Merge branch '124-restricted-user' into 'master'

agneum · agneum · commit dac9c454aaa1 · 2021-02-03T11:42:21.000Z
feat: create a restricted user (joe#124)

# Description
Allow creating a user with restricted permissions in order to protect from stealing the data (massively):
- add a new API parameter `restricted` to create a user with restricted permissions
- support a new parameter in the Database Lab CLI
- define a special query template to create a user with limited permissions

# Related issue
joe#124

See merge request postgres-ai/database-lab!250
diff --git a/api/swagger-spec/dblab_server_swagger.yaml b/api/swagger-spec/dblab_server_swagger.yaml
@@ -386,6 +386,9 @@ definitions:
             type: "string"
           password:
             type: "string"
+          restricted:
+            type: "boolean"
+            default: false
 
   UpdateClone:
     type: "object"
diff --git a/cmd/cli/commands/clone/actions.go b/cmd/cli/commands/clone/actions.go
@@ -55,8 +55,9 @@ func create(cliCtx *cli.Context) error {
 		ID:        cliCtx.String("id"),
 		Protected: cliCtx.Bool("protected"),
 		DB: &types.DatabaseRequest{
-			Username: cliCtx.String("username"),
-			Password: cliCtx.String("password"),
+			Username:   cliCtx.String("username"),
+			Password:   cliCtx.String("password"),
+			Restricted: cliCtx.Bool("restricted"),
 		},
 	}
 
diff --git a/cmd/cli/commands/clone/command_list.go b/cmd/cli/commands/clone/command_list.go
@@ -43,6 +43,10 @@ func CommandList() []*cli.Command {
 						Usage:    "database password",
 						Required: true,
 					},
+					&cli.BoolFlag{
+						Name:  "restricted",
+						Usage: "create a user with restricted permissions",
+					},
 					&cli.StringFlag{
 						Name:  "id",
 						Usage: "clone ID (optional)",
diff --git a/pkg/client/dblabapi/types/clone.go b/pkg/client/dblabapi/types/clone.go
@@ -21,8 +21,9 @@ type CloneUpdateRequest struct {
 
 // DatabaseRequest represents database params of a clone request.
 type DatabaseRequest struct {
-	Username string `json:"username"`
-	Password string `json:"password"`
+	Username   string `json:"username"`
+	Password   string `json:"password"`
+	Restricted bool   `json:"restricted"`
 }
 
 // SnapshotCloneFieldRequest represents snapshot params of a create request.
diff --git a/pkg/services/cloning/mode_base.go b/pkg/services/cloning/mode_base.go
@@ -140,7 +140,7 @@ func (c *baseCloning) CreateClone(cloneRequest *types.CloneCreateRequest) (*mode
 	c.setWrapper(clone.ID, w)
 
 	go func() {
-		session, err := c.provision.StartSession(w.username, w.password, w.snapshot.ID, cloneRequest.ExtraConf)
+		session, err := c.provision.StartSession(w.username, w.password, w.snapshot.ID, cloneRequest.DB.Restricted, cloneRequest.ExtraConf)
 		if err != nil {
 			// TODO(anatoly): Empty room case.
 			log.Errf("Failed to start session: %v.", err)
diff --git a/pkg/services/provision/databases/postgres/postgres_mgmt.go b/pkg/services/provision/databases/postgres/postgres_mgmt.go
@@ -70,9 +70,14 @@ func ResetAllPasswords(c *resources.AppConfig, whitelistUsers []string) error {
 }
 
 // CreateUser defines a method for creation of Postgres user.
-func CreateUser(c *resources.AppConfig, username string, password string) error {
-	query := fmt.Sprintf("create user \"%s\" with password '%s' login superuser;",
-		username, password)
+func CreateUser(c *resources.AppConfig, username, password string, restricted bool) error {
+	var query string
+
+	if restricted {
+		query = restrictedUserQuery(username, password, c.DB.DBName)
+	} else {
+		query = superuserQuery(username, password)
+	}
 
 	out, err := runSimpleSQL(query, c)
 	if err != nil {
@@ -83,3 +88,55 @@ func CreateUser(c *resources.AppConfig, username string, password string) error
 
 	return nil
 }
+
+func superuserQuery(username, password string) string {
+	return fmt.Sprintf(`create user "%s" with password '%s' login superuser;`, username, password)
+}
+
+const restrictedTemplate = `
+-- create new user 
+create user %[1]s with password '%s' createdb;
+
+-- grant all privileges in the database 
+grant all privileges on database %s to %[1]s;
+
+-- grant all on all objects in all schemas in the database
+do $$
+begin
+  -- grant usage on all schemas in the database
+  execute (
+    select string_agg(format('grant usage on schema %%I to %[1]s', nspname), '; ')
+    from pg_namespace
+    where nspname <> 'information_schema'
+    and nspname not like 'pg\_%%'
+  );
+   
+  -- grant all on all tables in all schemas in database
+  execute (
+    select string_agg(format('grant all on all tables in schema %%I to %[1]s', nspname), '; ')
+    from pg_namespace
+    where nspname <> 'information_schema'
+    and nspname not like 'pg\_%%'
+  );
+
+  -- grant all on all sequences in all custom schemas in the database
+  execute (
+    select string_agg(format('grant all on all sequences in schema %%I to %[1]s', nspname), '; ')
+    from pg_namespace
+    where nspname <> 'information_schema'
+    and nspname not like 'pg\_%%'
+  );
+
+  -- grant all on all functions in all schemas in the database
+  execute (
+    select string_agg(format('grant all on all functions in schema %%I to %[1]s', nspname), '; ')
+    from pg_namespace
+    where nspname <> 'information_schema'
+    and nspname not like 'pg\_%%'
+  );
+end $$; 
+`
+
+func restrictedUserQuery(username, password, database string) string {
+	return fmt.Sprintf(restrictedTemplate, username, password, database)
+}
diff --git a/pkg/services/provision/mode_local.go b/pkg/services/provision/mode_local.go
@@ -143,7 +143,7 @@ func (p *Provisioner) Reload(cfg Config, dbCfg resources.DB) {
 }
 
 // StartSession starts a new session.
-func (p *Provisioner) StartSession(username, password, snapshotID string,
+func (p *Provisioner) StartSession(username, password, snapshotID string, restricted bool,
 	extraConfig map[string]string) (*resources.Session, error) {
 	snapshotID, err := p.getSnapshotID(snapshotID)
 	if err != nil {
@@ -181,7 +181,7 @@ func (p *Provisioner) StartSession(username, password, snapshotID string,
 		return nil, errors.Wrap(err, "failed to start a container")
 	}
 
-	if err := p.prepareDB(username, password, appConfig); err != nil {
+	if err := p.prepareDB(appConfig, username, password, restricted); err != nil {
 		return nil, errors.Wrap(err, "failed to prepare a database")
 	}
 
@@ -195,6 +195,7 @@ func (p *Provisioner) StartSession(username, password, snapshotID string,
 		SocketHost:        appConfig.Host,
 		EphemeralUser:     username,
 		EphemeralPassword: password,
+		Restricted:        restricted,
 		ExtraConfig:       extraConfig,
 	}
 
@@ -264,7 +265,7 @@ func (p *Provisioner) ResetSession(session *resources.Session, snapshotID string
 		return errors.Wrap(err, "failed to start a container")
 	}
 
-	if err := p.prepareDB(session.EphemeralUser, session.EphemeralPassword, appConfig); err != nil {
+	if err := p.prepareDB(appConfig, session.EphemeralUser, session.EphemeralPassword, session.Restricted); err != nil {
 		return errors.Wrap(err, "failed to prepare a database")
 	}
 
@@ -565,7 +566,7 @@ func (p *Provisioner) scanCSVLogFile(ctx context.Context, filename string, avail
 	}
 }
 
-func (p *Provisioner) prepareDB(username, password string, pgConf *resources.AppConfig) error {
+func (p *Provisioner) prepareDB(pgConf *resources.AppConfig, username, password string, restricted bool) error {
 	if !p.config.KeepUserPasswords {
 		whitelist := []string{p.dbCfg.Username}
 
@@ -574,7 +575,7 @@ func (p *Provisioner) prepareDB(username, password string, pgConf *resources.App
 		}
 	}
 
-	if err := postgres.CreateUser(pgConf, username, password); err != nil {
+	if err := postgres.CreateUser(pgConf, username, password, restricted); err != nil {
 		return errors.Wrap(err, "failed to create user")
 	}
 
diff --git a/pkg/services/provision/resources/resources.go b/pkg/services/provision/resources/resources.go
@@ -23,6 +23,7 @@ type Session struct {
 	// For user-defined username and password.
 	EphemeralUser     string
 	EphemeralPassword string
+	Restricted        bool
 
 	ExtraConfig map[string]string
 }

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ func (p *Provisioner) Reload(cfg Config, dbCfg resources.DB) {`
`143`	`143`	`}`
`144`	`144`
`145`	`145`	`// StartSession starts a new session.`
`146`		`-func (p *Provisioner) StartSession(username, password, snapshotID string,`
	`146`	`+func (p *Provisioner) StartSession(username, password, snapshotID string, restricted bool,`
`147`	`147`	`extraConfig map[string]string) (*resources.Session, error) {`
`148`	`148`	`snapshotID, err := p.getSnapshotID(snapshotID)`
`149`	`149`	`if err != nil {`
`@@ -181,7 +181,7 @@ func (p *Provisioner) StartSession(username, password, snapshotID string,`
`181`	`181`	`return nil, errors.Wrap(err, "failed to start a container")`
`182`	`182`	`}`
`183`	`183`
`184`		`- if err := p.prepareDB(username, password, appConfig); err != nil {`
	`184`	`+ if err := p.prepareDB(appConfig, username, password, restricted); err != nil {`
`185`	`185`	`return nil, errors.Wrap(err, "failed to prepare a database")`
`186`	`186`	`}`
`187`	`187`
`@@ -195,6 +195,7 @@ func (p *Provisioner) StartSession(username, password, snapshotID string,`
`195`	`195`	`SocketHost: appConfig.Host,`
`196`	`196`	`EphemeralUser: username,`
`197`	`197`	`EphemeralPassword: password,`
	`198`	`+ Restricted: restricted,`
`198`	`199`	`ExtraConfig: extraConfig,`
`199`	`200`	`}`
`200`	`201`
`@@ -264,7 +265,7 @@ func (p Provisioner) ResetSession(session resources.Session, snapshotID string`
`264`	`265`	`return errors.Wrap(err, "failed to start a container")`
`265`	`266`	`}`
`266`	`267`
`267`		`- if err := p.prepareDB(session.EphemeralUser, session.EphemeralPassword, appConfig); err != nil {`
	`268`	`+ if err := p.prepareDB(appConfig, session.EphemeralUser, session.EphemeralPassword, session.Restricted); err != nil {`
`268`	`269`	`return errors.Wrap(err, "failed to prepare a database")`
`269`	`270`	`}`
`270`	`271`
`@@ -565,7 +566,7 @@ func (p *Provisioner) scanCSVLogFile(ctx context.Context, filename string, avail`
`565`	`566`	`}`
`566`	`567`	`}`
`567`	`568`
`568`		`-func (p Provisioner) prepareDB(username, password string, pgConf resources.AppConfig) error {`
	`569`	`+func (p Provisioner) prepareDB(pgConf resources.AppConfig, username, password string, restricted bool) error {`
`569`	`570`	`if !p.config.KeepUserPasswords {`
`570`	`571`	`whitelist := []string{p.dbCfg.Username}`
`571`	`572`
`@@ -574,7 +575,7 @@ func (p Provisioner) prepareDB(username, password string, pgConf resources.App`
`574`	`575`	`}`
`575`	`576`	`}`
`576`	`577`
`577`		`- if err := postgres.CreateUser(pgConf, username, password); err != nil {`
	`578`	`+ if err := postgres.CreateUser(pgConf, username, password, restricted); err != nil {`
`578`	`579`	`return errors.Wrap(err, "failed to create user")`
`579`	`580`	`}`
`580`	`581`
Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ type Session struct {`
`23`	`23`	`// For user-defined username and password.`
`24`	`24`	`EphemeralUser string`
`25`	`25`	`EphemeralPassword string`
	`26`	`+ Restricted bool`
`26`	`27`
`27`	`28`	`ExtraConfig map[string]string`
`28`	`29`	`}`