Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Website database admin #15

Open
jrmerz opened this issue Aug 6, 2024 · 2 comments
Open

Website database admin #15

jrmerz opened this issue Aug 6, 2024 · 2 comments
Assignees
@jrmerz @wrenaria @UcDust
Labels
website Website task

Comments

@jrmerz
Copy link
Contributor

jrmerz commented Aug 6, 2024

Functionality overview:

Screenshot 2024-08-06 at 11 25 48 AM

Functional screenshots:

User view:
Screenshot 2024-08-06 at 11 31 50 AM

Table view:
Screenshot 2024-08-06 at 11 32 04 AM

Edit View:
Screenshot 2024-08-06 at 11 33 05 AM
@jrmerz jrmerz added the website Website task label Aug 6, 2024
@jrmerz jrmerz mentioned this issue Aug 6, 2024
Open
@wrenaria
Copy link

wrenaria commented Oct 7, 2024

@jrmerz A few questions --

1. Adding Users
Can you provide some parameters on how users are added? It seems like you will need to support a mix of CAS and other. Do you need different fields for adding those different types of accounts? Like just the Kerberos username for UC Davis CAS and more fields for other? Which ones are required vs optional?

Example fields --

  • Username
  • Display name
  • Password
  • Email

Do users have any power over managing their own account (like changing their password or display name, deleting their account from a database)?

2. Roles
Are roles customizable, or does read + write/execute cover the user needs?

@jrmerz
Copy link
Contributor Author

jrmerz commented Oct 8, 2024

@wrenaria

Accounts

A CAS username is (currently) all that's required to add a user to a database. Then there are two types of (human) user accounts for a pg farm database; normal and admin. So the only fields required to create an account are:

  • CAS Username
  • Account Type (should default to normal)

The admin account type is allowed to:

  • Add/Remove other users
  • Grant/Revoke user access to schema, tables, views, etc
  • Login as the postgres user, ie the superuser account and preform any action on the database.

Allowing non-cas users will be a design TODO for later (probably after launch).

Passwords are handled by CAS.

Roles

Roles are more tricky. Postgres has a role system, where you can assign access to tables/views/functions to roles and then assign roles to users. However, normal user accounts are a role as well, and can be directly assigned access to tables/views/functions. Additionally, there are A LOT of different permissions for the various database types (tables/views/functions/sequences, etc) https://www.postgresql.org/docs/current/ddl-priv.html .

My approach. PG Farm has simplified commands so an admin can think in terms of granting read or read+write access to a single table/view/function or they can grant read or read+write access to ALL objects (again tables/views/functions) in a schema (databases have multiple schemas).

It's my goal to push researchers to think of user access on the schema level, to simplify their lives. ie jrmerz has access to database my-cool-database and read access to everything in schema foo.

*A final foot note. Say I grant jrmerz read access to schema foo using the PG Farm helper method described above. If a another user adds another table to schema foo, jrmerz will not have access to the new table unless the 'grant schema access' command is run again. This is a pattern/problem, I'm hoping we can help smooth out, but I have to great thoughts how to attack as of yet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jrmerz jrmerz

@wrenaria wrenaria

@UcDust UcDust

Labels
website Website task
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jrmerz @wrenaria @UcDust