Merge branch '124-db-for-restricted-user' into 'master'

agneum · agneum · commit e925a34a322b · 2021-02-09T13:41:10.000Z
feat: allow defining a database name for a restricted user (joe#124) Closes #124 See merge request postgres-ai/database-lab!259
diff --git a/api/swagger-spec/dblab_server_swagger.yaml b/api/swagger-spec/dblab_server_swagger.yaml
@@ -389,6 +389,8 @@ definitions:
           restricted:
             type: "boolean"
             default: false
+          db_name:
+            type: "string"
 
   UpdateClone:
     type: "object"
diff --git a/cmd/cli/commands/clone/actions.go b/cmd/cli/commands/clone/actions.go
@@ -58,6 +58,7 @@ func create(cliCtx *cli.Context) error {
 			Username:   cliCtx.String("username"),
 			Password:   cliCtx.String("password"),
 			Restricted: cliCtx.Bool("restricted"),
+			DBName:     cliCtx.String("db-name"),
 		},
 	}
 
diff --git a/cmd/cli/commands/clone/command_list.go b/cmd/cli/commands/clone/command_list.go
@@ -47,6 +47,10 @@ func CommandList() []*cli.Command {
 						Name:  "restricted",
 						Usage: "create a user with restricted permissions",
 					},
+					&cli.StringFlag{
+						Name:  "db-name",
+						Usage: "available database for a user with restricted permissions",
+					},
 					&cli.StringFlag{
 						Name:  "id",
 						Usage: "clone ID (optional)",
diff --git a/pkg/client/dblabapi/types/clone.go b/pkg/client/dblabapi/types/clone.go
@@ -24,6 +24,7 @@ type DatabaseRequest struct {
 	Username   string `json:"username"`
 	Password   string `json:"password"`
 	Restricted bool   `json:"restricted"`
+	DBName     string `json:"db_name"`
 }
 
 // SnapshotCloneFieldRequest represents snapshot params of a create request.
diff --git a/pkg/services/cloning/mode_base.go b/pkg/services/cloning/mode_base.go
@@ -139,8 +139,15 @@ func (c *baseCloning) CreateClone(cloneRequest *types.CloneCreateRequest) (*mode
 
 	c.setWrapper(clone.ID, w)
 
+	ephemeralUser := resources.EphemeralUser{
+		Name:        w.username,
+		Password:    w.password,
+		Restricted:  cloneRequest.DB.Restricted,
+		AvailableDB: cloneRequest.DB.DBName,
+	}
+
 	go func() {
-		session, err := c.provision.StartSession(w.username, w.password, w.snapshot.ID, cloneRequest.DB.Restricted, cloneRequest.ExtraConf)
+		session, err := c.provision.StartSession(w.snapshot.ID, ephemeralUser, cloneRequest.ExtraConf)
 		if err != nil {
 			// TODO(anatoly): Empty room case.
 			log.Errf("Failed to start session: %v.", err)
diff --git a/pkg/services/provision/databases/postgres/postgres.go b/pkg/services/provision/databases/postgres/postgres.go
@@ -73,7 +73,7 @@ func Start(r runners.Runner, c *resources.AppConfig) error {
 			return errors.Wrap(fmt.Errorf("postgres fatal error"), "cannot start Postgres")
 		}
 
-		out, err := runSimpleSQL("select pg_is_in_recovery()", c)
+		out, err := runSimpleSQL("select pg_is_in_recovery()", getPgConnStr(c.Host, c.DB.DBName, c.DB.Username, c.Port))
 
 		if err == nil {
 			// Server does not need promotion if it is not in recovery.
@@ -148,23 +148,22 @@ func pgctlPromote(r runners.Runner, c *resources.AppConfig) (string, error) {
 }
 
 // Generate postgres connection string.
-func getPgConnStr(c *resources.AppConfig) string {
+func getPgConnStr(host, dbname, username string, port uint) string {
 	var sb strings.Builder
 
-	if c.Host != "" {
-		sb.WriteString("host=" + c.Host + " ")
+	if host != "" {
+		sb.WriteString("host=" + host + " ")
 	}
 
-	sb.WriteString("port=" + strconv.Itoa(int(c.Port)) + " ")
-	sb.WriteString("dbname=" + c.DB.DBName + " ")
-	sb.WriteString("user=" + c.DB.Username + " ")
+	sb.WriteString("port=" + strconv.Itoa(int(port)) + " ")
+	sb.WriteString("dbname=" + dbname + " ")
+	sb.WriteString("user=" + username + " ")
 
 	return sb.String()
 }
 
-// Executes simple SQL commands which returns one string value.
-func runSimpleSQL(command string, c *resources.AppConfig) (string, error) {
-	connStr := getPgConnStr(c)
+// runSimpleSQL executes simple SQL commands which returns one string value.
+func runSimpleSQL(command, connStr string) (string, error) {
 	db, err := sql.Open("postgres", connStr)
 
 	if err != nil {
diff --git a/pkg/services/provision/databases/postgres/postgres_mgmt.go b/pkg/services/provision/databases/postgres/postgres_mgmt.go
@@ -59,7 +59,7 @@ func ResetAllPasswords(c *resources.AppConfig, whitelistUsers []string) error {
 	query := strings.Replace(ResetPasswordsQuery,
 		"{{OPTIONAL_WHERE}}", optionalWhere, 1)
 
-	out, err := runSimpleSQL(query, c)
+	out, err := runSimpleSQL(query, getPgConnStr(c.Host, c.DB.DBName, c.DB.Username, c.Port))
 	if err != nil {
 		return errors.Wrap(err, "failed to run psql")
 	}
@@ -70,16 +70,21 @@ func ResetAllPasswords(c *resources.AppConfig, whitelistUsers []string) error {
 }
 
 // CreateUser defines a method for creation of Postgres user.
-func CreateUser(c *resources.AppConfig, username, password string, restricted bool) error {
+func CreateUser(c *resources.AppConfig, user resources.EphemeralUser) error {
 	var query string
 
-	if restricted {
-		query = restrictedUserQuery(username, password, c.DB.DBName)
+	dbName := c.DB.DBName
+	if user.AvailableDB != "" {
+		dbName = user.AvailableDB
+	}
+
+	if user.Restricted {
+		query = restrictedUserQuery(user.Name, user.Password, dbName)
 	} else {
-		query = superuserQuery(username, password)
+		query = superuserQuery(user.Name, user.Password)
 	}
 
-	out, err := runSimpleSQL(query, c)
+	out, err := runSimpleSQL(query, getPgConnStr(c.Host, dbName, c.DB.Username, c.Port))
 	if err != nil {
 		return errors.Wrap(err, "failed to run psql")
 	}
diff --git a/pkg/services/provision/mode_local.go b/pkg/services/provision/mode_local.go
@@ -143,7 +143,7 @@ func (p *Provisioner) Reload(cfg Config, dbCfg resources.DB) {
 }
 
 // StartSession starts a new session.
-func (p *Provisioner) StartSession(username, password, snapshotID string, restricted bool,
+func (p *Provisioner) StartSession(snapshotID string, user resources.EphemeralUser,
 	extraConfig map[string]string) (*resources.Session, error) {
 	snapshotID, err := p.getSnapshotID(snapshotID)
 	if err != nil {
@@ -181,22 +181,20 @@ func (p *Provisioner) StartSession(username, password, snapshotID string, restri
 		return nil, errors.Wrap(err, "failed to start a container")
 	}
 
-	if err := p.prepareDB(appConfig, username, password, restricted); err != nil {
+	if err := p.prepareDB(appConfig, user); err != nil {
 		return nil, errors.Wrap(err, "failed to prepare a database")
 	}
 
 	atomic.AddUint32(&p.sessionCounter, 1)
 
 	session := &resources.Session{
-		ID:                strconv.FormatUint(uint64(p.sessionCounter), 10),
-		Pool:              fsm.Pool().Name,
-		Port:              port,
-		User:              appConfig.DB.Username,
-		SocketHost:        appConfig.Host,
-		EphemeralUser:     username,
-		EphemeralPassword: password,
-		Restricted:        restricted,
-		ExtraConfig:       extraConfig,
+		ID:            strconv.FormatUint(uint64(p.sessionCounter), 10),
+		Pool:          fsm.Pool().Name,
+		Port:          port,
+		User:          appConfig.DB.Username,
+		SocketHost:    appConfig.Host,
+		EphemeralUser: user,
+		ExtraConfig:   extraConfig,
 	}
 
 	return session, nil
@@ -265,7 +263,7 @@ func (p *Provisioner) ResetSession(session *resources.Session, snapshotID string
 		return errors.Wrap(err, "failed to start a container")
 	}
 
-	if err := p.prepareDB(appConfig, session.EphemeralUser, session.EphemeralPassword, session.Restricted); err != nil {
+	if err := p.prepareDB(appConfig, session.EphemeralUser); err != nil {
 		return errors.Wrap(err, "failed to prepare a database")
 	}
 
@@ -566,7 +564,7 @@ func (p *Provisioner) scanCSVLogFile(ctx context.Context, filename string, avail
 	}
 }
 
-func (p *Provisioner) prepareDB(pgConf *resources.AppConfig, username, password string, restricted bool) error {
+func (p *Provisioner) prepareDB(pgConf *resources.AppConfig, user resources.EphemeralUser) error {
 	if !p.config.KeepUserPasswords {
 		whitelist := []string{p.dbCfg.Username}
 
@@ -575,7 +573,7 @@ func (p *Provisioner) prepareDB(pgConf *resources.AppConfig, username, password
 		}
 	}
 
-	if err := postgres.CreateUser(pgConf, username, password, restricted); err != nil {
+	if err := postgres.CreateUser(pgConf, user); err != nil {
 		return errors.Wrap(err, "failed to create user")
 	}
 
diff --git a/pkg/services/provision/resources/resources.go b/pkg/services/provision/resources/resources.go
@@ -15,17 +15,11 @@ type Session struct {
 	Pool string
 
 	// Database.
-	Port       uint
-	User       string
-	SocketHost string
-
-	// TODO(anatoly): Were private fields. How to keep them private?
-	// For user-defined username and password.
-	EphemeralUser     string
-	EphemeralPassword string
-	Restricted        bool
-
-	ExtraConfig map[string]string
+	Port          uint
+	User          string
+	SocketHost    string
+	EphemeralUser EphemeralUser
+	ExtraConfig   map[string]string
 }
 
 // Disk defines disk status.
@@ -37,6 +31,15 @@ type Disk struct {
 	DataSize uint64
 }
 
+// EphemeralUser describes an ephemeral database user defined by Database Lab users.
+type EphemeralUser struct {
+	// TODO(anatoly): Were private fields. How to keep them private?
+	Name        string
+	Password    string
+	Restricted  bool
+	AvailableDB string
+}
+
 // Snapshot defines snapshot of the data with related meta-information.
 type Snapshot struct {
 	ID          string

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,7 @@ func create(cliCtx *cli.Context) error {`
`58`	`58`	`Username: cliCtx.String("username"),`
`59`	`59`	`Password: cliCtx.String("password"),`
`60`	`60`	`Restricted: cliCtx.Bool("restricted"),`
	`61`	`+ DBName: cliCtx.String("db-name"),`
`61`	`62`	`},`
`62`	`63`	`}`
`63`	`64`
Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ type DatabaseRequest struct {`
`24`	`24`	Username string `json:"username"`
`25`	`25`	Password string `json:"password"`
`26`	`26`	Restricted bool `json:"restricted"`
	`27`	+ DBName string `json:"db_name"`
`27`	`28`	`}`
`28`	`29`
`29`	`30`	`// SnapshotCloneFieldRequest represents snapshot params of a create request.`
Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ func (p *Provisioner) Reload(cfg Config, dbCfg resources.DB) {`
`143`	`143`	`}`
`144`	`144`
`145`	`145`	`// StartSession starts a new session.`
`146`		`-func (p *Provisioner) StartSession(username, password, snapshotID string, restricted bool,`
	`146`	`+func (p *Provisioner) StartSession(snapshotID string, user resources.EphemeralUser,`
`147`	`147`	`extraConfig map[string]string) (*resources.Session, error) {`
`148`	`148`	`snapshotID, err := p.getSnapshotID(snapshotID)`
`149`	`149`	`if err != nil {`
`@@ -181,22 +181,20 @@ func (p *Provisioner) StartSession(username, password, snapshotID string, restri`
`181`	`181`	`return nil, errors.Wrap(err, "failed to start a container")`
`182`	`182`	`}`
`183`	`183`
`184`		`- if err := p.prepareDB(appConfig, username, password, restricted); err != nil {`
	`184`	`+ if err := p.prepareDB(appConfig, user); err != nil {`
`185`	`185`	`return nil, errors.Wrap(err, "failed to prepare a database")`
`186`	`186`	`}`
`187`	`187`
`188`	`188`	`atomic.AddUint32(&p.sessionCounter, 1)`
`189`	`189`
`190`	`190`	`session := &resources.Session{`
`191`		`- ID: strconv.FormatUint(uint64(p.sessionCounter), 10),`
`192`		`- Pool: fsm.Pool().Name,`
`193`		`- Port: port,`
`194`		`- User: appConfig.DB.Username,`
`195`		`- SocketHost: appConfig.Host,`
`196`		`- EphemeralUser: username,`
`197`		`- EphemeralPassword: password,`
`198`		`- Restricted: restricted,`
`199`		`- ExtraConfig: extraConfig,`
	`191`	`+ ID: strconv.FormatUint(uint64(p.sessionCounter), 10),`
	`192`	`+ Pool: fsm.Pool().Name,`
	`193`	`+ Port: port,`
	`194`	`+ User: appConfig.DB.Username,`
	`195`	`+ SocketHost: appConfig.Host,`
	`196`	`+ EphemeralUser: user,`
	`197`	`+ ExtraConfig: extraConfig,`
`200`	`198`	`}`
`201`	`199`
`202`	`200`	`return session, nil`
`@@ -265,7 +263,7 @@ func (p Provisioner) ResetSession(session resources.Session, snapshotID string`
`265`	`263`	`return errors.Wrap(err, "failed to start a container")`
`266`	`264`	`}`
`267`	`265`
`268`		`- if err := p.prepareDB(appConfig, session.EphemeralUser, session.EphemeralPassword, session.Restricted); err != nil {`
	`266`	`+ if err := p.prepareDB(appConfig, session.EphemeralUser); err != nil {`
`269`	`267`	`return errors.Wrap(err, "failed to prepare a database")`
`270`	`268`	`}`
`271`	`269`
`@@ -566,7 +564,7 @@ func (p *Provisioner) scanCSVLogFile(ctx context.Context, filename string, avail`
`566`	`564`	`}`
`567`	`565`	`}`
`568`	`566`
`569`		`-func (p Provisioner) prepareDB(pgConf resources.AppConfig, username, password string, restricted bool) error {`
	`567`	`+func (p Provisioner) prepareDB(pgConf resources.AppConfig, user resources.EphemeralUser) error {`
`570`	`568`	`if !p.config.KeepUserPasswords {`
`571`	`569`	`whitelist := []string{p.dbCfg.Username}`
`572`	`570`
`@@ -575,7 +573,7 @@ func (p Provisioner) prepareDB(pgConf resources.AppConfig, username, password`
`575`	`573`	`}`
`576`	`574`	`}`
`577`	`575`
`578`		`- if err := postgres.CreateUser(pgConf, username, password, restricted); err != nil {`
	`576`	`+ if err := postgres.CreateUser(pgConf, user); err != nil {`
`579`	`577`	`return errors.Wrap(err, "failed to create user")`
`580`	`578`	`}`
`581`	`579`