• Stars
    star
    311
  • Rank 134,521 (Top 3 %)
  • Language
    Python
  • License
    Other
  • Created almost 7 years ago
  • Updated 10 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Manage a Postgres cluster's roles, role memberships, schema ownership, and privileges

pgbedrock

travis_ci coveralls postgres_versions pip_versions

pgbedrock is an application for managing the roles, memberships, ownerships, and most importantly the permissions for tables, sequences, and schemas in a Postgres database.

Given the parameters to connect to a Postgres database (i.e. host, port, etc.) and a YAML file (a "spec") representing the desired database configuration, pgbedrock makes sure that the configuration of that database matches the spec. If there are differences, it will alter the database to make it match the spec.

It can be run as a docker container (via docker run quay.io/squarespace/pgbedrock) or as a local command-line utility (via pip install pgbedrock).

Detailed information can be found in the documentation.

Example

As an example, the definition for the jdoe role in the spec might look like this:

jdoe:
    can_login: yes
    is_superuser: no
    attributes:
        - PASSWORD "{{ env['JDOE_PASSWORD'] }}"
    member_of:
        - analyst
    owns:
        schemas:
            - finance_reports
        tables:
            - finance_reports.Q2_revenue
            - finance_reports.Q2_margin
    privileges:
        schemas:
            read:
                - finance
                - marketing
            write:
                - reports
        tables:
            read:
                - finance.*
                - marketing.ad_spend
                - marketing.impressions
            write:
                - reports.*
            except:
                - reports.Q2_fixed_assets
        sequences:
            write:
                - reports.*

When pgbedrock is run, it would make sure that:

  • The role jdoe exists
  • jdoe can log in
  • jdoe is not a superuser
  • jdoe's password is the same as what is in the $JDOE_PASSWORD environment variable
  • All other role attributes for jdoe are the Postgres defaults (as defined by pg_authid).
  • jdoe is a member of the analyst role
  • jdoe is a member of no other roles
  • jdoe owns the finance_reports schema
  • jdoe owns the finance_reports.Q2_revenue and finance_reports.Q2_margin tables
  • jdoe has read-level schema access (in Postgres terms: USAGE) for the finance and marketing schemas
  • jdoe has write-level schema access (CREATE) for the reports schema
  • jdoe has read-level access (SELECT) to all tables in the finance schema and to the marketing.ad_spend and marketing.impressions tables
  • jdoe has default privileges to read from all future tables created in the finance schema
  • jdoe has write-level access (SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, and TRIGGER) to all tables in the reports schema except for the Q2_fixed_assets table
  • jdoe has default privileges to write to all future tables created in the reports schema
  • jdoe has write-level access (SELECT, USAGE, UPDATE) to all sequences in the reports schema
  • jdoe has default privileges to write to all future sequences created in the reports schema
  • jdoe does not have any access other than that listed above (except whatever it inherits from the analyst role that jdoe is a member of)

Quickstart

Using pgbedrock requires three steps: generating a spec for a database, reviewing that spec, and configuring the database using that spec. Below we will do this using the pgbedrock docker image, but these steps can also be done with the pip-installed version of the tool.

  1. Generate a spec for a database. Specify the connection parameters below (host, port, database, username, and user password) as well as the place to output the tentative spec. Note that the user passed with -U must be a superuser.

    docker run -it \
        quay.io/squarespace/pgbedrock generate \
        -h myhost.mynetwork.net \
        -p 5432 \
        -d mydatabase \
        -U mysuperuser \
        -w supersecret > path/to/spec.yml
  2. Review the spec. pgbedrock is not quite as flexible as Postgres's permissioning, and as a result the generated spec may differ slightly from the current state of your database. For more information on these potential simplifications, see the Notable Functionality And Caveats section in the docs. As a result, it is recommended to run pgbedrock configure in check mode the first time you use it to see what changes it would introduce to your current setup. This looks similar to the command above, but requires us to also pass in the passwords for any roles whose passwords are managed within Postgres itself. These can be identified in the spec file as roles with a line that looks like PASSWORD "{{ env['MYROLE_PASSWORD'] }}" (if you forget to pass in these passwords pgbedrock will just throw an error and refuse to run). Note that you must run pgbedrock configure against the Postgres primary. To run pgbedrock in check mode we do the following:

    docker run -it \
        -e "JDOE_PASSWORD=${JDOE_PASSWORD}" \
        -e "JSMITH_PASSWORD=${JSMITH_PASSWORD}" \
        -v /path/to/spec.yml:/opt/spec.yml \
        quay.io/squarespace/pgbedrock configure spec.yml \
        -h myhost.mynetwork.net \
        -p 5432 \
        -d mydatabase \
        -U mysuperuser \
        -w supersecret \
        --check

    Note that --check is actually the default behavior, so we could also omit that.

  3. Configure the database using the spec. Once you feel comfortable with the changes pgbedrock would introduce, run the above command again using --live instead of --check. Changes will now be made real. To make future changes, modify the spec file and run the above command.

For further information, see the documentation.

License

Copyright 2018 Squarespace, Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

More Repositories

1

datasheets

Read data from, write data to, and modify the formatting of Google Sheets
Python
617
star
2

base-template

A Squarespace starter template with minimal markup and styles.
CSS
190
star
3

simple-source

Easy and type-safe iOS table and collection views in Swift.
Swift
98
star
4

jersey2-guice

Jersey 2.0 w/ Guice
Java
92
star
5

squarespace-toolbelt

JavaScript
87
star
6

base-template-npm

JavaScript
86
star
7

wright-framework

Less
66
star
8

template-compiler

Java compiler for primary Squarespace template language
Java
41
star
9

squarespace-core

JavaScript
32
star
10

endeavor-framework

Less
29
star
11

template-engine

TypeScript implementation of Squarespace template language
TypeScript
26
star
12

less-compiler

Less compiler in Java
Java
18
star
13

squarespace-video-background-rendering

JavaScript
15
star
14

eslint-config-squarespace

Provides the universal configuration for eslint at Squarespace.
JavaScript
14
star
15

doncab-framework

Less
14
star
16

squarespace-mercury

JavaScript
13
star
17

squarespace-video-background

Less
11
star
18

pouchdb-lru-cache

PouchDB plugin for storing binary data in a least-recently-used (LRU) cache.
JavaScript
11
star
19

squarespace-controller

JavaScript
10
star
20

cldr

Java library for localization using Unicode CLDR JSON data
Java
10
star
21

squarespace-social-links

Less
9
star
22

squarespace.github.io

Open source at Squarespace
CSS
9
star
23

squarespace-layout-base

JavaScript
8
star
24

bureau-framework

Less
8
star
25

dossier-framework

Less
8
star
26

graphite-tools

Tools for the Graphite project
Python
7
star
27

squarespace-layout-autocolumns

JavaScript
6
star
28

squarespace-polyfills

JavaScript
6
star
29

squarespace-darwin

JavaScript
5
star
30

squarespace-ancillary

JavaScript
4
star
31

cldr-engine-java

Java port of @phensley/cldr Typescript library
Java
4
star
32

less-ts

Squarespace Less compiler in Typescript
TypeScript
3
star
33

squarespace-layout-slideshow

JavaScript
2
star
34

gradle-jasmin-plugin

Gradle plugin to assemble Jasmin source to JVM classfiles
Java
2
star
35

squarespace-fonts-loaded

JavaScript
1
star
36

clojuresque-base

Clojure
1
star
37

introduction-to-react-workshop

HTML
1
star
38

gradle-utils

Groovy
1
star
39

compiler-common

Common code for Squarespace's compiler projects
Java
1
star
40

clojuresque

Groff
1
star
41

netty-http-client-test

Java
1
star