Reworked the actions schema to use the sequencing user for now

Author: cohansen

.github/workflows/pgcmp.yml

@@ -82,7 +82,7 @@ jobs:
       - name: Dump v2.8.0 Database
         run: |
           mkdir pgdumpV2_8_0
-          PGURI=postgres://"${POSTGRES_USER}":"${POSTGRES_PASSWORD}"@localhost:5432/aerie \
+          PGURI=postgres://"${AERIE_USERNAME}":"${AERIE_PASSWORD}"@localhost:5432/aerie \
           PGCMPOUTPUT=./pgdumpV2_8_0/AerieV2_8_0 \
           PGCLABEL=AerieV2_8_0 \
           PGBINDIR=/usr/bin \
@@ -109,8 +109,8 @@ jobs:
         run: |
           cd deployment
           cat << EOF > .env
-          AERIE_USERNAME=${POSTGRES_USER}
-          AERIE_PASSWORD=${POSTGRES_PASSWORD}
+          AERIE_USERNAME=${AERIE_USERNAME}
+          AERIE_PASSWORD=${AERIE_PASSWORD}
           EOF
           python -m pip install -r requirements.txt
           python aerie_db_migration.py migrate --apply --all
@@ -123,7 +123,7 @@ jobs:
       - name: Dump Migrated Database
         run: |
           mkdir pgdumpmigrated
-          PGURI=postgres://"${POSTGRES_USER}":"${POSTGRES_PASSWORD}"@localhost:5432/aerie \
+          PGURI=postgres://"${AERIE_USERNAME}":"${AERIE_PASSWORD}"@localhost:5432/aerie \
           PGCMPOUTPUT=./pgdumpmigrated/AerieMigratedUp \
           PGCLABEL=AerieMigratedUp \
           PGBINDIR=/usr/bin \
@@ -186,7 +186,7 @@ jobs:
       - name: Dump Current Database
         run: |
           mkdir pgdumpcurrent
-          PGURI=postgres://"${POSTGRES_USER}":"${POSTGRES_PASSWORD}"@localhost:5432/aerie \
+          PGURI=postgres://"${AERIE_USERNAME}":"${AERIE_PASSWORD}"@localhost:5432/aerie \
           PGCMPOUTPUT=./pgdumpcurrent/AerieCurrent \
           PGCLABEL=AerieCurrent \
           PGBINDIR=/usr/bin \
@@ -202,16 +202,16 @@ jobs:
         run: |
           cd deployment
           cat << EOF > .env
-          AERIE_USERNAME=${POSTGRES_USER}
-          AERIE_PASSWORD=${POSTGRES_PASSWORD}
+          AERIE_USERNAME=${AERIE_USERNAME}
+          AERIE_PASSWORD=${AERIE_PASSWORD}
           EOF
           python -m pip install -r requirements.txt
           python aerie_db_migration.py migrate --revert --all
           cd ..
       - name: Dump Migrated Database
         run: |
           mkdir pgdumpmigrateddown
-          PGURI=postgres://"${POSTGRES_USER}":"${POSTGRES_PASSWORD}"@localhost:5432/aerie \
+          PGURI=postgres://"${AERIE_USERNAME}":"${AERIE_PASSWORD}"@localhost:5432/aerie \
           PGCMPOUTPUT=./pgdumpmigrateddown/AerieMigratedDown \
           PGCLABEL=AerieMigratedDown \
           PGBINDIR=/usr/bin \

deployment/hasura/migrations/Aerie/14_actions/down.sql

@@ -1,17 +1,15 @@
 drop trigger notify_action_run_inserted on actions.action_run;
-drop function actions.notify_action_run_inserted cascade;
+drop function actions.notify_action_run_inserted;
 
-drop table actions.action_run cascade;
+drop table actions.action_run;
 
 drop trigger notify_action_definition_inserted on actions.action_definition;
-drop function actions.notify_action_definition_inserted cascade;
+drop function actions.notify_action_definition_inserted;
 drop trigger set_timestamp on actions.action_definition;
-drop table actions.action_definition cascade;
+drop table actions.action_definition;
 
 drop type actions.action_run_status;
 
-drop role action_server;
-
-drop schema actions cascade;
+drop schema actions;
 
 call migrations.mark_migration_rolled_back('14');

deployment/hasura/migrations/Aerie/14_actions/up.sql

@@ -1,16 +1,22 @@
 create schema actions;
 
-create role action_server;
-
-grant create, usage on schema actions to action_server;
-grant select, insert, update, delete on all tables in schema actions to action_server;
-grant execute on all routines in schema actions to action_server;
-
-alter default privileges in schema actions grant select, insert, update, delete on tables to action_server;
-alter default privileges in schema actions grant execute on routines to action_server;
-
-grant create, usage on schema sequencing to action_server;
-grant select, insert, update, delete on table sequencing.user_sequence to action_server;
+DO $$
+  DECLARE seq_user text;
+  BEGIN
+    SELECT into seq_user grantee
+    FROM information_schema.role_table_grants
+    WHERE table_schema = 'sequencing'
+      AND table_name = 'user_sequence'
+      and privilege_type = 'INSERT'
+      and grantee != (select current_user as usersss)
+    limit 1;
+
+    EXECUTE format('grant create, usage on schema actions to %I', seq_user);
+    EXECUTE format('grant select, insert, update, delete on all tables in schema actions to %I', seq_user);
+    EXECUTE format('grant execute on all routines in schema actions to %I', seq_user);
+    EXECUTE format('alter default privileges in schema actions grant select, insert, update, delete on tables to %I', seq_user);
+    EXECUTE format('alter default privileges in schema actions grant execute on routines to %I', seq_user);
+  END $$;
 
 create type actions.action_run_status as enum ('pending', 'in-progress', 'failed', 'complete');
 

deployment/postgres-init-db/init-aerie.sh

@@ -23,9 +23,6 @@ psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname postgres <<-EOSQL
   CREATE USER "$SEQUENCING_DB_USER" WITH PASSWORD '$SEQUENCING_DB_PASSWORD';
   \echo 'Done!'
 
-  \echo 'Initializing action user...'
-  CREATE USER "$ACTION_DB_USER" WITH PASSWORD '$ACTION_DB_PASSWORD';
-
   \echo 'Initializing aerie database...'
   CREATE DATABASE aerie OWNER "$AERIE_USERNAME";
   \connect aerie
@@ -47,7 +44,6 @@ psql -v ON_ERROR_STOP=1 --username "$AERIE_USERNAME" --dbname "aerie" <<-EOSQL
   \set merlin_user $MERLIN_DB_USER
   \set scheduler_user $SCHEDULER_DB_USER
   \set sequencing_user $SEQUENCING_DB_USER
-  \set action_user $ACTION_DB_USER
   \echo 'Initializing aerie database objects...'
   \ir /docker-entrypoint-initdb.d/sql/init.sql
   \echo 'Done!'

deployment/postgres-init-db/sql/init.sql

@@ -9,9 +9,6 @@ begin;
   -- Create Non-Public Schemas
   \ir schemas.sql
 
-  -- Create roles
-  \ir roles.sql
-
   -- Migrations
   \ir tables/migrations/schema_migrations.sql
   \ir applied_migrations.sql

deployment/postgres-init-db/sql/init_db_users.sql

@@ -95,14 +95,14 @@ begin;
   -- Action DB Permissions --
   ---------------------------
   -- The Action User currently has control of all tables in the actions schema
-  grant create, usage on schema actions to action_server;
-  grant select, insert, update, delete on all tables in schema actions to action_server;
-  grant execute on all routines in schema actions to action_server;
+  grant create, usage on schema actions to :"sequencing_user";
+  grant select, insert, update, delete on all tables in schema actions to :"sequencing_user";
+  grant execute on all routines in schema actions to :"sequencing_user";
 
-  alter default privileges in schema actions grant select, insert, update, delete on tables to action_server;
-  alter default privileges in schema actions grant execute on routines to action_server;
+  alter default privileges in schema actions grant select, insert, update, delete on tables to :"sequencing_user";
+  alter default privileges in schema actions grant execute on routines to :"sequencing_user";
 
-  -- The Action Server needs to be able to write sequences
-  grant create, usage on schema sequencing to action_server;
-  grant select, insert, update, delete on table sequencing.user_sequence to action_server;
+  -- The Action Server needs to be able to write sequences, right now we're reusing the sequencing user so these are commented out.
+  -- grant create, usage on schema sequencing to :"sequencing_user";
+  -- grant select, insert, update, delete on table sequencing.user_sequence to :"sequencing_user";
 end;

deployment/postgres-init-db/sql/roles.sql

@@ -15,8 +15,8 @@ services:
       PORT: 27186
       AERIE_DB_HOST: postgres
       AERIE_DB_PORT: 5432
-      ACTION_DB_USER: "${ACTION_USERNAME}"
-      ACTION_DB_PASSWORD: "${ACTION_PASSWORD}"
+      ACTION_DB_USER: "${SEQUENCING_USERNAME}"
+      ACTION_DB_PASSWORD: "${SEQUENCING_PASSWORD}"
       ACTION_LOCAL_STORE: /usr/src/app/action_file_store
       ACTION_WORKER_NUM: 8
       ACTION_MAX_WORKER_NUM: 8