From 72960324bcd56aee9cdf0fe902cfcee490f8c00b Mon Sep 17 00:00:00 2001
From: Aditya Thebe
Date: Wed, 20 Nov 2024 08:48:37 +0545
Subject: [PATCH] chore: add notes on migration
---
 functions/postgrest.sql | 13 -------------
 tests/migration_dependency_test.go | 2 --
 views/034_rls_enable.sql | 21 +++++++++++++++++++--
 views/035_rls_disable.sql | 20 +++++++++++++++-----
 4 files changed, 34 insertions(+), 22 deletions(-)
diff --git a/functions/postgrest.sql b/functions/postgrest.sql
index 671fec20..2fa25dda 100644
--- a/functions/postgrest.sql
+++ b/functions/postgrest.sql
@@ -13,16 +13,3 @@ BEGIN
 ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO postgrest_anon;
 END IF;
 END $$;
-
-
-DO $$
-BEGIN
- IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'api_views_owner') THEN
- -- CREATE a ROLE that will own all views where we need to enforce RLS.
- CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS;
- END IF;
-
- GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
-END
-$$;
-
diff --git a/tests/migration_dependency_test.go b/tests/migration_dependency_test.go
index 59ebbfa5..53447d33 100644
--- a/tests/migration_dependency_test.go
+++ b/tests/migration_dependency_test.go
@@ -8,8 +8,6 @@ import (
 var _ = Describe("migration dependency", Ordered, func() {
 It("should have no executable scripts", func() {
- Skip("")
-
 db, err := DefaultContext.DB().DB()
 Expect(err).To(BeNil())
diff --git a/views/034_rls_enable.sql b/views/034_rls_enable.sql
index d0b15890..35fd4526 100644
--- a/views/034_rls_enable.sql
+++ b/views/034_rls_enable.sql
@@ -1,9 +1,26 @@
+DO $$
+BEGIN
+ IF NOT EXISTS (
+ SELECT
+ FROM
+ pg_catalog.pg_roles
+ WHERE
+ rolname = 'api_views_owner') THEN
+ -- NOTE:In postgres v14, views are run using the view owner's permission.
+ -- When RLS is enabled, we want to run the view using the current user (postgres_anon for eg.)
+ -- Hence, we create a new role to make the owner of all the views that make use of RLS enabled tables.
+ -- The role is created using NOBYPASSRLS option so RLS is enforced.
+ CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS;
+END IF;
+END
+$$;
+
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
+
 ALTER TABLE config_items ENABLE ROW LEVEL SECURITY;
 ALTER TABLE components ENABLE ROW LEVEL SECURITY;
-GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
-
 -- Policy config items
 DROP POLICY IF EXISTS config_items_auth ON config_items;
diff --git a/views/035_rls_disable.sql b/views/035_rls_disable.sql
index 1471a1a0..235cefd8 100644
--- a/views/035_rls_disable.sql
+++ b/views/035_rls_disable.sql
@@ -8,9 +8,19 @@ DROP POLICY IF EXISTS config_items_auth ON config_items;
 DROP POLICY IF EXISTS components_auth ON components;
 -- View owners
-ALTER VIEW config_detail OWNER TO current_user;
-ALTER VIEW config_summary OWNER TO current_user;
-ALTER VIEW config_labels OWNER TO current_user;
-ALTER VIEW config_names OWNER TO current_user;
-ALTER VIEW config_statuses OWNER TO current_user;
+ALTER VIEW config_detail OWNER TO CURRENT_USER;
+
+ALTER VIEW config_labels OWNER TO CURRENT_USER;
+
+ALTER VIEW config_names OWNER TO CURRENT_USER;
+
+ALTER VIEW config_statuses OWNER TO CURRENT_USER;
+
+ALTER VIEW config_summary OWNER TO CURRENT_USER;
+
+ALTER MATERIALIZED VIEW config_item_summary_3d OWNER TO CURRENT_USER;
+
+ALTER MATERIALIZED VIEW config_item_summary_7d OWNER TO CURRENT_USER;
+
+ALTER MATERIALIZED VIEW config_item_summary_30d OWNER TO CURRENT_USER;
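Review bot: The `GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;` placed after the DO block only covers tables that exist when this script runs, so a table added by a later migration is not readable through a view owned by `api_views_owner` until the grant is repeated, whereas functions/postgrest.sql already pairs its grant with `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO postgrest_anon;` for the anon role. Adding `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO api_views_owner;` next to the GRANT would close that gap, assuming the migrations run as the role that later creates those tables. In the NOTE comment, `postgres_anon` does not match the role name `postgrest_anon` used in functions/postgrest.sql and `NOTE:In` wants a space; the comment could also state that the owner-role approach is used because the target is PostgreSQL 14, where the `security_invoker` view option (15+) that would express the stated intent directly is not available.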
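Review bot: The new `OWNER TO CURRENT_USER` statements revert view ownership, but nothing in this hunk revokes the `GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner` or drops the role created in views/034_rls_enable.sql, so after the disable script the role still holds read access to every table in the schema while owning no views. If that is deliberate so 034 can be re-applied without recreating the role, a comment above the block saying so would prevent a reader from treating it as an omission, e.g. `-- api_views_owner and its SELECT grant are intentionally kept; only view ownership is reverted here.`; otherwise add `REVOKE SELECT ON ALL TABLES IN SCHEMA public FROM api_views_owner;` after the last ALTER. Lines 1-7 of the file are outside this hunk, so a revoke may already exist there.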