fix(generate_config): correct migration template grants #48
Merged
Migration 010 (a33fc90) retroactively fixed the two grant bugs for ctu_cz_tmobile, which was added by the generator in migration 009:

Bug 1: migration 009 granted SELECT, INSERT, UPDATE on the security-barrier view cml_data_secure instead of the underlying hypertable cml_data. write_rawdata() inserts directly into cml_data, so the parser raised a permission error and silently dropped all CTU rows until migration 010 added the missing table grant.

Bug 2: migration 009 did not grant EXECUTE on update_cml_stats(TEXT, TEXT). The stats background thread calls this function as the user's PG role, so stats were never computed for CTU until migration 010 added the EXECUTE grant.

This commit fixes the generator template so that any future user added via generate_config.py receives the correct grants from the start and does not require a follow-up migration. The fix mirrors exactly what migration 010 applied by hand:

- GRANT SELECT, INSERT, UPDATE ON cml_data (not cml_data_secure)
- GRANT SELECT ON cml_data_secure (read isolation for webserver/Grafana)
- GRANT EXECUTE ON FUNCTION update_cml_stats(TEXT, TEXT)

Also corrects the stale comment that incorrectly claimed all access goes through the security-barrier views.
Codecov Report

✅ All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
## main #48 +/- ##
=======================================
Coverage 82.63% 82.63%
=======================================
Files 28 28
Lines 2920 2920
=======================================
Hits 2413 2413
Misses 507 507
generate_config.py emits a DB migration for every new user. The template had two bugs that silently broke any user added via the script:
Bug 1 — wrong table grant: The template granted SELECT, INSERT, UPDATE on the security-barrier view cml_data_secure instead of the underlying hypertable cml_data. Since write_rawdata() and update_cml_stats() both write directly to cml_data, the parser silently dropped all data for the new user.
Bug 2 — missing EXECUTE grant: The template omitted GRANT EXECUTE ON FUNCTION update_cml_stats(TEXT, TEXT). The stats background thread calls this function as the user's PG role, so stats were never computed and map line colouring showed no colour for that user's CMLs.
Also fixes a stale comment that incorrectly stated "all access goes through the security-barrier views."
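An added example, not part of the PR or the project's code: a small lint that could run over a generated migration before it is applied and report the two grant bugs described above. It assumes the migration uses plain `GRANT ... ON ... TO <role>;` statements with a single role each; `check_grants`, the sample SQL and the role name `new_user` are hypothetical.

```python
import re

# Grants the PR lists as required for every generated user role.
REQUIRED = {
    "cml_data": {"SELECT", "INSERT", "UPDATE"},
    "cml_data_secure": {"SELECT"},
    "function update_cml_stats(text,text)": {"EXECUTE"},
}
READ_ONLY_VIEW = "cml_data_secure"  # security-barrier view: SELECT only

GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>[A-Z,\s]+?)\s+ON\s+(?P<obj>.+?)\s+TO\s+(?P<role>\w+)\s*;",
    re.IGNORECASE | re.DOTALL)

def _norm(obj):
    """Lower-case, drop an optional TABLE keyword, collapse whitespace."""
    obj = re.sub(r"^table ", "", " ".join(obj.lower().split()))
    return re.sub(r"\s*,\s*", ",", obj)

def check_grants(sql, role):
    """Return findings for `role`; an empty list means the grants match."""
    sql = re.sub(r"--[^\n]*", "", sql)  # ignore SQL line comments
    granted = {}
    for m in GRANT_RE.finditer(sql):
        if m["role"].lower() == role.lower():
            privs = {p.strip().upper() for p in m["privs"].split(",")}
            granted.setdefault(_norm(m["obj"]), set()).update(privs)
    findings = []
    for obj, need in REQUIRED.items():
        missing = need - granted.get(obj, set())
        if missing:
            findings.append(f"missing {', '.join(sorted(missing))} on {obj}")
    extra = granted.get(READ_ONLY_VIEW, set()) - {"SELECT"}
    if extra:
        findings.append(
            f"unexpected {', '.join(sorted(extra))} on view {READ_ONLY_VIEW}")
    return findings

# Constructed samples; new_user is a hypothetical role name.
BUGGY = """
-- constructed: shape of the pre-fix template output
GRANT SELECT, INSERT, UPDATE ON cml_data_secure TO new_user;
"""
FIXED = """
GRANT SELECT, INSERT, UPDATE ON cml_data TO new_user;
GRANT SELECT ON cml_data_secure TO new_user;
GRANT EXECUTE ON FUNCTION update_cml_stats(TEXT, TEXT) TO new_user;
"""
```

Failing the generator's test run on a non-empty result would surface a wrong or missing grant at generation time instead of as dropped rows in production.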