From 354dd238f33faaf8745681b7b2bf10054ccfd5f2 Mon Sep 17 00:00:00 2001 From: "Karl O. Pinc" Date: Tue, 12 Sep 2023 12:16:38 -0500 Subject: [PATCH] Adjust permission system for Azure's lack of the SUPERUSER role property --- db/README | 17 ++-- db/include/macros.m4 | 6 +- doc/src/architecture/users.m4 | 60 ++++++++++++-- include/global_constants.m4 | 3 + make_files/defaults.mk | 16 +++- make_files/make_db.mk | 142 ++++++++++++++++++++-------------- 6 files changed, 166 insertions(+), 78 deletions(-) diff --git a/db/README b/db/README index 90e2e27..ea4946e 100644 --- a/db/README +++ b/db/README @@ -1,10 +1,15 @@ It is expected that a single PG role own all the database objects. -This is the ADMINUSER variable of the makefiles. The problem with -having various developer's personal SUPERUSER roles owning various -objects is that when the developer goes away, so should their personal -roles. And deleting roles that own things is a problem. That said, -the system will work just fine no matter who owns the objects in the -dbs. +This is the ADMIN_GROUP variable of the makefiles. The build system +should take care of this requirement so long as the ADMINUSER +used to connect to the database is a member of the ADMIN_GROUP. + +The problem with having various developer's personal SUPERUSER roles +owning various objects is that when the developer goes away, so should +their personal roles. And deleting roles that own things is a +problem. Further, the system relies on ADMIN_GROUP ownership of +database objects to give user logins with "superuser" status (whether +the actual PG SUPERUSER role property or the SokweDB elevated +permission level) unlimited permissions to modify all data. About the build system: diff --git a/db/include/macros.m4 b/db/include/macros.m4 index 2c7e6fa..74e47e1 100644 --- a/db/include/macros.m4 +++ b/db/include/macros.m4 @@ -113,7 +113,7 @@ define({restrict_special_column},{dnl IF (NEW.$2 <> OLD.$2 OR NEW.$2 IS NULL AND OLD.$2 IS NOT NULL OR NEW.$2 IS NOT NULL AND OLD.$2 IS NULL) - AND NOT(has_table_privilege('$1', 'trigger')) THEN + AND NOT(pg_has_role('sdb_admin_group', 'USAGE')) THEN RAISE EXCEPTION insufficient_privilege USING MESSAGE= 'Error updating $1.$2' , DETAIL = 'This column has special meaning to SokweDB' @@ -136,7 +136,7 @@ changequote({,}) define({restrict_special_row},{dnl IF (NEW.$2 = '$3' OR OLD.$2 = '$3') AND (NEW <> OLD) - AND NOT(has_table_privilege('$1', 'trigger')) THEN + AND NOT(pg_has_role('sdb_admin_group', 'USAGE')) THEN RAISE EXCEPTION insufficient_privilege USING MESSAGE= 'Error updating $1; insufficent privilege' , DETAIL = '($1.$2) = ($3): sdb_cannot_change_msg' @@ -156,7 +156,7 @@ dnl changequote({,}) define({restrict_delete},{dnl IF OLD.$2 = '$3' - AND NOT(has_table_privilege('$1', 'trigger')) THEN + AND NOT(pg_has_role('sdb_admin_group', 'USAGE')) THEN RAISE EXCEPTION insufficient_privilege USING MESSAGE= 'Error deleting from $1; insufficent privilege' , DETAIL = '($1.$2) = ($3): sdb_cannot_delete_msg' diff --git a/doc/src/architecture/users.m4 b/doc/src/architecture/users.m4 index 90243d1..a0fd2a0 100644 --- a/doc/src/architecture/users.m4 +++ b/doc/src/architecture/users.m4 @@ -48,18 +48,64 @@ with SQL, e.g.:: Or grants can be made through some other mechanism. -Superusers -`````````` +.. _the_administrator_permission_level: + +The Administrator Permission Level +`````````````````````````````````` + +The ``sdb_admin_group`` permission level has maximal permissions. +It is used to create :ref:`superusers `. + +Permissions are implemented as `PostgreSQL roles`_. +It is the ``sdb_admin_group`` role that owns all the SokweDB database +objects, the tables, views, etc. -`Superusers`_ have permission to do anything with a database, create -and destroy tables, create and destroy user logins, etc. Only a few -people are expected to have superuser privileges. +.. _superusers: + +Superusers (aka Administrators) +``````````````````````````````` + +`Superusers `__ have permission to do anything +with a database, create and destroy tables, create and destroy user +logins, etc.\ [#f1]_ +Only a few people are expected to have superuser privileges. + +.. The alternative to giving people 2 logins, regular and superuser + is to use NOINHERIT when granting and then SET ROLE for the user + to use the elevated permissions. But this is too complicated. Those people with superuser privileges will typically have 2 logins, one ordinary login and a second login with superuser privileges. The superuser login should be used only when necessary, as when a new person is given access to SokweDB and a new database login must be -created. Ordinary interactions with the database, data entry, data +created. +Ordinary interactions with the database, data entry, data retrieval, etc., should be done with a non-superuser login. -.. _Superusers: https://www.postgresql.org/docs/current/role-attributes.html +Membership in the ``sdb_admin_group`` role is what grants superuser +privileges. + +.. _developers: + +Developers +`````````` + +Developers, the users who maintain the database structure, etc., must +be :ref:`superusers `. + +.. _role_attributes: + https://www.postgresql.org/docs/current/role-attributes.html + +.. _PostgreSQL roles: + https://www.postgresql.org/docs/current/user-manag.html + +.. rubric:: Footnotes + +.. [#f1] The Azure cloud platform does not allow logins (aka roles) to have + the ``SUPERUSER`` :ref:`role attribute `. + Instead, the ``CREATEDB`` and ``CREATEROLE`` attributes are most + that can be given. + The SokweDB ``sdb_admin_group`` group (aka role) has ``CREATEDB`` + and ``CREATEROLE`` privileges. + This is enough that there is no need for the actual ``SUPERUSER`` + attribute. diff --git a/include/global_constants.m4 b/include/global_constants.m4 index 9b288de..964bff0 100644 --- a/include/global_constants.m4 +++ b/include/global_constants.m4 @@ -34,6 +34,9 @@ dnl dnl Database permissions dnl +dnl CAUTION: The Makefiles will need to be editing correspondingly if you +dnl change the sdb_admin_group. +define(`sdb_admin_group', `admin') define(`sdb_reader', `reader') define(`sdb_writer', `writer') diff --git a/make_files/defaults.mk b/make_files/defaults.mk index 563d731..291e1cf 100644 --- a/make_files/defaults.mk +++ b/make_files/defaults.mk @@ -31,7 +31,7 @@ ## ADMINUSER ## The PostgreSQL role used to connect to the database. This must ## have the permissions necessary to modify the db structure, etc. -## The default is: sokwedb_admin@sokwe-dbs +## The default is the effectve Unix login, $USER. ## ## HOST ## The host hosting the database. The default is: @@ -42,7 +42,14 @@ ifeq ($(strip $(TARGET_DB)),) endif export HOST := sokwe-dbs.postgres.database.azure.com -export ADMINUSER := sokwedb_admin@sokwe-dbs +export ADMINUSER := $USER + +# The group (aka role) that makes a user an admin or a developer. +# CAUTION: Changing this value requires a corresponding change to +# include/global_constants.m4. +# This is not part of make's "help" output since we want to +# discourage any change. +export ADMIN_GROUP := admin # For invoking psql everywhere. export PSQL_ARGS_MINIMAL := -U $(ADMINUSER) -d $(TARGET_DB) -h $(HOST) @@ -50,5 +57,6 @@ export PSQL_ARGS := --tuples-only -q $(PSQL_ARGS_MINIMAL) export PSQL_SINGLE_TRANS := --single-transaction --file - # Variable to setup connections before use. -export PSQL_SETUP := echo SET client_min_messages TO WARNING\; ; \ - echo "SET plpgsql.extra_warnings TO 'all'\;" ; +export PSQL_SETUP := printf 'SET client_min_messages TO WARNING;\n' ; \ + printf "SET plpgsql.extra_warnings TO 'all'\;\n" ; \ + printf 'SET ROLE $(ADMIN_GROUP);\n' ; diff --git a/make_files/make_db.mk b/make_files/make_db.mk index ecec9d1..0bb8ca6 100644 --- a/make_files/make_db.mk +++ b/make_files/make_db.mk @@ -447,111 +447,121 @@ $(DB_TARGETS): %.sql: %.m4 $(DB_DEPENDS) ## ## Variables (in addition to the DATABASE TARGET variables above): ## -## DB_OWNER -## The role which is to own the new database. This role is expected -## to be the ADMINUSER role, the role used to make database objects. -## TARGET_USER -## The user to be created or otherwise modified. +## TARGET_ROLE +## The role (user or group) to be created or otherwise modified. ## NEW_PASSWORD ## The password to assign. -## NEW_DB -## The database to be created. ## NEW_DESCRIPTION ## The description of the new object (database). ## ## Usage: -## The expectation is that first an administrative user will be created, then -## a database created -- owned by the newly created role. -## Hint: Use TARGET_DB=postgres when doing this, since your new database +## +## 1) If you already have a Postgres role that can login, create roles, and +## create databases then that role should be used as the administrative +## user. Otherwise, first create an administrative user with +## "create-adminuser". +## +## 2) Use the administrative user to create the the "admin" group/role +## ("create-admingroup") and then the database ("init-database"). +## Hint: Use TARGET_DB=postgres for all of this, since your new database ## won't yet exist. ## - -DB_OWNER ?= $(ADMINUSER) +## The database will be owned by the admin group. +## +## After cluster initialization create at least one login for an individual +## using the administrative user. Give the logins elevated priviliges with +## the INHERIT, CREATEUSER, and CREATEDB attributes and by putting them +## into the admin group. It is easiest to do all of this using the SokweDB +## user administration tools. +## +## When this is done the administrative user is no longer needed and should +## be deleted. Per-person roles, the individual login(s) created above, +## have all available permissions. +## +## Additional databases may be created using individual logins. Creating +## them with "make" will properly initialize them for use with SokweDB. # Build the statements used to setup dbs. CREATE_DB := createdb --encoding='SQL_ASCII' \ --locale='C' \ --template='template0' \ - --owner='$(DB_OWNER)' \ + --owner='$(ADMIN_GROUP)' \ --username='$(ADMINUSER)' \ --host='$(HOST)' \ - $(NEW_DB) "$(NEW_DESCRIPTION)" + $(TARGET_DB) "$(NEW_DESCRIPTION)" # (Note which contain double and which single quotes, which affects how the # printf statement using them is executed.) # ($$user because make otherwise interprets the $.) -SET_SEARCH_PATH := ALTER DATABASE $(NEW_DB) \ +SET_SEARCH_PATH := ALTER DATABASE $(TARGET_DB) \ SET search_path = sokwedb, lookup, upload, "$$user"; -SET_DATESTYLE := ALTER DATABASE $(NEW_DB) \ +SET_DATESTYLE := ALTER DATABASE $(TARGET_DB) \ SET DATESTYLE = 'ISO,MDY'; -CREATE_ADMINUSER := CREATE ROLE $(TARGET_USER) LOGIN SUPERUSER CREATEROLE \ +CREATE_SUPERUSER := CREATE ROLE $(TARGET_ROLE) LOGIN SUPERUSER \ PASSWORD '$(NEW_PASSWORD)'; -SET_PASSWORD := ALTER ROLE $(TARGET_USER) PASSWORD '$(NEW_PASSWORD)' +CREATE_ADMINUSER := CREATE ROLE $(TARGET_ROLE) LOGIN CREATEDB CREATEROLE \ + PASSWORD '$(NEW_PASSWORD)'; +CREATE_ADMINGROUP := CREATE ROLE $(ADMIN_GROUP) NOLOGIN CREATEDB CREATEROLE; +SET_PASSWORD := ALTER ROLE $(TARGET_ROLE) PASSWORD '$(NEW_PASSWORD)' ## The available targets for make (make TARGET) are: ## - -## create-adminuser Create the role expected to own all objects -## in the database. (See the db/README.) -## Note that this role does not have permission -## to create databases. It does have permission to -## create new users (roles). The TARGET_USER is created, -## using the ADMINUSER to do so. +## create-adminuser This target only works when the PostgreSQL cluster +## with which you are interacting is on the local host. +## If your cluster was created on a remote host you are +## expected to have access credentials to an role with +## the necessary permissions, per "Usage" above. +## Create the role, TARGET_ROLE, used to create the +## first database and otherwise initialize the cluster. +## It is not necessary to have an existing PostgreSQL +## user to use to login. This is expected to be +## executed as the Unix "root" user. .PHONY: create-adminuser create-adminuser: [ -n "$(NEW_PASSWORD)" ] \ || { printf 'The NEW_PASSWORD variable must be set\n' >&2 ; \ exit 1 ; } - ( $(PSQL_SETUP) \ - printf "$(CREATE_ADMINUSER)\n" ; \ - ) \ - | psql $(PSQL_ARGS) $(PSQL_SINGLE_TRANS) --set=ON_ERROR_STOP=y - -## create-adminuser-root -## This target only works when the PostgreSQL cluster -## with which you are interacting is on the local host. -## Create the role, TARGET_USER, expected to own all -## objects in the database -- without having an -## existing PostgreSQL user to use to login. This is -## expected to be executed as the Unix "root" user. -## See also the description of create-adminuser above. -.PHONY: create-adminuser-root -create-adminuser-root: - [ -n "$(NEW_PASSWORD)" ] \ - || { printf 'The NEW_PASSWORD variable must be set\n' >&2 ; \ + [ -n "$(TARGET_ROLE)" ] \ + || { printf 'The TARGET_ROLE variable must be set\n' >&2 ; \ exit 1 ; } ( $(PSQL_SETUP) \ printf "$(CREATE_ADMINUSER)\n" ; \ ) \ | su postgres -c 'psql -h $(HOST) -d postgres -U postgres' -## init-database Create and initialize the database named -## by the NEW_DB variable. This target may be used -## by a regular, non-root, Unix user. To create the db -## the ADMINUSER variable is used, which must have a -## value different from the usual because it be a role -## with permissions to create databases. It is -## strongly recommended that the DB_OWNER variable be -## set to the administrative user that will be used to -## create database objects. (See the db/README.) -## Note: Does not run in a transaction. Can do some -## things and then fail, leaving the cluster in an -## unusual state. +## create-admingroup Create the role expected to own all objects +## in the database. (See the db/README.) Note that +## this role has permission to create databases and +## create new users (roles). The ADMINUSER is used +## to create the new role. +.PHONY: create-admingroup +create-admingroup: + ( printf "$(CREATE_ADMINGROUP)\n" ; \ + ) \ + | psql $(PSQL_ARGS) $(PSQL_SINGLE_TRANS) --set=ON_ERROR_STOP=y + +## init-database Create and initialize the database named by the +## TARGET_DB variable. This target may be used by a +## regular, non-root, Unix user. To create the db the +## ADMINUSER variable is used. Note: Does not run in a +## transaction. Can create the database and then fail, +## leaving the cluster in an unusual state. .PHONY: init-database init-database: - [ -n "$(NEW_DB)" ] \ - || { printf 'The NEW_DB variable must be set\n' >&2 ; \ + [ -n "$(TARGET_DB)" ] \ + || { printf 'The TARGET_DB variable must be set\n' >&2 ; \ exit 1 ; } $(CREATE_DB) ( $(PSQL_SETUP) \ printf '$(SET_SEARCH_PATH)\n' ; \ printf "$(SET_DATESTYLE)\n" ; \ ) \ - | psql $(PSQL_ARGS) --set=ON_ERROR_STOP=y + | psql $(PSQL_ARGS) $(PSQL_SINGLE_TRANS) --set=ON_ERROR_STOP=y + ## ## Lesser used targets: ## -## set-password Set the password of TARGET_USER to NEW_PASSWORD +## set-password Set the password of TARGET_ROLE to NEW_PASSWORD .PHONY: set-password set-password: [ -n "$(NEW_PASSWORD)" ] \ @@ -562,6 +572,22 @@ set-password: ) \ | psql $(PSQL_ARGS) $(PSQL_SINGLE_TRANS) --set=ON_ERROR_STOP=y +## create-superuser Create a Postgres role with SUPERUSER permissions. +## This role can be used in place of the adminuser. +## This target otherwise works like create-adminuser, +## above. +.PHONY: create-superuser +create-superuser: + [ -n "$(NEW_PASSWORD)" ] \ + || { printf 'The NEW_PASSWORD variable must be set\n' >&2 ; \ + exit 1 ; } + [ -n "$(TARGET_ROLE)" ] \ + || { printf 'The TARGET_ROLE variable must be set\n' >&2 ; \ + exit 1 ; } + ( $(PSQL_SETUP) \ + printf "$(CREATE_SUPERUSER)\n" ; \ + ) \ + | su postgres -c 'psql -h $(HOST) -d postgres -U postgres' ## set-search_path Set the default search_path the database named ## by the TARGET_DB variable. -- 2.34.1