Fix PostgreSQL permissions and data schema, and relevant docs #1708
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Jan 23, 2024
Closed
|
That's something I wanted to discuss. #1438 is partly covered by this, but this doesn't address point 2 of #1438 - without being in Research Users group, sys admins and data administrators can't get to the database to modify anything. If we are fine with that (and the docs now spell out that they need to be research users to be able to login to the SRD), then this closes #1438 #1392 is slightly more about telling users how to use the databases. I've just added links to tutorials for MSSQL and PostgreSQL that hopefully suffice. |
10 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
✅ Checklist
Enable foobar integrationrather than515 foobar).develop.'[WIP]'to the title if needed (if you're not yet ready to merge)../tests/AutoFormat_Powershell.ps1 -TargetPath <path to file or directory>for Powershell).Moves the script that ensures users have appropriate roles for modifying certain database tables to the correct directory, and corrects the mustache file that adds this script to the server. Previously, the script was not present on the server. Thus users were not given the right permissions and no data schema was created.
Changes the database trigger to avoid using
pg_has_role. For superusers,pg_has_rolereports that they have every possible user role on the server, irrespective of what other roles they are actually assigned.Adds a cron job that runs every 10 minutes, 1 minute after the LDAP users are updated, to trigger an update of user roles.
Updates docs for system managers regarding the intended use of the security groups on the DC and their impact on database access rights.
🌂 Related issues
Relates to #1438 and #1392
🔬 Tests
Deployed a new PostgreSQL database, created and modified a table in the
dataschema using a user in theData Administratorssecurity group and confirmed that aResearch Usersuser could only read, not modify the table.Checked that user permissions are correctly updated on the PostgreSQL database. The permissions now update appropriately every 10 minutes, including removing a user from the Sys Admins group.