
PostgreSQL: Correctly set database owner and schema object owner

Also, grant permission to create schema objects when given "rw"
abilities.
master
Peter J. Jones 4 weeks ago
parent
commit
9547da5974
Signed by: Peter Jones <pjones@devalot.com> GPG Key ID: 9DAFAA8D01941E49

+ 2
- 0
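--- a/modules/services/databases/postgresql/create-grant.sh
+++ b/modules/services/databases/postgresql/create-grant.sh
@@ -91,6 +91,8 @@ echo_grants() {
   fi
 
   if [ "$option_access" = "w" ] || [ "$option_access" = "rw" ]; then
+    echo "GRANT CREATE ON SCHEMA public TO $option_user;"
+
     echo "GRANT $w_list ON ALL TABLES IN SCHEMA public TO $option_user;"
     echo "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT $w_list ON TABLES TO $option_user;"
 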
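Review bot: The new `GRANT CREATE ON SCHEMA public` line is emitted for both "w" and "rw" access because it sits inside the existing `[ "$option_access" = "w" ] || [ "$option_access" = "rw" ]` branch, while the commit description says the privilege is granted for "rw" only; either the description or the placement is off, and if "w" is meant to stay write-only the new echo should move into its own `[ "$option_access" = "rw" ]` guard. The role name is interpolated as a bare identifier (`$option_user`), consistent with the surrounding lines, so a role whose name needs quoting would break the whole grant script rather than just this statement; worth a comment such as `# role names are interpolated unquoted: they must be valid unquoted SQL identifiers` above the branch. echo_grants starts outside the hunk.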

+ 9
- 1
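--- a/modules/services/databases/postgresql/default.nix
+++ b/modules/services/databases/postgresql/default.nix
@@ -218,6 +218,13 @@ let
         owner = find [database.owner];
     in (concatMapStringsSep "\n" (createReadGrant database) ro) +
        (concatMapStringsSep "\n" (createGrant database) rw);
+
+  # Update database and object ownership:
+  updateOwners = database: ''
+    ${scripts}/bin/update-owner.sh \
+      -d "${database.name}" \
+      -o "${database.owner}"
+  '';
 in
 {
   #### Interface
@@ -268,7 +275,8 @@ in
       '' + (concatMapStringsSep "\n" createUser (attrValues cfg.accounts))
          + (lockAccounts (attrValues cfg.accounts))
          + (concatMapStringsSep "\n" createDB (attrValues cfg.databases))
-         + (concatMapStringsSep "\n" createGrants (attrValues cfg.databases));
+         + (concatMapStringsSep "\n" createGrants (attrValues cfg.databases))
+         + (concatMapStringsSep "\n" updateOwners (attrValues cfg.databases));
     };
   };
 }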
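Review bot: `updateOwners` passes `${database.owner}` straight to the script, whereas the grant code just above it resolves the owner through `find [database.owner]` first; if `find` performs any normalisation or validation of the account name, the two paths can disagree on which role ends up owning the objects, so please confirm the raw value is the intended one or route it through the same lookup. The one-line comment would also help readers more if it stated the activation-time effect, e.g. `# Reset database and public-schema object ownership to database.owner on every activation (objects created by rw accounts are reassigned):`. The closing of the `let` block and the activation-script attribute both extend beyond the hunks shown.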

+ 1
- 0
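--- a/modules/services/databases/postgresql/scripts.nix
+++ b/modules/services/databases/postgresql/scripts.nix
@@ -16,6 +16,7 @@ pkgs.stdenvNoCC.mkDerivation {
     substituteAll ${./create-db.sh}    $out/bin/create-db.sh
     substituteAll ${./create-grant.sh} $out/bin/create-grant.sh
     substituteAll ${./nologin.sh}      $out/bin/nologin.sh
+    substituteAll ${./update-owner.sh} $out/bin/update-owner.sh
 
     chmod 555 $out/bin/*.sh
   '';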

+ 110
- 0
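--- a/modules/services/databases/postgresql/update-owner.sh
+++ b/modules/services/databases/postgresql/update-owner.sh
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+################################################################################
+# Update object ownership.
+set -e
+
+################################################################################
+option_owner=""
+option_database=""
+option_schema="public"
+
+################################################################################
+usage () {
+cat <<EOF
+Usage: update-owner.sh [options]
+
+  -d NAME Database name to alter
+  -h      This message
+  -o NAME Object owner
+
+EOF
+}
+
+################################################################################
+while getopts "d:ho:" o; do
+  case "${o}" in
+    d) option_database=$OPTARG
+       ;;
+
+    h) usage
+       exit
+       ;;
+
+    o) option_owner=$OPTARG
+       ;;
+
+    *) exit 1
+       ;;
+  esac
+done
+
+shift $((OPTIND-1))
+
+################################################################################
+_psql() {
+  @sudo@ -u @superuser@ -H psql "$@"
+}
+
+################################################################################
+set_database_owner_sql() {
+  echo "ALTER DATABASE $option_database OWNER TO $option_owner;"
+}
+
+################################################################################
+# Send STDIN to psql and output just the row data.
+list_selected_rows() {
+  _psql --tuples-only --no-align --dbname="$option_database"
+}
+
+################################################################################
+list_tables() {
+  local schema=$1
+
+  echo "SELECT tablename FROM pg_tables WHERE schemaname = '${schema}';" | \
+    list_selected_rows
+}
+
+################################################################################
+list_sequences() {
+  local schema=$1
+
+  echo "SELECT sequence_name FROM information_schema.sequences WHERE sequence_schema = '${schema}';" | \
+    list_selected_rows
+}
+
+################################################################################
+list_views() {
+  local schema=$1
+
+  echo "SELECT table_name FROM information_schema.views WHERE table_schema = '${schema}';" | \
+    list_selected_rows
+}
+
+################################################################################
+update_object_owner() {
+  local object_type=$1
+  local object=$2
+
+  echo "ALTER $object_type \"$object\" OWNER TO $option_owner;"
+}
+
+################################################################################
+sql_file=$(mktemp)
+set_database_owner_sql > "$sql_file"
+
+for t in $(list_tables "$option_schema"); do
+  update_object_owner "TABLE" "$t" >> "$sql_file"
+done
+
+for s in $(list_sequences "$option_schema"); do
+  update_object_owner "SEQUENCE" "$s" >> "$sql_file"
+done
+
+for v in $(list_views "$option_schema"); do
+  update_object_owner "VIEW" "$v" >> "$sql_file"
+done
+
+chown @superuser@ "$sql_file"
+_psql --dbname="$option_database" --file="$sql_file" --single-transaction
+rm "$sql_file"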
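Review bot: Nothing verifies that `-d` and `-o` were supplied, so a missing option still produces `ALTER DATABASE  OWNER TO ;` plus an `ALTER … OWNER TO ;` per object, and the failure only surfaces once psql rejects the assembled transaction; a required-option check belongs right after `shift $((OPTIND-1))`. The temporary file is removed only on the success path: with `set -e`, a failing psql exits the script before `rm`, leaving the chown'd SQL file behind, so registering a `trap … EXIT` immediately after `mktemp` is the safer cleanup. Separately, `$option_database` and `$option_owner` are interpolated as bare identifiers while table, sequence and view names are double-quoted, so the two styles behave differently for names containing uppercase or other special characters; quoting all of them the same way (`\"$option_owner\"`) keeps the generated SQL consistent, and the `for t in $(list_tables …)` loops word-split on whitespace, where a `while IFS= read -r t` loop over the psql output would be more robust. Also note that the view list comes from information_schema.views, which appears not to cover materialized views; if those should be reassigned too, a comment stating that limitation would help.
```bash
# … unchanged: option parsing …
shift $((OPTIND-1))

if [ -z "$option_database" ] || [ -z "$option_owner" ]; then
  echo "update-owner.sh: both -d and -o are required" >&2
  usage >&2
  exit 1
fi

# … unchanged: _psql and SQL helper functions …
sql_file=$(mktemp)
trap 'rm -f "$sql_file"' EXIT
set_database_owner_sql > "$sql_file"
# … unchanged: object loops, chown and psql invocation (the final rm is now redundant) …
```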
