Make safer use of postgres roles...

by separating ownership of the catalog database from its routine use.
2022-10-10 09:06:38 +01:00 · 2022-10-10 09:06:38 +01:00 · f499c6f58c
parent 9e1f9cf899
commit f499c6f58c
8 changed files with 80 additions and 36 deletions
--- a/58
+++ b/58
@ -1,24 +1,63 @@
+0. Preliminary configuration for postgresql

-0. Ensure you can connect to your default postgresql database.
-   I.e. that if you run
+These are one-time things to do, in that you can recreate and reload
+the catalog database any number of times without having to do these
+steps again.

-      psql
+Create a user to own the tables and a role to use the tables.  (The
+connection limits are merely suggestions.)

-   it connects and lets you run SQL.  To create the tables, run
+   # su - postgres
+   $ createuser --connection-limit=1 --createdb --echo pgc_owner
+   $ createuser --connection-limit=5 --no-login pgc_user

-      make -f Makefile.orig create-tables
+Configure postgres to allow connection to the catalog database by your
+postgres username, e.g. "irulan".  This is for the case that the
+postgres server runs on the same host.  Consult postgres's excellent
+documentation for other cases.

-   To load (most of) the Gutenberg catalog, run
+In pg_ident.conf, add two map lines so that the end of the file resembles this:

-      make -f Makefile.orig load-gutenberg
+   # MAPNAME       SYSTEM-USERNAME         PG-USERNAME
+   irulanmap       irulan                  irulan
+   irulanmap       irulan                  pgc_owner

-1. To install the perl modules, run (for example)
+In pg_hba.conf, modify the second "local" line, the one following the
+"postgres" line, so that it has a map option on the end.
+
+   local   all  all      peer map=irulanmap
+
+Tell postgres about these edits.
+
+   # systemctl reload postgres
+   
+At this point "irulan" has privilege to create and drop the catalog
+database.  Routine use of the database is more safely done by a
+username with lesser privilege, i.e. only the "pgc_user" role.  E.g.
+
+   $ psql
+   postgres=# grant pgc_user to fenring;
+   postgres=# \q
+
+1. As the operating system user "irulan", you should now be able to
+use any of the targets in Makefile.orig to create and load the catalog
+database.
+
+   $ make -f Makefile.orig PGC_DANGEROUS=1 rebuild-db
+   $ make -f Makefile.orig load-catalog
+
+At this point, "irulan" should be able to run the tests successfully
+with e.g.
+
+   $ prove -l
+
+2. To install the perl modules, run (for example)

      perl Makefile.PL INSTALL_BASE=~/.local
      make test
      make install

-2. To use these modules from your program, assuming the INSTALL_BASE
+3. To use these modules from your program, assuming the INSTALL_BASE
   suggested above,

      declare -x PERL5LIB="$HOME/.local/lib/perl5"
@ -27,4 +66,3 @@
   <https://tildegit.org/barnold/mojo-tutorial>).

 <barnold@tilde.club>
-
--- a/Makefile.orig
+++ b/Makefile.orig
@ -1,13 +1,23 @@
-.PHONY: drop-tables create-tables delete-rows load-gutenberg
+.PHONY: dangerous drop-db rebuild-db

-drop-tables:
-	psql --command="DROP TABLE IF EXISTS book, author;"
+dangerous:
+ifndef PGC_DANGEROUS
+	$(error Refusing to continue without PGC_DANGEROUS set.)
+endif

-create-tables: drop-tables
-	psql --file="create-tables.sql"
+drop-db: dangerous
+	dropdb --if-exists --username="pgc_owner" pg_book_catalog

-delete-rows:
-	psql --command="TRUNCATE TABLE book, author;"
+rebuild-db: drop-db
+	createdb --username="pgc_owner" pg_book_catalog \
+           "Tables for an import of the book catalog from Project Gutenberg."
+	psql --dbname="pg_book_catalog" --username="pgc_owner" \
+           --command="\set ON_ERROR_STOP" \
+           --command="BEGIN TRANSACTION;" \
+           --file="create-tables.sql" \
+           --command="COMMIT;"

-load-gutenberg: delete-rows
+load-catalog:
+	psql  --username="pgc_owner" pg_book_catalog \
+           --command="TRUNCATE TABLE book, author;"
 	bin/load-gutenberg.pl pg_catalog.csv
--- a/19
+++ b/19
@ -1,18 +1,8 @@
 ABOUT

-This is a small project using DBIx::Class and Test2::Suite to provide
-some of the gutenberg.org catalog in a relational database (PostgreSQL).
-
-A script creates the tables with SQL, I didn't attempt to use DBIx for
-that as yet.  The SQL and the make-schema script are for postgres
-since that was expedient for me.  It also assumes the simplest case
-where you have a default database that postgres will connect you to if
-you don't name one.
-
-The script bin/load-gutenberg.pl loads from the catalog file available
-from gutenberg.org, providing thousands of authors and book titles.
-Run it from the command line or via 'make -f Makefile.orig' load-gutenberg'.
-
+This is a small project to provide some of the gutenberg.org catalog
+in a relational database (PostgreSQL).  It has no affiliation with
+Project Gutenberg.

 COPYING

@ -22,5 +12,6 @@ Gutenberg project release their catalogs into the public domain.
 Otherwise, you may redistribute under the same terms as perl itself or
 under the GPL V3 or a later version, at your option.

-barnold <barnold@tilde.club>
+Comments are welcome at <barnold@tilde.club>.
+

--- a/bin/load-gutenberg.pl
+++ b/bin/load-gutenberg.pl
@ -61,7 +61,7 @@ printf("Count authors: %d\n", $count_auth);

 # Connect to postgres.
 my $dbh_pg = DBI->connect(
-   "dbi:Pg:", undef, undef,
+   "dbi:Pg:dbname=pg_book_catalog", "pgc_owner", undef,
   { AutoCommit => 0, RaiseError => 1, PrintError => 1 },
 ) or die $DBI::errstr;

--- a/create-tables.sql
+++ b/create-tables.sql
@ -21,3 +21,5 @@ row in the author table.';

 CREATE INDEX book_authid ON book (author_id);
 CREATE INDEX book_title ON book (title);
+
+GRANT SELECT ON author, book TO pgc_user;
--- a/t/00-author.t
+++ b/t/00-author.t
@ -10,9 +10,10 @@ use lib "$FindBin::Bin/../lib";
 # DBIx::Class is used implicitly via a 'Schema':
 use Book::Schema;
 use Test2::V0;
+use Test2::Plugin::BailOnFail;

 # Connect.
-my $schema = Book::Schema->connect('dbi:Pg:');
+my $schema = Book::Schema->connect('dbi:Pg:dbname=pg_book_catalog', 'pgc_owner');
 isa_ok($schema, ["Book::Schema"], "Acquired our Book::Schema object.");

 # Acquire ResultSet for Author.
--- a/t/01-books.t
+++ b/t/01-books.t
@ -7,9 +7,10 @@ use lib "$FindBin::Bin/../lib";
 # DBIx::Class is used implicitly via a 'Schema':
 use Book::Schema;
 use Test2::V0;
+use Test2::Plugin::BailOnFail;

 # Connect.
-my $schema = Book::Schema->connect('dbi:Pg:');
+my $schema = Book::Schema->connect('dbi:Pg:dbname=pg_book_catalog', 'pgc_owner');
 isa_ok(
   $schema, ["Book::Schema"],
   "Acquired our Book::Schema object."
--- a/t/02-failures.t
+++ b/t/02-failures.t
@ -6,9 +6,10 @@ use FindBin;
 use lib "$FindBin::Bin/../lib";
 use Book::Schema;
 use Test2::V0;
+use Test2::Plugin::BailOnFail;

 # Connect and acquire an author.
-my $schema = Book::Schema->connect('dbi:Pg:');
+my $schema = Book::Schema->connect('dbi:Pg:dbname=pg_book_catalog', 'pgc_owner');
 my $rset_author = $schema->resultset('Author');
 my $charles = $rset_author->find({ name => "Charles Dickens" });