search

CartoDB / cartodb-postgresql

PostgreSQL extension for CartoDB
BSD 3-Clause "New" or "Revised" License
111 stars 53 forks source link

User defined FDW's #369

Closed rafatower closed 5 years ago

rafatower commented 5 years ago

This adds a couple of functions to ease set up of user foreign servers, mappings and tables.

Sample usage:

-- Create a FDW called "amazon"
SELECT cartodb.CDB_SetUp_User_Foreign_Server('amazon', '{
   "server": {
     "extensions": "postgis",
     "dbname": "testdb",
     "host": "localhost",
     "port": "5433"
   },
   "user_mapping": {
     "user": "fdw_user",
     "password": "secret"
   }
}');

-- Import a foreign table from "amazon"
SELECT cartodb.CDB_SetUp_User_Foreign_Table('amazon', 'carto-lite', 'cliwoc21');

NOTE: it is decoupled from carto-lite

It creates a role with the same name of the fdw (in the example, "amazon") and grants it to the caller of the function. So, by default just the caller can access the server, mappings and anything related to it, but they can also grant it to other users (including publicuser, the org role or even public).

E.g:

-- not the caller role
SELECT * FROM amazon.cliwoc21 limit 1;
ERROR:  permission denied for schema amazon
LINE 1: select * from amazon.cliwoc21 limit 1;

IMPORT FOREIGN SCHEMA carto_lite LIMIT TO (cliwoc21) FROM SERVER amazon INTO try_import;
ERROR:  permission denied for foreign server amazon

but we want to grant permissions to it:

GRANT amazon TO "development_cartodb_user_699ab2dc-dd77-4395-8c95-3a8c973dfafe" ;

and from that moment on:

SELECT current_user;
                         current_user                          
---------------------------------------------------------------
 development_cartodb_user_699ab2dc-dd77-4395-8c95-3a8c973dfafe
(1 row)

SELECT count(1) FROM amazon.cliwoc21 ;
 count  
--------
 282322
(1 row)
rafatower commented 5 years ago

@dgaubert to take an early look. Not final, cause it lacks some changes, a couple utility functions and documentation. Hopefully it'll help us decouple set up from other tasks (e.g: testing through SQL API)

rafatower commented 5 years ago

For the record, SECURITY DEFINER cannot be really removed: https://github.com/CartoDB/cartodb-postgresql/commit/67663c79aa48cab8f3d8dd87b7a2a62a157bf0c3 (at least not in an easy and clean way)

rafatower commented 5 years ago

I think this is ready for a review. It lacks documentation but I'd rather write and "beta test" it through the "operations manual" than document here yet. No strong opinion, though.