Open gronka opened 1 month ago
Similar issue on AWS RDS, 👍
Things can/will fail if the tethys_super
user can't for example create tables and databases (this can be worked around by having all that precreated, but that's likely to be fragile and will I think prevent things such as migrations from working). But no, it doesn't have to be SUPERUSER
strictly speaking.
I worked around it by pre-creating the tethys_super
user with the rds_superuser
instead, similar to below:
# This has to happen for RDS to work, and if it fails, we must not be using RDS...
#TODO: Any reason to be concerned about injection here? Just strip all non-word characters?
psql -h ${TETHYS_DB_HOST} -U postgres -c "CREATE ROLE ${TETHYS_DB_SUPERUSER} NOSUPERUSER IN ROLE rds_superuser INHERIT CREATEDB CREATEROLE NOREPLICATION VALID UNTIL 'infinity' LOGIN PASSWORD '${TETHYS_DB_SUPERUSER_PASS}'" \
|| true
(The || true
is a bit of a hack but is minimally sufficient for this to be runable in a script whether I'm on RDS or a local dev env.)
The tethys db
commands use IF NOT EXISTS
for creating users so this threads the needle. Notably, you must not precreate the tethys_super database, because tethys db
fails if it already exists (this might be worth changing/fixing also)--my original attempt just created tethys_super
as the RDS master user but the precreation of the user's DB made that approach infeasible.
You could add an optional option/switch to let the user specify a different role to grant tethys_super
and use that instead of SUPERUSER
... not sure about Azure, but I think this would be sufficient for RDS. And/or, allow tethys db
to proceed if the user database already exists, and then for RDS making tethys_super
as the master user will I think be sufficient. Additionally there could be some kind of check to make sure that the tethys_super
user can create tables or whatnot after creation, but that's gravy.
I removed the SUPERUSER role from create user command but it caused automated github action tests to fail. Below is the screenshot of the test and here is a link to the actual tests if you want to take a closer look. I am going to add the SUPERUSER role back into my PR for now so that we can get that merged.
I would like to use Azure PostgreSQL, but if Tethys requires the SUPERUSER role to work, then it's not possible.
Is your feature request related to a problem? Please describe. Azure has a PostgreSQL service which does not allow the creation of a SUPERUSER. Azure keeps that role for themselves. I imagine other PostgreSQL PaaS would make the same decision.
Describe the solution you'd like Remove the
SUPERUSER
assignment from line 281 oftethys_cli/db_commands.py
. Tethys seems to run fine if the superuser is not actually a superuser - but I could easily be missing something.Describe alternatives you've considered The alternative offered by Tethys is to set
SKIP_DB_SETUP=true
, and Tethys seems to run fine after running the following commands with psql: