Skip to content

Add new databases new users new roles with selective permission #56

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lecping wants to merge 11 commits into
base: main
Choose a base branch
from
Open

Add new databases new users new roles with selective permission #56

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
edd10e3
feat(datamodel): add username to metadata warehouse
lecping Dec 16, 2025
e5f04dc
feat(datamodel): add four databases for metadata warehouse
lecping Dec 16, 2025
a2aeb82
feat(datamodel): configure dataset DB for user roles and permission
lecping Dec 16, 2025
e274909
feat(datamodel): configure file DB for user roles and permission
lecping Dec 16, 2025
6e29501
feat(datamodel): configure tool DB for user roles and permission
lecping Dec 16, 2025
69ca6f7
feat(datamodel): configure user DB for user roles and permission
lecping Dec 16, 2025
01d85de
refactor: rename `userDB` to `appDB`
vemonet Jan 14, 2026
9c9d1b8
feat(datamodel): add database-level role-based access control template
lecping Feb 12, 2026
8a57948
fix(datamodel): initialize database with postgres superuser and defau…
lecping Feb 12, 2026
757f86c
fix(datamodel): initialize user with limited privilleges
lecping Feb 12, 2026
dcde94d
feat(datamodel): grant user-role to database-level role from role-bas…
lecping Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions scripts/postgres_data/create_sql/createDB.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
-- database to store metadata about datasets
CREATE DATABASE datasetDB;
Copy link
Collaborator

@tobiasschweizer tobiasschweizer Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this relate to existing DB structure? Is datasetDB supposed to replace the existing DB structure?

Copy link
Collaborator

@tobiasschweizer tobiasschweizer Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If yes, then this structure would have to comply with what we currently have since the existing code depends on it (SQL queries, FastAPI)

Copy link
Collaborator

@tobiasschweizer tobiasschweizer Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if admin is going to be replaced by datasetDB, then this would need to be adapted when creating the psycopg client as now it is assumed that the db user and the db name are the same.

Copy link
Collaborator Author

@lecping lecping Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes it will be the case, I can update accordingly. with a database and user of the same name "admin"is not easy for monitoring purpose.

Copy link
Collaborator Author

@lecping lecping Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will open another PR after Michal copied the data from postgres DB to datasetDB.

-- database to store metadata about file registry from datasets
CREATE DATABASE fileDB;
-- database to store metadata about tool registry
CREATE DATABASE toolDB;
-- database to store metadata about user usage and query
CREATE DATABASE userDB;
41 changes: 41 additions & 0 deletions scripts/postgres_data/create_sql/datasetDBconfig.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
-- ---------------------------
-- DATABASE 1 – Dataset / FAIR, connect to datasetDB first
-- ---------------------------
\c datasetDB

-- Create roles
CREATE ROLE datasetDB_read;
CREATE ROLE datasetDB_readwrite;
CREATE ROLE datasetDB_admin;

GRANT CONNECT ON DATABASE datasetDB TO datasetDB_read, datasetDB_readwrite, datasetDB_admin;

-- READ
GRANT USAGE ON SCHEMA public TO datasetDB_read;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO datasetDB_read;

-- READWRITE
GRANT USAGE, CREATE ON SCHEMA public TO datasetDB_readwrite;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO datasetDB_readwrite;

-- ADMIN
GRANT ALL PRIVILEGES ON DATABASE datasetDB TO datasetDB_admin;
GRANT ALL PRIVILEGES ON SCHEMA public TO datasetDB_admin;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO datasetDB_admin;

-- Future tables inherit permissions
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT ON TABLES TO datasetDB_read;

ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT, INSERT, UPDATE ON TABLES TO datasetDB_readwrite;

ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT ALL ON TABLES TO datasetDB_admin;

-- Read
GRANT datasetDB_read TO reggie, jusong, ritwik;
-- Read/Write, script cannot delete important
GRANT datasetDB_readwrite TO script;
-- Admin
GRANT datasetDB_admin TO tobias, josip, michal, ping, vincent;
43 changes: 43 additions & 0 deletions scripts/postgres_data/create_sql/fileDBconfig.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
-- ---------------------------
-- DATABASE 2 – File Registry, connect to fileDB first
-- ---------------------------
\c fileDB

-- Create roles
CREATE ROLE fileDB_read;
CREATE ROLE fileDB_readwrite;
CREATE ROLE fileDB_admin;

GRANT CONNECT ON DATABASE fileDB TO fileDB_read, fileDB_readwrite, fileDB_admin;

-- READ
GRANT USAGE ON SCHEMA public TO fileDB_read;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO fileDB_read;

-- READWRITE
GRANT USAGE, CREATE ON SCHEMA public TO fileDB_readwrite;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES TO fileDB_readwrite;

-- ADMIN
GRANT ALL PRIVILEGES ON DATABASE fileDB TO fileDB_admin;
GRANT ALL PRIVILEGES ON SCHEMA public TO fileDB_admin;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO fileDB_admin;

-- Future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT ON TABLES TO fileDB_read;

ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT, INSERT, UPDATE ON TABLES TO fileDB_readwrite;

ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT ALL ON TABLES TO fileDB_admin;

-- Read
GRANT fileDB_read TO tobias, josip, ping, vincent, ritwik;

-- Read/Write, script cannot delete important
GRANT fileDB_readwrite TO script;

-- Admin
GRANT fileDB_admin TO michal, reggie, jusong, eko;
42 changes: 42 additions & 0 deletions scripts/postgres_data/create_sql/toolDBconfig.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
-- ---------------------------
-- DATABASE 3 – Tool Registry, connect to toolDB first
-- ---------------------------
/c toolDB
-- Create roles
CREATE ROLE toolDB__read;
CREATE ROLE toolDB__readwrite;
CREATE ROLE toolDB__admin;

GRANT CONNECT ON DATABASE toolDB TO toolDB_read, toolDB_readwrite, toolDB_admin;

-- READ
GRANT USAGE ON SCHEMA public TO toolDB_read;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO toolDB_read;

-- READWRITE
GRANT USAGE, CREATE ON SCHEMA public TO toolDB_readwrite;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES TO toolDB_readwrite;

-- ADMIN
GRANT ALL PRIVILEGES ON DATABASE toolDB TO toolDB_admin;
GRANT ALL PRIVILEGES ON SCHEMA public TO toolDB_admin;
GRANT ALL PRIVILEGES ON ALL TABLES TO toolDB_admin;

-- Future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT ON TABLES TO toolDB_read;

ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT, INSERT, UPDATE ON TABLES TO toolDB_readwrite;

ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT ALL ON TABLES TO toolDB_admin;

-- Read
GRANT toolDB__read TO tobias, josip, ping, vincent, ritwik;

-- Read/Write, script cannot delete important
GRANT toolDB__readwrite TO script;

-- Admin
GRANT toolDB__admin TO michal, jusong, reggie, eko;
15 changes: 15 additions & 0 deletions scripts/postgres_data/create_sql/user.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
---------------------------------------------------------
-- CREATE GOLOBAL USERS

CREATE ROLE reggie LOGIN PASSWORD 'reggie';
Copy link
Collaborator

@tobiasschweizer tobiasschweizer Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there another way to manage user? This seems hard to maintain as new users will join the project.

Copy link
Collaborator Author

@lecping lecping Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can write a procedure to skip those roles which have been already created before. So far we still do not have procedure.

Copy link
Collaborator Author

@lecping lecping Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we have to manually manage the user in user.sql and their access in access.sql assuming that we will not have more than 10 new users every year

CREATE ROLE jusong LOGIN PASSWORD 'jusong';
CREATE ROLE ritwik LOGIN PASSWORD 'ritwik';
CREATE ROLE tobias LOGIN PASSWORD 'tobias';
CREATE ROLE josip LOGIN PASSWORD 'josip';
CREATE ROLE michal LOGIN PASSWORD 'michal';
CREATE ROLE ping LOGIN PASSWORD 'ping';
CREATE ROLE vincent LOGIN PASSWORD 'vincent';
CREATE ROLE eko LOGIN PASSWORD 'eko';

-- System service accounts
CREATE ROLE script LOGIN PASSWORD 'script';
44 changes: 44 additions & 0 deletions scripts/postgres_data/create_sql/userDBconfig.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@

-- ---------------------------
-- DATABASE 4 – User History, connect to userDB first
-- ---------------------------
/c userDB

-- Create roles
CREATE ROLE userDB_read;
CREATE ROLE userDB_readwrite;
CREATE ROLE userDB_admin;

GRANT CONNECT ON DATABASE userDB TO userDB_read, userDB_readwrite, userDB_admin;

-- READ
GRANT USAGE ON SCHEMA public TO userDB_read;
GRANT SELECT ON ALL TABLES TO userDB_read;

-- READWRITE
GRANT USAGE, CREATE ON SCHEMA public TO userDB_readwrite;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES TO userDB_readwrite;

-- ADMIN
GRANT ALL PRIVILEGES ON DATABASE userDB TO userDB_admin;
GRANT ALL PRIVILEGES ON SCHEMA public TO userDB_admin;
GRANT ALL PRIVILEGES ON ALL TABLES TO userDB_admin;

-- Future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT ON TABLES TO userDB_read;

ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT, INSERT, UPDATE ON TABLES TO userDB_readwrite;

ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT ALL ON TABLES TO userDB_admin;

-- Read
GRANT userDB_read TO jusong, reggie, josip, tobias;

-- Read/Write, script cannot delete important
GRANT userDB_readwrite TO script;

-- Admin
GRANT userDB_admin TO michal, vincent, ritwik, ping;