postgres: Adding docs for creating a read only user. #2168
Reached out to the SMEs about some possible approaches for creating read-only users on our platform. Useful in cases where a customer wants to limit a user's ability to access data.
Many thanks for adding these instructions :-)
@@ -0,0 +1,15 @@ | |||
Read Only User for PostgreSQL |
Restrict access to databases or tables in Aiven for PostgreSQL®
============================= | ||
In the interest of having users with the least permissions to complete their tasks, one may need a user with read only access to the whole database or a handful of tables. In some cases, we may want this to happen automatically, below are two approaches to complete this task. | ||
All new objects shall have a role with read-only permissions |
Set read-only access in a schema
--------------------------------
You can set up the read-only access for a specific user's role in a particular schema.
2. To update any existing database objects, run the following: ``GRANT SELECT ON ALL TABLES IN SCHEMA <schema name> to <myreadonlyrole>;`` | ||
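Review bot: `GRANT SELECT ON ALL TABLES IN SCHEMA` on its own does not make the tables reachable; the role also needs `GRANT USAGE ON SCHEMA <schema name> TO <myreadonlyrole>;` (and CONNECT on the database, which PUBLIC holds by default), otherwise every query from that role fails with "permission denied for schema". Suggest adding that grant as a step before this one, and writing `TO` in the same case as the rest of the statement.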
Only certain databases should be read-only for users in a particular role: |
Set read-only access in a database
----------------------------------
You can set up the read-only access for a specific user's role in a particular database.
docs/products/postgresql/howto.rst
Outdated
@@ -40,6 +40,7 @@ Aiven for PostgreSQL® how-tos | |||
- :doc:`Prevent PostgreSQL® full disk issues </docs/products/postgresql/howto/prevent-full-disk>` | |||
- :doc:`Enable and use pgvector on Aiven for PostgreSQL® </docs/products/postgresql/howto/use-pgvector>` | |||
- :doc:`Check size of a database, a table or an index </docs/products/postgresql/howto/pg-object-size>` | |||
- :doc:`Add Read Only User </docs/products/postgresql/howto/readonly-user>` |
Please change the title to "Restrict access to databases or tables in Aiven for PostgreSQL®".
Also, there's another listing file to be updated: please add the new document to the /docs/products/postgresql/howto/list-dba-tasks.rst file.
@@ -0,0 +1,15 @@ | |||
Read Only User for PostgreSQL | |||
============================= | |||
In the interest of having users with the least permissions to complete their tasks, one may need a user with read only access to the whole database or a handful of tables. In some cases, we may want this to happen automatically, below are two approaches to complete this task. |
Please rephrase into the following:
This article shows how you can restrict access to Aiven for PostgreSQL® databases and tables by setting up read-only permissions for specific user's roles.
Only certain databases should be read-only for users in a particular role: | ||
========================================================================== | ||
1. Create a new database which will be used as a template ``CREATE DATABASE ro_<name>_template...`` |
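Review bot: the `=` underline puts this section at the same level as the document title, while the other approach uses `-`; use `-` here as well. The statement also stops at `ro_<name>_template...`, which leaves out the part that makes the template read-only: state which privileges are granted or revoked in the template before it is cloned with `CREATE DATABASE <name> WITH TEMPLATE ro_<name>_template`, and note that a database can only be used as a template while no other sessions are connected to it.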
Please rephrase the steps as follows:

1. Create a template database by running the following query:

   .. code-block:: bash

      CREATE DATABASE ro_TEMPLATE_DATABASE_NAME_template

2. Update the standardizable information of the template database. (***how?)

3. Create a new database that uses the template database.

   .. code-block:: bash

      CREATE DATABASE DATABASE_NAME WITH TEMPLATE = 'ro_TEMPLATE_DATABASE_NAME_template'

*** Please also add how the user updates the standardizable information of the template database if possible.
The standard information in this case would be the specific permissions that the CU would like to have be part of their template. Shall I say apply standard permissions & roles instead?
Thanks, that makes sense! How about:

2. For the new template database, set permissions and roles that you want as default ones in the template.
All new objects shall have a role with read-only permissions | ||
------------------------------------------------------------ | ||
1. Alter the default permissions for the role for the given schema: ``ALTER DEFAULT PRIVILEGES FOR ROLE <target role> IN SCHEMA <schema name> abbreviated_grant_or_revoke`` |
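Review bot: `ALTER DEFAULT PRIVILEGES FOR ROLE <target role>` only affects objects that `<target role>` itself creates afterwards; tables created by any other role in the schema get no grant, so `<target role>` must be the role that owns and creates the objects (not the read-only role), and the page should say so. `abbreviated_grant_or_revoke` also reads like syntax rather than a placeholder; spell out the intended clause, e.g. `GRANT SELECT ON TABLES TO <myreadonlyrole>`, and end the statement with `;` like the GRANT in the other step.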
Please rephrase the steps as follows:

1. Modify default permissions for a user's role in a particular schema.

   .. code-block:: bash

      ALTER DEFAULT PRIVILEGES FOR ROLE NAME_OF_ROLE IN SCHEMA NAME_OF_SCHEMA YOUR_GRANT_OR_REVOKE_PERMISSIONS

2. Apply the new read-only access setting to your existing database objects that use the affected schema.

   .. code-block:: bash

      GRANT SELECT ON ALL TABLES IN SCHEMA NAME_OF_SCHEMA to NAME_OF_READ_ONLY_ROLE

What do you mean by abbreviated_grant_or_revoke? Is this a "hard" part of the code or a placeholder for including a relevant value?
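The two steps in the comment above (default privileges for objects created later, then a grant for objects that already exist) as one complete least-privilege setup, added here as an example rather than code from the PR or from Aiven's documentation. The names `app_db`, `app`, `app_owner` and `ro_reader` and the password are placeholders; it assumes `app_owner` owns the `app` schema and that the script is run by a role that is a member of `app_owner` (or a superuser), because `ALTER DEFAULT PRIVILEGES FOR ROLE` and `SET ROLE` require that membership. It goes slightly beyond the comment by adding the schema `USAGE` grant and a privilege check with the `has_schema_privilege` / `has_table_privilege` functions.

```sql
-- Added example (not from the PR): least-privilege read-only role for one schema.
-- Placeholders: database app_db, schema app, object-owning role app_owner,
-- reader role ro_reader. Run as a member of app_owner or as a superuser.

-- 1. A login role that owns nothing and cannot create databases or roles.
CREATE ROLE ro_reader WITH LOGIN PASSWORD 'REPLACE_ME'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Database level: the role may only connect.
GRANT CONNECT ON DATABASE app_db TO ro_reader;

-- 3. Schema level: USAGE is required before any object in the schema can be referenced.
GRANT USAGE ON SCHEMA app TO ro_reader;

-- 4. Objects that already exist in the schema.
GRANT SELECT ON ALL TABLES IN SCHEMA app TO ro_reader;

-- 5. Objects created later by app_owner in this schema. FOR ROLE names the creator,
--    not the reader; tables created by any other role need their own statement.
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA app
    GRANT SELECT ON TABLES TO ro_reader;

-- Check: a table created by app_owner after step 5 must be readable but not writable.
SET ROLE app_owner;
CREATE TABLE app.orders (id integer PRIMARY KEY, total numeric);
RESET ROLE;

SELECT has_schema_privilege('ro_reader', 'app', 'USAGE')        AS schema_usage,
       has_table_privilege('ro_reader', 'app.orders', 'SELECT') AS can_read,
       has_table_privilege('ro_reader', 'app.orders', 'INSERT') AS can_write;
```

The final query should report `schema_usage` and `can_read` as true and `can_write` as false for `ro_reader`. If `can_read` comes back false for a table created after step 5, the table was created by a role other than `app_owner`, which the default privileges do not cover; repeat step 5 with that role as the `FOR ROLE` target.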
RE: abbreviated_grant_or_revoke, yes, that is something the user would have to replace with their desired permissions. Shall I replace it with <grant or revoke>?
Let's use YOUR_GRANT_OR_REVOKE_PERMISSIONS.
Also, we usually use all-caps (a word with all the letters in upper case) for variables or placeholders (as in YOUR_GRANT_OR_REVOKE_PERMISSIONS). I see you use it for whole queries. Is it possible for you to update the queries by replacing all-caps words/expressions with lower case unless otherwise required by the SQL standard?
Per the comments on the PR, I am fixing these docs to be more presentable.
@@ -39,7 +39,7 @@ Database administration tasks | |||
:shadow: md | |||
:margin: 2 2 0 0 | |||
|
|||
.. grid-item-card:: :doc:`Use the PostgreSQL® pg_repack extension </docs/products/postgresql/howto/use-pg-repack-extension>` | |||
.. grid-item-card:: :doc:`Use the PostgreSQL® pg_repack extension </docs/productspostgresql/howto/use-pg-repack-extension>` |
In </docs/productspostgresql/howto/use-pg-repack-extension>, the slash is missing after products.
Queries don't have to be strictly uppercase. In order to be consistent with doc team standards, making the variables capitalized.
Thank you :-)
What changed, and why it matters
Added a page on how to create read-only users on our platform. Helpful for deflecting support requests. Reached out to the SMEs about some possible approaches for creating read-only users on our platform. Useful in cases where a customer wants to limit a user's ability to access data.