Commit 166ee105 authored by Michał 'rysiek' Woźniak's avatar Michał 'rysiek' Woźniak

just a bit more consistency with function argument order; also,...

just a bit more consistency with function argument order; also, create_readonly_postgres_user() ready for testing
parent 473266bf
......@@ -88,10 +88,10 @@ function clean_db_vars {
# $2 - user to connect as
# $3 - password for that user
# $4 - username to be created
# $5 - optional; hostname of the user to be created
# (if unset or an empty string, '%' will be used)
# $6 - optional; password for the user to be created
# $5 - optional; password for the user to be created
# (if unset or an empty string, random password will be generated and printed on-screen)
# $6 - optional; hostname of the user to be created
# (if unset or an empty string, '%' will be used)
#
# the user gets SELECT, SHOW DATABASES, LOCK TABLES, EXECUTE, SHOW VIEW privileges on *all databases*
function create_readonly_mysql_user() {
......@@ -109,15 +109,15 @@ function create_readonly_mysql_user() {
# read-only user hostname
RUSER_HOST="%"
if [ ! -z ${5+x} ]; then
RUSER_HOST="$5"
if [ ! -z ${6+x} ]; then
RUSER_HOST="$6"
fi
echo " +-- hostname: $RUSER_HOST"
# read-only user password
# if supplied, use it
if [ ! -z ${6+x} ]; then
RUSER_PW="$6"
if [ ! -z ${5+x} ]; then
RUSER_PW="$5"
echo " +-- password: (provided on the command line)"
# otherwise, create a random one
else
......@@ -274,9 +274,7 @@ export -f dump_mysql_dbs
# $2 - user to connect as
# $3 - password for that user
# $4 - username to be created
# $5 - optional; hostname of the user to be created
# (if unset or an empty string, '%' will be used)
# $6 - optional; password for the user to be created
# $5 - optional; password for the user to be created
# (if unset or an empty string, random password will be generated and printed on-screen)
#
# not as simple as the mysql version; we need to make sure that:
......@@ -319,7 +317,78 @@ export -f dump_mysql_dbs
# https://wiki.postgresql.org/images/d/d1/Managing_rights_in_postgresql.pdf
function create_readonly_postgres_user() {
DATABASES="$( PGPASSWORD="$4" psql -h "$2" -U "$3" -lAqt | grep '|' | cut -d '|' -f 1 | egrep -v "template[0-9]" )"
# get the details
PG_HOST="$1"
PG_USER="$2"
PG_PASS="$3"
RUSER_NAME="$4"
# read-only user password
# if supplied, use it
if [ ! -z ${5+x} ]; then
RUSER_PW="$5"
echo " +-- password: (provided on the command line)"
# otherwise, create a random one
else
RUSER_PW="$( pwgen -s 24 1 )" || display_error_and_quit "Error generating password; is pwgen installed and in \$PATH?"
echo " +-- password: $RUSER_PW"
fi
# make sure the role exists and has the basic required privileges (and lacks the unneeded ones)
PGPASSWORD="$PG_PASS" psql -h "$PG_HOST" -U "$PG_USER" -c "
CREATE ROLE $RUSER_NAME NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN NOREPLICATION PASSWORD '$RUSER_PW';
GRANT SELECT ON pg_authid TO $RUSER_NAME;" \
|| display_error_and_quit "Error creating the $RUSER_NAME role and granting SELECT on pg_authid."
# get the list of databases
DATABASES="$( PGPASSWORD="$PG_PASS" psql -h "$PG_HOST" -U "$PG_USER" -lAqt | grep '|' | cut -d '|' -f 1 | egrep -v "template[0-9]" )" \
|| display_error_and_quit "Error getting list of databases"
# do we have any databases?
if [[ "$DATABASES" == "" ]]; then
echo " +-- no databases found."
return 0
fi
# and for each one of them
for DATABASE in $DATABASES; do
# grant CONNECT
PGPASSWORD="$PG_PASS" psql -h "$PG_HOST" -U "$PG_USER" -c "GRANT CONNECT ON DATABASE $DATABASE TO $RUSER_NAME;" \
|| display_error_and_quit "Error granting CONNECT on database $DATABASE"
# get all schemas
SCHEMAS="$( PGPASSWORD="$PG_PASS" psql -h "$PG_HOST" -U "$PG_USER" -Aqt -c '\dn' | grep '|' | cut -d '|' -f 1 )" \
|| display_error_and_quit "Error getting list of schemas"
# let's go through the schemas, then
for SCHEMA in $SCHEMAS; do
# grant USAGE on the schema
PGPASSWORD="$PG_PASS" psql -h "$PG_HOST" -U "$PG_USER" -c "GRANT USAGE ON SCHEMA $SCHEMA TO $RUSER_NAME;" "$DATABASE" \
|| display_error_and_quit "Error granting USAGE on schema $SCHEMA"
# grant SELECT on all tables and sequences, and EXECUTE on all functions, in the schema
PGPASSWORD="$PG_PASS" psql -h "$PG_HOST" -U "$PG_USER" -c "
GRANT SELECT ON ALL TABLES IN SCHEMA $SCHEMA TO $RUSER_NAME;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA $SCHEMA TO $RUSER_NAME;
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA $SCHEMA TO $RUSER_NAME;" "$DATABASE" \
|| display_error_and_quit "Error granting USAGE on schema $SCHEMA"
done
done
# get the list of roles
ROLES="$( PGPASSWORD="$PG_PASS" psql -h "$PG_HOST" -U "$PG_USER" -c '\dg' | grep '|' | cut -d '|' -f 1 )" \
|| display_error_and_quit "Error getting list of databases"
# and for each role
for ROLE in $ROLES; do
# set default privileges on tables/sequences/function
PGPASSWORD="$PG_PASS" psql -h "$PG_HOST" -U "$PG_USER" -c "
ALTER DEFAULT PRIVILEGES FOR ROLE $ROLE GRANT SELECT ON TABLES TO $RUSER_NAME;
ALTER DEFAULT PRIVILEGES FOR ROLE $ROLE GRANT SELECT ON SEQUENCES TO $RUSER_NAME;
ALTER DEFAULT PRIVILEGES FOR ROLE $ROLE GRANT EXECUTE ON FUNCTIONS TO $RUSER_NAME;" \
|| display_error_and_quit "Error altering default privileges for role $ROLE"
done
}
export -f create_readonly_postgres_user
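Review bot: Every value that reaches SQL in create_readonly_postgres_user is spliced into the `-c` string by the shell unquoted, so a caller-supplied `$5` containing a `'`, or a database/schema/role name needing quoting, either breaks the statement or changes it; pass them as psql variables instead, e.g. `psql -v n="$RUSER_NAME" -v pw="$RUSER_PW" -c "CREATE ROLE :\"n\" NOSUPERUSER NOCREATEDB NOCREATEROLE LOGIN NOREPLICATION PASSWORD :'pw';"`, and the same `:"name"` form for `$DATABASE`, `$SCHEMA` and `$ROLE` in the loops. Separately, `GRANT SELECT ON pg_authid TO $RUSER_NAME` gives the "read-only" role access to `rolpassword`, i.e. every role's password hash (and an md5 hash is itself sufficient to authenticate); the reason for the grant is not visible in this hunk, but if only role metadata is needed, `pg_roles` (which masks `rolpassword`) is the safer target, and the choice deserves a comment either way. The schema query on the `\dn` line omits the `"$DATABASE"` argument that the two GRANT calls below it pass, so every iteration grants on the schemas of the connection's default database rather than the one being processed. The `\dg` query lacks the `-Aqt` used elsewhere, so the aligned header `Role name | Attributes | ...` survives the `grep '|'` and becomes `ROLE Role`/`name` in the ALTER DEFAULT PRIVILEGES loop; its error message and the one after the second GRANT block also still read "Error getting list of databases" / "Error granting USAGE on schema" from copy-paste. Note too that the password travels in argv and `PGPASSWORD` env, visible to local `ps`, and in the CREATE ROLE text, which server statement logging will record.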