#3882 - EDW API - DB User Part 1

[bidyashish]

Technical

Need to create a read only DB user for the EDW API rather than using the admin user.

• Create new read only DB user with access to all tables

Demo

HELM Upgrade

1. make upgrade NAMESPACE=a6ef19-dev
   

Crunchy read-only-user setup

Steps to Perform in Master Node of Postgres

1. Wait around 20 mins to deploy helm chart completely after Helm upgrade.
2. Run connect-[ENV]-db-superuser for each environment from ~/sources/makefile eg. make connect-dev-db-superuser MASTER_POD=pod_id
3. For superuser credentials please look into openshift secrets. Secret name: simsdb-pguser-postgres Secret key names: user and password.
4. Once connected to Database as superuser, run the following commands.

GRANT USAGE ON SCHEMA information_schema TO "read-only-user";
GRANT USAGE ON SCHEMA sims TO "read-only-user";
GRANT SELECT ON ALL TABLES IN SCHEMA sims TO "read-only-user";
ALTER DEFAULT PRIVILEGES IN SCHEMA sims GRANT SELECT ON TABLES TO "read-only-user";

Wiki Updated to https://github.com/bcgov/SIMS/wiki/DevOps-and-Running-the-Application#crunchy-backup-and-restore

Need to update User to
EDW Repo
https://github.com/bcgov/aest-api/blob/bdb09cefe7fbf761624109cac0d193072cc70de1/openshift/sims_dc.yaml#L101C29-L101C60

[guru-aot]

Please apply the command upgrade 'make upgrade NAMESPACE={{dev-namespace}}', which is working and confirm if the commands above is enough to access the schema and its objects.

I think you may not need
GRANT CONNECT ON DATABASE simsdb TO "read-only-user";

Please confirm. Also provide proof of upgrade in dev as a screenshot.

Thanks

[bidyashish]

Please apply the command upgrade 'make upgrade NAMESPACE={{dev-namespace}}', which is working and confirm if the commands above is enough to access the schema and its objects.

I think you may not need GRANT CONNECT ON DATABASE simsdb TO "read-only-user";

Please confirm. Also provide proof of upgrade in dev as a screenshot.

Thanks

Thanks @guru-aot
Nice catch, CONNECT permission removed from Wiki and PR info, I tested it without CONNECT and it seems to work fine

HELM Upgrade screenshot added.

[bidyashish]

Note:
Permission GRANT USAGE ON SCHEMA information_schema TO "read-only-user"; is added in Wiki and PR.

Above permission is needed to view all table in SIMS schema for DB Beaver(not tested) and Datagrip(tested).

[dheepak-aot]

Minor spelling not right on prefered preferred

[bidyashish]

Thanks @dheepak-aot ,
All words of prefered is changed to preferred .

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Backend Unit Tests Coverage Report

Totals
Statements:	22.49% ( 3850 / 17122 )
Methods:	10.37% ( 224 / 2161 )
Lines:	25.88% ( 3322 / 12837 )
Branches:	14.31% ( 304 / 2124 )

[github-actions]

E2E Workflow Workers Coverage Report

Totals
Statements:	65.59% ( 589 / 898 )
Methods:	59.63% ( 65 / 109 )
Lines:	68.72% ( 468 / 681 )
Branches:	51.85% ( 56 / 108 )

[github-actions]

E2E Queue Consumers Coverage Report

Totals
Statements:	86.14% ( 1249 / 1450 )
Methods:	82.42% ( 136 / 165 )
Lines:	88.51% ( 1032 / 1166 )
Branches:	68.07% ( 81 / 119 )

[dheepak-aot]

Thanks for doing the changes @bidyashish . Looks good 👍

Please update the wiki(if not already updated) with the SQL scripts for read-only-user.

And also add release instructions to execute the SQL pertaining to read-only-user https://app.zenhub.com/workspaces/student-information-management-system-5fce9df5aa1b45000e937014/issues/zh/276

[github-actions]

E2E SIMS API Coverage Report

Totals
Statements:	67.77% ( 5992 / 8842 )
Methods:	65.54% ( 738 / 1126 )
Lines:	71.62% ( 4695 / 6555 )
Branches:	48.15% ( 559 / 1161 )

[guru-aot]

LGTM, nice work @bidyashish

[andrewsignori-aot]

Thanks for making the changes, looks good 👍