Alex Lourie has uploaded a new change for review. Change subject: packaging: setup: updated read-only user permissions ......................................................................
packaging: setup: updated read-only user permissions
This new implementation updates creating a read only user with correct permissions.
Change-Id: I6044b4561606427ac32686fcd46e02032ce4347b
Bug-Url: https://bugzilla.redhat.com/990095
Signed-off-by: Alex Lourie <alou...@redhat.com>
---
M packaging/common_utils.py
1 file changed, 106 insertions(+), 10 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-dwh refs/changes/81/17581/1
diff --git a/packaging/common_utils.py b/packaging/common_utils.py
index 1d2b8cb..fe7ccf4 100755
--- a/packaging/common_utils.py
+++ b/packaging/common_utils.py
@@ -42,6 +42,7 @@
 PGPASS_FILE_ADMIN_LINE = "DB ADMIN credentials"
 FILE_ENGINE_CONFIG_BIN="/usr/bin/engine-config"
 FILE_DATABASE_CONFIG = "/etc/ovirt-engine/engine.conf.d/10-setup-database.conf"
+READ_ONLY_UPDATE_SQLFILE = '/tmp/updateReadOnly.sql'
 # ERRORS
 # TODO: Move all errors here and make them consistent
@@ -630,6 +631,11 @@
 createUser(
 user=user,
 password=password,
+ database=db_dict['name'],
+ )
+ updateReadOnly(
+ user=user,
+ database=db_dict['name'],
 )
 return (True, '')
@@ -938,7 +944,7 @@
 )
-def createUser(user, password, option=''):
+def createUser(user, password, option='', database=''):
 sql_query_set = [
 (
 '"DROP ROLE if exists {user};"'
@@ -948,15 +954,6 @@
 '{option} login encrypted password \'{password}\';"'
 ),
 ]
- if option is '':
- sql_query_set.append(
- (
- '"alter user {user} set default_transaction_read_only to true;"'
- ).format(
- user=user
- )
- )
-
 for sql_query in sql_query_set:
 sql_command = [
 EXEC_PSQL,
@@ -966,6 +963,53 @@
 user=user,
 option=option,
 password=password,
+ database=database,
+ ),
+ ]
+ if database is not '':
+ sql_command.extend(
+ [
+ '-d', database,
+ ]
+ )
+ cmd = [
+ EXEC_SU,
+ '-l',
+ 'postgres',
+ '-c',
+ '{command}'.format(
+ command=' '.join(sql_command),
+ )
+ ]
+
+ execCmd(
+ cmdList=cmd,
+ failOnError=True
+ )
+
+
+ def updateReadOnly(user, database):
+ sql_query_set = [
+ (
+ '"GRANT CONNECT ON DATABASE ${database} TO ${user};"'
+ ),
+ (
+ '"GRANT USAGE ON SCHEMA public TO ${user};"'
+ ),
+ (
+ '"alter user {user} '
+ 'set default_transaction_read_only to true;"'
+ ),
+ ]
+ for sql_query in sql_query_set:
+ sql_command = [
+ EXEC_PSQL,
+ '-U', 'postgres',
+ '-c',
+ '-d', database,
+ sql_query.format(
+ user=user,
+ database=database,
 ),
 ]
 cmd = [
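Review bot: In the new `updateReadOnly` loop (the function continues into the next hunk) the psql options are ordered `'-c', '-d', database, sql_query.format(...)`, so psql takes the literal `-d` as the command to execute and the database name and the GRANT text become positional arguments; the same ordering recurs in the next hunk's `namespace_query` command, and the fix is to put `'-d', database,` before `'-c',` followed by `sql_query.format(...)`. The first two query strings use `${database}` and `${user}`, but `str.format` only consumes the braces and leaves the `$` in place, so the SQL actually sent reads `GRANT CONNECT ON DATABASE $<name> TO $<user>` instead of the intended identifiers — drop the `$` here and in the next hunk's `TO ${user};`. In `createUser` (whose body starts before this hunk) `if database is not '':` tests identity against a string literal, which is not a reliable equality check; `if database:` is what is meant. Because every element, including `user` and `database`, is joined into one string that `su -l postgres -c` hands to a shell, a name containing whitespace or shell metacharacters is re-split by that shell; quoting each element before the join (`pipes.quote` on Python 2, `shlex.quote` on Python 3) keeps the command intact.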
@@ -983,6 +1027,58 @@
 failOnError=True
 )
+ namespace_query = (
+ '"SELECT \'GRANT SELECT ON \' || relname || \' '
+ 'TO ${user};\' FROM pg_class JOIN pg_namespace '
+ 'ON pg_namespace.oid = pg_class.relnamespace '
+ 'WHERE nspname = \'public\' AND relkind IN (\'r\', \'v\');"'
+ )
+ sql_command = [
+ EXEC_PSQL,
+ '-U', 'postgres',
+ '-c',
+ '-d', database,
+ namespace_query.format(
+ user=user,
+ ),
+ ]
+ cmd = [
+ EXEC_SU,
+ '-l',
+ 'postgres',
+ '-c',
+ '{command}'.format(
+ command=' '.join(sql_command),
+ )
+ ]
+
+ commands, rc = execCmd(
+ cmdList=cmd,
+ failOnError=True
+ )
+
+ with open(READ_ONLY_UPDATE_SQLFILE, 'w') as ro:
+ ro.write(commands)
+
+ if os.path.exists(READ_ONLY_UPDATE_SQLFILE):
+ command = [
+ EXEC_PSQL,
+ '-U', 'postgres',
+ '-d', database,
+ '-f', READ_ONLY_UPDATE_SQLFILE,
+ ]
+ cmd = [
+ EXEC_SU,
+ '-l',
+ 'postgres',
+ '-c',
+ command,
+ ]
+ execCmd(
+ cmdList=cmd,
+ failOnError=True,
+ )
+
 def testLocalDb():
 sql_query_set = [
--
To view, visit http://gerrit.ovirt.org/17581
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I6044b4561606427ac32686fcd46e02032ce4347b
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-dwh
Gerrit-Branch: master
Gerrit-Owner: Alex Lourie <alou...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
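Review bot: The generated GRANT statements are staged at `READ_ONLY_UPDATE_SQLFILE`, the fixed `/tmp/updateReadOnly.sql` added in the first hunk: a predictable name in a world-writable directory that a privileged setup process opens with `'w'` and then executes as the `postgres` superuser through `psql -f`, which is the insecure-temporary-file pattern (CWE-377, symlink and time-of-check races), and the file is never removed afterwards. The content is also not usable by `psql -f` as written, because psql's default output carries a `?column?` header, a dash rule and a `(N rows)` footer unless the SELECT is run with `-t -A`; the final `cmd` passes the `command` list itself as the `su -c` argument where every other call passes `' '.join(...)`, and the `os.path.exists` check directly after the `with open(...)` block can never be false. The `'-c', '-d', database` ordering and the `${user}` placeholder raised on the previous hunk recur here in `namespace_query` and its command. The rewrite below drops the staging file entirely: the SELECT runs tuples-only and each returned line is executed through the same `-c` pattern the function already uses; it assumes, as `ro.write(commands)` does, that `execCmd` returns the captured stdout as text, and `updateReadOnly` begins in the previous hunk.

```python
    # … unchanged: preceding GRANT/alter loop of updateReadOnly …
    namespace_query = (
        '"SELECT \'GRANT SELECT ON \' || relname || \' '
        'TO {user};\' FROM pg_class JOIN pg_namespace '
        'ON pg_namespace.oid = pg_class.relnamespace '
        'WHERE nspname = \'public\' AND relkind IN (\'r\', \'v\');"'
    )
    sql_command = [
        EXEC_PSQL,
        '-U', 'postgres',
        '-d', database,
        # tuples-only, unaligned: one bare GRANT statement per output line
        '-t', '-A',
        '-c',
        namespace_query.format(
            user=user,
        ),
    ]
    # … unchanged: cmd = [EXEC_SU, '-l', 'postgres', '-c', ' '.join(sql_command)] …
    commands, rc = execCmd(
        cmdList=cmd,
        failOnError=True
    )

    # Execute each generated GRANT directly instead of staging it in a
    # predictable file under /tmp; assumes execCmd returns stdout as text.
    for grant_query in commands.splitlines():
        grant_query = grant_query.strip()
        if not grant_query:
            continue
        sql_command = [
            EXEC_PSQL,
            '-U', 'postgres',
            '-d', database,
            '-c',
            '"{query}"'.format(query=grant_query),
        ]
        cmd = [
            EXEC_SU,
            '-l',
            'postgres',
            '-c',
            '{command}'.format(
                command=' '.join(sql_command),
            )
        ]
        execCmd(
            cmdList=cmd,
            failOnError=True,
        )
```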