL TABLES IN SCHEMA wow TO wow;
ALTER DEFAULT PRIVILEGES IN SCHEMA wow
  GRANT SELECT ON TABLES TO wow;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA wow to wow;
ALTER DEFAULT PRIVILEGES IN SCHEMA wow
  GRANT EXECUTE ON FUNCTIONS TO wow;

ALTER ROLE wow IN DATABASE nycdb SET search_path TO wow, public;
@toolness
Copy link
Contributor Author

toolness commented Aug 22, 2020
edited
Loading

Er, I don't think this is 100% right.

For one thing, I think that the new user will actually have the ability to create tables in the public schema, because apparently all roles can create anything in the public schema by default. In order to disable this, it seems like the only option is to revoke the permission from all users by default:

REVOKE CREATE ON SCHEMA public FROM public;

(Note that I tried revoking it from just the wow user with REVOKE CREATE ON SCHEMA public FROM wow but that didn't seem to do anything, perhaps because the wow user was still implicitly part of the public role, which did grant create permission, I'm not sure.)

Also, the user won't actually be able to create anything in the wow schema, so the additional SQL should be run:

GRANT ALL ON SCHEMA wow TO wow;

@toolness
Copy link
Contributor Author

Er, another note: make sure none of the above statements error! In particular, GRANT SELECT ON ALL TABLES IN SCHEMA public TO wow was erroring because some other users created some tables that permission couldn't be granted to, which made the entire operation fail (thus the new user couldn't read from any tables).

@toolness toolness mentioned this issue Oct 17, 2020
Merged
toolness added a commit that referenced this issue Oct 17, 2020
@toolness
Add dbtool cmds 'user:grant_schema_read' and 'user:create'. (#57)
f194255 
This adds two new commands to `dbtool.py` which make it easier to create users and give them permissions.  It helps a bit with #23.

I tried adding a corresponding `user:drop` command but wow deleting postgres users is a lot harder than I thought it'd be.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@toolness