Create read and write access level roles and give grants #69
Conversation
The prom_reader and prom_writer roles are created and granted specific access to all the different schemas, tables and functions. prom_writer inherits from prom_reader. prom_reader has read-only access.
cevian
left a comment
There was a problem hiding this comment.
Some comments, mostly look good.
- We need to add the idempotent role creation
- Let's remove the grants for admin functions but leave a comment there for later so easy to find
- We need to do idempotent role creation in extension sql as well for prom_reader and add grants to that role for the functions there (https://github.com/timescale/timescale-prometheus/blob/master/extension/sql/timescale-prometheus.sql)
| GRANT USAGE ON SCHEMA SCHEMA_CATALOG TO prom_reader; | ||
| GRANT SELECT ON ALL TABLES IN SCHEMA SCHEMA_CATALOG TO prom_reader; | ||
| ALTER DEFAULT PRIVILEGES IN SCHEMA SCHEMA_CATALOG GRANT SELECT ON TABLES TO prom_reader; | ||
| GRANT CREATE ON SCHEMA SCHEMA_CATALOG TO prom_writer; |
There was a problem hiding this comment.
this should be an admin thing. A writer is only for writing prom data it does not need to add catalog tables.
| GRANT SELECT ON ALL TABLES IN SCHEMA SCHEMA_CATALOG TO prom_reader; | ||
| ALTER DEFAULT PRIVILEGES IN SCHEMA SCHEMA_CATALOG GRANT SELECT ON TABLES TO prom_reader; | ||
| GRANT CREATE ON SCHEMA SCHEMA_CATALOG TO prom_writer; | ||
| GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA SCHEMA_CATALOG TO prom_writer; |
There was a problem hiding this comment.
Privileges should be SELECT, INSERT, UPDATE, DELETE not all. Same on line below
|
|
||
| CREATE SCHEMA IF NOT EXISTS SCHEMA_PROM; -- data tables + public functions | ||
| GRANT USAGE ON SCHEMA SCHEMA_PROM TO prom_reader; | ||
| GRANT SELECT ON ALL TABLES IN SCHEMA SCHEMA_PROM TO prom_reader; |
There was a problem hiding this comment.
actually there are no tables in here any more (need too change comment) so I think this should just be USAGE on the schema for both reader and writer
|
|
||
| CREATE SCHEMA IF NOT EXISTS SCHEMA_EXT; -- optimized versions of functions created by the extension | ||
| GRANT USAGE ON SCHEMA SCHEMA_EXT TO prom_reader; | ||
| GRANT SELECT ON ALL TABLES IN SCHEMA SCHEMA_EXT TO prom_reader; |
There was a problem hiding this comment.
again no tables in here so we just need usage for both reader and writer.
| GRANT SELECT ON ALL TABLES IN SCHEMA SCHEMA_SERIES TO prom_reader; | ||
| ALTER DEFAULT PRIVILEGES IN SCHEMA SCHEMA_SERIES GRANT SELECT ON TABLES TO prom_reader; | ||
| GRANT CREATE ON SCHEMA SCHEMA_SERIES TO prom_writer; | ||
| GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA SCHEMA_SERIES TO prom_writer; |
There was a problem hiding this comment.
should probably be SELECT only since these are just views
| LANGUAGE SQL VOLATILE; | ||
| COMMENT ON FUNCTION SCHEMA_PROM.set_default_retention_period(INTERVAL) | ||
| IS 'set the retention period for any metrics (existing and new) without an explicit override'; | ||
| GRANT EXECUTE ON FUNCTION SCHEMA_PROM.set_default_retention_period(INTERVAL) TO prom_writer; |
There was a problem hiding this comment.
this should be an admin func
| SELECT true; | ||
| $func$ | ||
| LANGUAGE SQL VOLATILE; | ||
| GRANT EXECUTE ON FUNCTION SCHEMA_PROM.set_metric_retention_period(TEXT, INTERVAL) TO prom_writer; |
| LANGUAGE SQL VOLATILE; | ||
| COMMENT ON FUNCTION SCHEMA_PROM.reset_metric_retention_period(TEXT) | ||
| IS 'resets the retention period for a specific metric to using the default'; | ||
| GRANT EXECUTE ON FUNCTION SCHEMA_PROM.reset_metric_retention_period(TEXT) TO prom_writer; |
| END | ||
| $func$ | ||
| LANGUAGE PLPGSQL VOLATILE; | ||
| GRANT EXECUTE ON FUNCTION SCHEMA_CATALOG.drop_metric_chunks(TEXT, TIMESTAMPTZ) TO prom_writer; |
| $$ LANGUAGE PLPGSQL; | ||
| COMMENT ON PROCEDURE SCHEMA_PROM.drop_chunks() | ||
| IS 'drops data according to the data retention policy. This procedure should be run regularly in a cron job'; | ||
| GRANT EXECUTE ON PROCEDURE SCHEMA_PROM.drop_chunks() TO prom_writer; |
davidkohn88
left a comment
There was a problem hiding this comment.
This looks good. I don't know whether we also need to modify grants in the extension bit though?
| GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA SCHEMA_INFO TO prom_writer; | ||
| ALTER DEFAULT PRIVILEGES IN SCHEMA SCHEMA_INFO GRANT ALL PRIVILEGES ON TABLES TO prom_writer; | ||
|
|
||
| GRANT prom_reader TO prom_writer; |
There was a problem hiding this comment.
Doesn't horribly matter, but I'd put the grant of prom reader to prom writer right after you create the roles, just makes everything else make more sense.
Also fixed SELECT GRANT not given to prom_reader on SCHEMA_PROM
10c9b9d to
a329015
Compare
|
Committed changes per comment suggestions. Additionally:
|
cevian
left a comment
There was a problem hiding this comment.
Looks good. I will want some of our integration test to run as users for prom_reader and prom_writer users. But I'll leave it up to you if that should be part of this or a a separate PR. Also, I think some of the commits can be squashed before merge.
The prom_reader and prom_writer roles are created
and granted specific access to all the different schemas,
tables and functions. prom_writer inherits from prom_reader.
prom_reader has read-only access.