Commit ab9db106 authored by sim's avatar sim

[FIX] Database user gargantua don't need to be superuser

parent ddb6ecd9
......@@ -36,13 +36,17 @@ anon_role = ReplaceableObject("anon", "NOLOGIN")
roles = [gargantext_role, authenticator_role, anon_role]
grants = [
('gargantext', 'gargantua'),
# Enable login through PostgREST auth system for gargantua, anon and
# gargantext
('gargantua, anon, gargantext', 'authenticator'),
# Basic privileges for gargantext role
('USAGE ON SCHEMA api', 'gargantext'),
('CREATE, USAGE ON SCHEMA api', 'gargantext'),
('SELECT ON nodes', 'gargantext'),
('UPDATE (parent_id, name, date, hyperdata) ON nodes', 'gargantext'),
('INSERT ON nodes', 'gargantext'),
......@@ -90,14 +94,11 @@ def upgrade():
op.create_role(role)
op.create_view(api_nodes_view)
op.execute("ALTER VIEW api.nodes OWNER TO gargantext")
# BYPASSRLS is only useful if gargantua is not owner of tables
op.execute("ALTER ROLE gargantua WITH BYPASSRLS")
for grant in grants:
op.execute('GRANT {} TO {}'.format(*grant))
op.execute("ALTER VIEW api.nodes OWNER TO gargantext")
op.execute("ALTER TABLE nodes ENABLE ROW LEVEL SECURITY")
for sp in stored_procedures:
......@@ -119,7 +120,6 @@ def downgrade():
for grant in grants:
op.execute('REVOKE {} FROM {}'.format(*grant))
op.execute("ALTER ROLE gargantua WITH NOBYPASSRLS")
op.drop_view(api_nodes_view)
for role in roles:
......
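Review bot: The `('CREATE, USAGE ON SCHEMA api', 'gargantext')` entry in `grants` leaves CREATE on the PostgREST-exposed schema in place permanently, although in the visible part of `upgrade()` it seems to be needed only so that `ALTER VIEW api.nodes OWNER TO gargantext` can run without superuser rights. Because `('gargantua, anon, gargantext', 'authenticator')` lets API sessions switch into `gargantext`, that role keeps the ability to add objects to `api` at runtime. If nothing after the ownership change depends on it (the body of `upgrade()` continues past this hunk, so this needs confirming), follow the ALTER VIEW with `op.execute("REVOKE CREATE ON SCHEMA api FROM gargantext")`. The rendered page has lost its +/- markers, so which of the two schema-grant lines is the new side is inferred from the commit title.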
......@@ -21,7 +21,7 @@ su postgres -c 'pg_ctlcluster 9.6 main start'
service postgresql start
su postgres -c "psql -c \"CREATE user gargantua WITH PASSWORD 'C8kdcUrAQy66U'\""
su postgres -c "psql -c \"CREATE USER gargantua PASSWORD 'C8kdcUrAQy66U' CREATEROLE BYPASSRLS\""
su postgres -c "createdb -O gargantua gargandb"
echo "Postgres configured"
......
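Review bot: The `CREATE USER gargantua ... CREATEROLE BYPASSRLS` line keeps the account's password as a literal in the repository while giving that same account the right to manage roles and to skip row-level security, so the credential now protects more than it did before. Pass the password in at provisioning time instead, for example from an environment variable (`GARGANTUA_DB_PASSWORD` is a placeholder name, not something defined on this page), and treat the committed value as exposed and rotate it. CREATEROLE appears to be needed only for the `op.create_role(role)` calls in the migration; a comment such as `# CREATEROLE: required by the alembic migration that creates the gargantext/authenticator/anon roles` would record why the runtime user carries it. Which of the two printed CREATE USER lines is the new side is inferred from the commit title and the migration hunks, since the page shows no +/- markers.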