chore: add notes on migration

flanksource · Nov 20, 2024 · c96542d · c96542d
1 parent 8360d3b
commit c96542d
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 20 deletions.
diff --git a/functions/postgrest.sql b/functions/postgrest.sql
@@ -13,16 +13,3 @@ BEGIN
         ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO postgrest_anon;
     END IF;
 END $$;
-
-
-DO $$
-BEGIN
-  IF NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'api_views_owner') THEN
-    -- CREATE a ROLE that will own all views where we need to enforce RLS.
-    CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS;
-  END IF;
-
-  GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
-END
-$$;
-
diff --git a/views/034_rls_enable.sql b/views/034_rls_enable.sql
@@ -1,9 +1,26 @@
+DO $$
+BEGIN
+  IF NOT EXISTS (
+    SELECT
+    FROM
+      pg_catalog.pg_roles
+    WHERE
+      rolname = 'api_views_owner') THEN
+  -- NOTE:In postgres v14, views are run using the view owner's permission.
+  -- When RLS is enabled, we want to run the view using the current user (postgres_anon for eg.)
+  -- Hence, we create a new role to make the owner of all the views that make use of RLS enabled tables.
+  -- The role is created using NOBYPASSRLS option so RLS is enforced.
+  CREATE ROLE api_views_owner NOSUPERUSER NOBYPASSRLS;
+END IF;
+END
+$$;
+
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
+
 ALTER TABLE config_items ENABLE ROW LEVEL SECURITY;
 
 ALTER TABLE components ENABLE ROW LEVEL SECURITY;
 
-GRANT SELECT ON ALL TABLES IN SCHEMA public TO api_views_owner;
-
 -- Policy config items
 DROP POLICY IF EXISTS config_items_auth ON config_items;
 

diff --git a/views/035_rls_disable.sql b/views/035_rls_disable.sql
@@ -8,9 +8,19 @@ DROP POLICY IF EXISTS config_items_auth ON config_items;
 DROP POLICY IF EXISTS components_auth ON components;
 
 -- View owners
-ALTER VIEW config_detail OWNER TO current_user;
-ALTER VIEW config_summary OWNER TO current_user;
-ALTER VIEW config_labels OWNER TO current_user;
-ALTER VIEW config_names OWNER TO current_user;
-ALTER VIEW config_statuses OWNER TO current_user;
+ALTER VIEW config_detail OWNER TO CURRENT_USER;
+
+ALTER VIEW config_labels OWNER TO CURRENT_USER;
+
+ALTER VIEW config_names OWNER TO CURRENT_USER;
+
+ALTER VIEW config_statuses OWNER TO CURRENT_USER;
+
+ALTER VIEW config_summary OWNER TO CURRENT_USER;
+
+ALTER MATERIALIZED VIEW config_item_summary_3d OWNER TO CURRENT_USER;
+
+ALTER MATERIALIZED VIEW config_item_summary_7d OWNER TO CURRENT_USER;
+
+ALTER MATERIALIZED VIEW config_item_summary_30d OWNER TO CURRENT_USER;