cleaning up
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/push Build is failing
Details
This commit is contained in:
parent
bb7539dcb6
commit
10f7aab3ed
39
README.md
39
README.md
|
@ -1,3 +1,10 @@
|
|||
### TODO before merge
|
||||
- testing and tests
|
||||
- need someone to test isolation of PostgreSQL users
|
||||
- handling for improper (missing values, unable to connect) config
|
||||
- make MySQLService and PostgreSQLService look nicer to read
|
||||
- check database.py
|
||||
|
||||
# pyceo
|
||||
[![Build Status](https://ci.csclub.uwaterloo.ca/api/badges/public/pyceo/status.svg?ref=refs/heads/v1)](https://ci.csclub.uwaterloo.ca/public/pyceo)
|
||||
|
||||
|
@ -33,7 +40,37 @@ On phosphoric-acid, you will additionally need to create a principal
|
|||
called `ceod/admin` (remember to addprinc **and** ktadd).
|
||||
|
||||
#### Database
|
||||
TODO - Andrew
|
||||
Edit the `/etc/csc/ceod.ini` with the credentials required to access MySQL and PostgreSQL
|
||||
```
|
||||
[mysql]
|
||||
host =
|
||||
username =
|
||||
password =
|
||||
|
||||
[postgresql]
|
||||
host =
|
||||
usrename =
|
||||
password =
|
||||
```
|
||||
#### PostgreSQL Database
|
||||
PostgreSQL is not designed for isolation of users and by default will allow any user to connect and edit any database. To disallow users to create public schema we run
|
||||
```
|
||||
su postgres
|
||||
psql
|
||||
|
||||
REVOKE ALL ON SCHEMA public FROM public;
|
||||
GRANT ALL ON SCHEMA public TO postgres;
|
||||
```
|
||||
We also want to change `pg_hba.conf` to only allow local connections and force the requested database to have the same name as the user creating the connection ([more info](https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html))
|
||||
```
|
||||
# TYPE DATABASE USER ADDRESS METHOD
|
||||
local all postgres peer
|
||||
local sameuser all md5
|
||||
```
|
||||
- peer authentication only requires that your os username matches the postgres username (no password)
|
||||
- Users will have access to list of databases and users, and this cannot be disabled without possible issues ([more info](https://wiki.postgresql.org/wiki/Shared_Database_Hosting#template1))
|
||||
- [Managing rights in PostgreSQL](https://wiki.postgresql.org/images/d/d1/Managing_rights_in_postgresql.pdf)
|
||||
|
||||
|
||||
#### Dependencies
|
||||
Next, install and activate a virtualenv:
|
||||
|
|
|
@ -2,7 +2,7 @@ from flask import Blueprint, request
|
|||
from zope import component
|
||||
from ceod.api.utils import authz_restrict_to_staff, authz_restrict_to_syscom, \
|
||||
user_is_in_group, requires_authentication_no_realm, \
|
||||
create_streaming_response, create_sync_response, development_only
|
||||
create_streaming_response, development_only
|
||||
from ceo_common.errors import UserNotFoundError, DatabaseConnectionError
|
||||
from ceo_common.interfaces import IDatabaseService
|
||||
|
||||
|
@ -10,6 +10,8 @@ from ceo_common.interfaces import IDatabaseService
|
|||
bp = Blueprint('db', __name__)
|
||||
|
||||
# could combine create_mysql_db and create_postgresql_db into one function
|
||||
# catch other less expected errors (mysql or psql error)
|
||||
# handle if user somehow dropped their database
|
||||
|
||||
|
||||
@bp.route('/mysql/<username>', methods=['POST'])
|
||||
|
|
|
@ -9,7 +9,6 @@ import ceod.utils as utils
|
|||
@implementer(IDatabaseService)
|
||||
class MySQLService:
|
||||
def __init__(self):
|
||||
# how to set default values for these
|
||||
self.type = 'mysql'
|
||||
config = component.getUtility(IConfig)
|
||||
self.host = config.get('mysql_host')
|
||||
|
|
|
@ -15,20 +15,6 @@ class PostgreSQLService:
|
|||
self.auth_username = config.get('postgresql_username')
|
||||
self.auth_password = config.get('postgresql_password')
|
||||
|
||||
# https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html
|
||||
# pg_hba.conf only listen to localhost and only allow users to login to database with the same name as user
|
||||
# local sameuser all localhost md5
|
||||
# need different line for syscom
|
||||
|
||||
# Allow only postgres to create on the schema public
|
||||
# REVOKE ALL ON SCHEMA public FROM PUBLIC;
|
||||
# GRANT ALL ON SCHEMA public TO postgres;
|
||||
|
||||
# by default all database created are open to connection from anyone
|
||||
# only the owner (and superusers) can ever drop a database
|
||||
|
||||
# note that pg_catalog allows access list of database and user names for everyone and cannot be disabled with breaking some things
|
||||
|
||||
def create_db(self, username: str) -> str:
|
||||
component.getUtility(ILDAPService).get_user(username) # make sure user exists
|
||||
password = utils.gen_password()
|
||||
|
@ -39,7 +25,7 @@ class PostgreSQLService:
|
|||
user=self.auth_username,
|
||||
password=self.auth_password,
|
||||
) as con:
|
||||
# limit access to localhost?
|
||||
# only the owner (and superusers) can ever drop a database
|
||||
search_for_user = "SELECT FROM pg_roles WHERE rolname='%(username)s'"
|
||||
create_user = "CREATE USER %(username)s WITH NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '%(password)s'"
|
||||
create_database = "CREATE DATABASE %(username)s"
|
||||
|
|
|
@ -8,3 +8,4 @@ requests-gssapi==1.2.3
|
|||
zope.component==5.0.1
|
||||
zope.interface==5.4.0
|
||||
mysql-connector-python==8.0.26
|
||||
psycopg2==2.9.1
|
Loading…
Reference in New Issue