chore: Add grants for appsmith user for embedded postgres #36664

Merged
merged 4 commits into from
Oct 4, 2024

Conversation

abhvsn
Contributor

@abhvsn abhvsn commented Oct 2, 2024

Description

PR to add the necessary grants to appsmith user when user opts for Postgres embedded DB.

fixes #36661

Automation

/test Sanity

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/11155064003
Commit: 1fb82e5
Cypress dashboard.
Tags: @tag.Sanity
Spec:


Thu, 03 Oct 2024 04:22:54 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • New Features

    • Introduced default values for PostgreSQL database connection parameters.
    • Added a new function to manage user permissions on database schemas.
  • Improvements

    • Enhanced the existing database initialization process to include permission granting after schema verification.
    • Updated documentation within the script for better clarity on new functionalities.

Contributor

coderabbitai bot commented Oct 2, 2024

Walkthrough

The pull request modifies the pg-utils.sh script to enhance PostgreSQL database management functionalities. It introduces default values for database connection parameters and adds a new function, grant_permissions_for_schema, to manage user permissions on schemas. The existing init_pg_db function is updated to include calls to this new function after verifying the existence of the database and schema, ensuring that the necessary permissions are granted to users.

Changes

File Change Summary
deploy/docker/fs/opt/appsmith/pg-utils.sh Added default values for DB_USER, DB_HOST, DB_PORT, DB_SCHEMA, DB_NAME, and postgres_admin_user. Introduced grant_permissions_for_schema function for managing schema permissions. Updated init_pg_db to call the new function after checking database and schema existence. Enhanced documentation with comments.

Assessment against linked issues

Objective Addressed Explanation
Add explicit permissions for appsmith user to create tables (#[36661])

Possibly related PRs

Suggested labels

Task

Suggested reviewers

  • sharat87
  • pratapaprasanna
  • AnaghHegde

In the script of PostgreSQL delight,
New functions and defaults take flight.
Granting permissions, oh what a sight,
For appsmith users, all feels just right!
With every change, the database sings,
A world of access and joy it brings! 🎉



@github-actions github-actions bot added Bug Something isn't working DB Infrastructure Pod Pod to handle database infrastructure High This issue blocks a user from building or impacts a lot of users Move to Postgres Issues required to be solved for the move to Postgres as repository layer Needs Triaging Needs attention from maintainers to triage Production labels Oct 2, 2024
@abhvsn abhvsn added ok-to-test Required label for CI and removed Bug Something isn't working High This issue blocks a user from building or impacts a lot of users Production Needs Triaging Needs attention from maintainers to triage Move to Postgres Issues required to be solved for the move to Postgres as repository layer DB Infrastructure Pod Pod to handle database infrastructure labels Oct 2, 2024
@github-actions github-actions bot added Bug Something isn't working DB Infrastructure Pod Pod to handle database infrastructure High This issue blocks a user from building or impacts a lot of users Move to Postgres Issues required to be solved for the move to Postgres as repository layer Needs Triaging Needs attention from maintainers to triage Production skip-changelog Adding this label to a PR prevents it from being listed in the changelog and removed Bug Something isn't working labels Oct 2, 2024
@abhvsn
Contributor Author

abhvsn commented Oct 2, 2024

/build-deploy-preview skip-tests=true

@github-actions github-actions bot added the Bug Something isn't working label Oct 2, 2024

github-actions bot commented Oct 2, 2024

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/11148781575.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 36664.
recreate: .

@github-actions github-actions bot added the Bug Something isn't working label Oct 3, 2024
@abhvsn abhvsn added ok-to-test Required label for CI and removed ok-to-test Required label for CI labels Oct 3, 2024
@github-actions github-actions bot removed the Bug Something isn't working label Oct 3, 2024
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (4)
deploy/docker/fs/opt/appsmith/pg-utils.sh (4)

3-9: Well done, class! Let's add a small improvement.

Good job setting up default values for our database connection parameters. This will make our script more flexible and easier to configure. However, let's make a small enhancement to improve clarity.

Consider adding a comment to explain the purpose of the postgres_admin_user variable. For example:

 DB_NAME="appsmith"
+# User with administrative privileges for PostgreSQL operations
 postgres_admin_user="postgres"

This will help other developers understand the role of this variable in our script. Remember, clear documentation is key to maintaining good code!


130-131: Excellent addition, but let's make it more consistent!

I'm pleased to see you've added the grant_permissions_for_schema function call. This is a crucial step in ensuring our database user has the necessary permissions. However, let's make a small adjustment for consistency.

Instead of hardcoding the schema name, let's use the DB_SCHEMA variable we defined earlier. This will make our code more maintainable and less prone to errors. Here's how we can improve it:

-      USER=$PG_DB_USER SCHEMA="appsmith" DB=$PG_DB_NAME HOST=$PG_DB_HOST PORT=$PG_DB_PORT grant_permissions_for_schema
+      USER=$PG_DB_USER SCHEMA=$DB_SCHEMA DB=$PG_DB_NAME HOST=$PG_DB_HOST PORT=$PG_DB_PORT grant_permissions_for_schema
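
Review bot: SCHEMA=$DB_SCHEMA on the added line would diverge from the schema that the surrounding init_pg_db code creates, because the existence message and `CREATE SCHEMA appsmith;` both use the literal name. If DB_SCHEMA is ever set to anything else, the grant targets a schema this function never created. Either keep the literal in all three places or move the check, the CREATE SCHEMA and the grant call to the same variable in one change.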

Remember, consistency is key in programming. By using our predefined variables, we ensure that any future changes to the schema name only need to be made in one place.


148-166: Excellent work on the new function! Let's add a bit of error handling.

I'm impressed with your grant_permissions_for_schema function. The documentation is clear, and the use of local variables with defaults is a smart approach. You've covered all the necessary permissions for our application to function correctly.

To make this function even more robust, let's add some basic error handling. This will help us identify and troubleshoot any issues that might occur during the permission granting process. Here's a suggestion:

 grant_permissions_for_schema() {
   local user=${USER-$DB_USER} schema=${SCHEMA-$DB_SCHEMA} db=${DB-$DB_NAME} host=${HOST-$DB_HOST} port=${PORT-$DB_PORT}
   tlog "Granting permissions to user '${user}' on schema '$schema' in database '$db' on host '$host' and port '$port'..."
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT ALL PRIVILEGES ON SCHEMA ${schema} TO ${user};"
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ${schema} TO ${user};"
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "ALTER DEFAULT PRIVILEGES IN SCHEMA ${schema} GRANT ALL PRIVILEGES ON TABLES TO ${user};"
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT CONNECT ON DATABASE ${db} TO ${user};"
+  if ! psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT ALL PRIVILEGES ON SCHEMA ${schema} TO ${user};" ; then
+    tlog "Error granting schema privileges to user '${user}'"
+    return 1
+  fi
+  if ! psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ${schema} TO ${user};" ; then
+    tlog "Error granting table privileges to user '${user}'"
+    return 1
+  fi
+  if ! psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "ALTER DEFAULT PRIVILEGES IN SCHEMA ${schema} GRANT ALL PRIVILEGES ON TABLES TO ${user};" ; then
+    tlog "Error altering default privileges for user '${user}'"
+    return 1
+  fi
+  if ! psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT CONNECT ON DATABASE ${db} TO ${user};" ; then
+    tlog "Error granting connect privilege to user '${user}'"
+    return 1
+  fi
+  tlog "Successfully granted all permissions to user '${user}'"
 }
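
Review bot: The role, schema and database names are spliced unquoted into the SQL text of all four `psql -c` calls, which run as ${postgres_admin_user}, so a name containing a space, a quote or a semicolon changes the statement the admin role executes. Emit each name as a double-quoted identifier with embedded double quotes doubled, and quote "${host}", "${port}" and "${db}" on the command line as well. Separately, `ALTER DEFAULT PRIVILEGES` without FOR ROLE only covers tables later created by the role that runs it, here the admin user, so it is worth confirming that this is the role that will own the application's tables.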

This modification will help us identify which specific permission grant failed, if any. It's always good practice to handle potential errors in our scripts. Keep up the great work!


171-172: Good job on adding examples! Let's make them even clearer.

I appreciate your effort in providing example usage for our functions. This will be very helpful for other developers who might use this script in the future. Well done!

To make these examples even more clear and educational, let's add a brief comment explaining what each example does. Here's a suggestion:

-# init_pg_db
-# USER="user" SCHEMA="schema" DB="db" HOST="host" PORT="port" grant_permissions_for_schema
+# Initialize the PostgreSQL database:
+# init_pg_db
+
+# Grant permissions for a specific user on a schema:
+# USER="user" SCHEMA="schema" DB="db" HOST="host" PORT="port" grant_permissions_for_schema

Remember, good documentation is like a good lesson plan - it helps others understand and learn from our work. Keep up the excellent work in making our code more accessible!

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between e625844 and 1fb82e5.

📒 Files selected for processing (1)
  • deploy/docker/fs/opt/appsmith/pg-utils.sh (3 hunks)
🧰 Additional context used
📓 Learnings (1)
deploy/docker/fs/opt/appsmith/pg-utils.sh (1)
Learnt from: abhvsn
PR: appsmithorg/appsmith#36664
File: deploy/docker/fs/opt/appsmith/pg-utils.sh:130-131
Timestamp: 2024-10-03T02:38:50.045Z
Learning: In `pg-utils.sh`, the schema is not part of the connection string and isn't available as an environment variable after `extract_postgres_db_params`.
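
An added example (not part of the PR or of pg-utils.sh; the function names are hypothetical) of issuing the four grant statements discussed in this review with every identifier quoted, built first and then run in a single transaction that stops on the first error:

```shell
# Added illustration, not code from pg-utils.sh. Function names are hypothetical.

# Print $1 as a double-quoted PostgreSQL identifier, doubling any embedded
# double quote so the value cannot terminate the identifier early.
# Quoted identifiers are case-sensitive, so pass the name exactly as created.
quote_ident() (
  [ -n "$1" ] || exit 1
  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
)

# Emit the four statements from the PR with every identifier quoted.
# Arguments: role, schema, database.
build_grant_sql() (
  role=$(quote_ident "$1") && schema=$(quote_ident "$2") \
    && db=$(quote_ident "$3") || exit 1
  printf 'GRANT ALL PRIVILEGES ON SCHEMA %s TO %s;\n' "$schema" "$role"
  printf 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA %s TO %s;\n' "$schema" "$role"
  printf 'ALTER DEFAULT PRIVILEGES IN SCHEMA %s GRANT ALL PRIVILEGES ON TABLES TO %s;\n' \
    "$schema" "$role"
  printf 'GRANT CONNECT ON DATABASE %s TO %s;\n' "$db" "$role"
)

# Build the SQL first, so nothing is sent if any name is rejected, then run it
# in one transaction that aborts on the first failing statement.
# Arguments: role, schema, database, host, port, admin user.
apply_grants() {
  sql=$(build_grant_sql "$1" "$2" "$3") || { echo "invalid identifier" >&2; return 1; }
  printf '%s\n' "$sql" | psql -X -v ON_ERROR_STOP=1 --single-transaction \
    -h "$4" -p "$5" -U "$6" -d "$3" -f -
}
```

Because the statements run in one transaction with ON_ERROR_STOP, a failed grant leaves none of the four applied and `apply_grants` returns psql's non-zero status for the caller to act on.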

Member

@AnaghHegde AnaghHegde left a comment

Minor nit, rest looks good to me

@@ -119,6 +127,8 @@ init_pg_db() {
echo "Schema 'appsmith' does not exist. Creating schema..."
psql -h "$PG_DB_HOST" -p "$PG_DB_PORT" -U postgres -d "$PG_DB_NAME" -c "CREATE SCHEMA appsmith;"
fi

USER=$PG_DB_USER SCHEMA="appsmith" DB=$PG_DB_NAME HOST=$PG_DB_HOST PORT=$PG_DB_PORT grant_permissions_for_schema
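
Review bot: The added call passes its arguments through USER, HOST and PORT, names that are often already present in the process environment (USER is normally the login name); wherever they are, a bare call to grant_permissions_for_schema would pick those values up instead of falling back to DB_USER and DB_HOST, because `${USER-$DB_USER}` only applies the default when the variable is unset. Positional parameters or function-specific variable names would avoid the collision. The call's exit status is also not checked, so init_pg_db carries on if a grant fails.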
Member

Why is the schema hardcoded here? Can you use the DB_SCHEMA here?

Contributor Author

Can be used, but kept it hardcoded as the other vars are exported env variables and didn't want to mix them up.

Member

If they can be modified then the concern is valid for the other fields as well like - user, database name

Contributor Author

Yeah that's why I'm using the env vars extracted from the other method.

@abhvsn abhvsn requested a review from AnaghHegde October 3, 2024 06:14
@abhvsn abhvsn merged commit 24e144e into release Oct 4, 2024
44 checks passed
@abhvsn abhvsn deleted the chore/add-permissions-for-pg-user branch October 4, 2024 04:47
Labels
DB Infrastructure Pod Pod to handle database infrastructure High This issue blocks a user from building or impacts a lot of users Move to Postgres Issues required to be solved for the move to Postgres as repository layer Needs Triaging Needs attention from maintainers to triage ok-to-test Required label for CI Production skip-changelog Adding this label to a PR prevents it from being listed in the changelog
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[Bug]: For embedded postgres appsmith user is unable to create tables because of the missing permission
2 participants