-
-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Why are migrations not always run as the root user/why does graphile-migrate require multiple users? #215
Comments
Postgres is an RDBMS, a relational database management system, designed to manage multiple databases. Each database will typically be used with a different application, and for security one application’s credentials should not be able to view, modify, destroy or corrupt another application’s database. To achieve this, each database has an “owner” which is like a mini-superuser; the owner can do most things inside the database: create/alter/drop tables, views, function, policies, permissions, etc, but cannot affect other databases (if permissions are carefully set up). We call this owner role the app user, since it’s the user used by this app to own the database. You may use whatever role you want; Migrate doesn’t care. Use the superuser role if you want, though I’d advise against it from a security point of view: I wouldn’t want the app user credentials being able to alter the template database or install untrusted extensions like |
Thank you for your in-depth response - let me see if I have this down correctly:
This variable is used to access a superuser, typically named The Given the privileges of
This variable is used to access the owner of the given database, named The owner is also a privileged account but should not be able to leave the context of its own database. This limits its ability to install extensions and cause other problems in case one or more migrations prove problematic (an example would be a bug inside a I think I was confused by the Perhaps this could be clarified in the docs in some way, e.g. by renaming Again, many thanks for your help as well as your work on graphile-migrate @benjie - I'm liking it really well so far! |
With a slight clarification that cluster-level actions (create database, create user, etc) should never happen in migrations anyway, essentially you have the crux of it, yes. Also I wouldn’t necessarily forbid ROOT_DATABASE_URL being used in prod, it may be needed for a hook like beforeAllMigrations, perhaps to ensure all the extensions are installed and all the user accounts exist. Feel free to submit a PR renaming appuser to dbowner, that seems reasonable. Often the dbowner role will be the role your application uses to connect to the database; for example Rails would use the owner role. Some more secure setups, for example a PostGraphile instance, might be more cautious and use a lower privileged role instead, but often even then privileged code such as background workers and code related to account management will use the owner role as it bypasses things like row level security. So typically it is the role the app uses. |
I'll get back to you with a PR for After doing some more thinking, what are your thoughts on |
Sure!
|
Great, thank you very much! I'm currently looking at migrating the postgis extension to v5 (graphile/postgis#58) but I'll make a PR for this issue in a few days as well. |
As noted in graphile#215, the naming `appuser` may confuse users into thinking the account to use for DATABASE_URL is the same as the account that should be used by the application to connect to the database. While this may be true in some setups, it is not a hard requirement (see the discussion in graphile#215 for further details). resolves graphile#215
As noted in graphile#215, the naming `appuser` may confuse users into thinking the account to use for DATABASE_URL is the same as the account that should be used by the application to connect to the database. While this may be true in some setups, it is not a hard requirement (see the discussion in graphile#215 for further details). resolves graphile#215
Summary
My initial experimentation with grahile-migrate has had me run into a few issues with permissions (for example, see the discussion in #214 ). More specifically:
CREATE EXTENSION
statements because they sometimes require superuser access.DATABASE_URL
credentials to apply migrations. However, the documentation explicitly uses another user thanROOT_DATABASE_URL
for this connection calledappuser
. However, I do not want my application user to runCREATE TABLE
/DROP TABLE
etc..So far, this has led to me creating a "special"
graphile_migrate
user with permissions to apply changes. However, given the constant permission issues, this user is essentially becoming another superuser to secure. Therefore, I'm thinking of just switchingDATABASE_URL
to use the same admin user asROOT_DATABASE_URL
instead.My question is why
DATABASE_URL
is documented to use anappuser
rather thanroot
/postgres
? Are there specific reasons graphile-migrate requires multiple users or security concerns with using theroot
/postgres
user?The text was updated successfully, but these errors were encountered: