Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Map the normal user permissions vs the root on Postgresql #1038

Open
mmrraju opened this issue Feb 28, 2024 · 7 comments
Open

Map the normal user permissions vs the root on Postgresql #1038

mmrraju opened this issue Feb 28, 2024 · 7 comments
Assignees
@devrimyatar

Comments

@mmrraju
Copy link

mmrraju commented Feb 28, 2024

Target ticket-11691

It needs to have superuser rights on its database. It's important to separate the user used for installation and upgrade from the user used for day-to-day operations
@mmrraju
Copy link
Author

mmrraju commented Feb 28, 2024

cc @devrimyatar , @moabu

@devrimyatar
Copy link
Collaborator

@yurem Which of these previleges are required for Gluu to operate without issue?
https://www.postgresql.org/docs/current/ddl-priv.html

@yurem
Copy link
Contributor

yurem commented Mar 11, 2024

We need to change owner of all object in jansdb to new user jans_admin.
Setup before creating tables should add jans_admin user and use it as owner of all tables. After this we can change privileges of jans user:

ALTER DEFAULT PRIVILEGES 
    FOR USER jans
    IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO jans;

-- Need only if there are tables already
REVOKE ALL
ON ALL TABLES IN SCHEMA public 
FROM jans;

-- Need only if there are tables already
GRANT SELECT, INSERT, UPDATE, DELETE
ON ALL TABLES IN SCHEMA public 
TO jans;

Expected result after installation:
image
image

Also we need to modify jans user DB privileges:

REVOKE ALL ON DATABASE jansdb FROM jans;

GRANT CONNECT ON DATABASE jansdb TO jans;

@pstef
Copy link

pstef commented Mar 12, 2024
edited
Loading

To change the owner you can simply use REASSIGN OWNED BY.

What I really wanted to highlight here is that in my case the database and the roles will have been created by the cluster admin, so the installer shouldn't try to create those, or perhaps it only should as an option. For example I would run these:

SET ROLE postgres;
CREATE DATABASE jansdb;
CREATE USER jans;
CREATE USER jans_admin;
GRANT CREATE ON DATABASE jansdb TO jans_admin;
\password jans_admin
\password jans
\c jansdb
SET ROLE postgres;
REVOKE ALL ON SCHEMA public FROM public;
ALTER SCHEMA public OWNER TO jans_admin;

Then the installer can connect to the jansdb database using the jans_admin role and run
ALTER DEFAULT PRIVILEGES FOR USER jans IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO jans;
and then run all the object creation DDLs.

@yurem
Copy link
Contributor

yurem commented Mar 12, 2024
edited
Loading

@iromli

@pstef
Copy link

pstef commented Mar 13, 2024

I believe the ALTER DEFAULT PRIVILEGES should actually be

ALTER DEFAULT PRIVILEGES FOR USER jans_admin GRANT ALL PRIVILEGES ON TABLES TO jans;
ALTER DEFAULT PRIVILEGES FOR USER jans_admin GRANT ALL PRIVILEGES ON SEQUENCES TO jans;
ALTER DEFAULT PRIVILEGES FOR USER jans_admin GRANT EXECUTE ON ROUTINES TO jans;
ALTER DEFAULT PRIVILEGES FOR USER jans_admin GRANT USAGE ON TYPES TO jans;
ALTER DEFAULT PRIVILEGES FOR USER jans_admin GRANT USAGE ON SCHEMAS TO jans;

@mmrraju
Copy link
Author

mmrraju commented Apr 12, 2024

@yurem , @devrimyatar any update ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@devrimyatar devrimyatar

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pstef @yurem @devrimyatar @mmrraju