Infer roles to verify from roles involved in db objects #122

Open
mzabani opened this issue Jan 18, 2023 · 0 comments
Labels
enhancement New feature or request

mzabani commented Jan 18, 2023

CODD_EXTRA_ROLES is currently the list of roles to verify other than the one in the connection string. This is not bad but can be improved substantially. Ideally codd would:

  1. Infer which roles to verify by extracting all roles that are involved with db objects somehow. For example, namespace/table/view/function owners but also roles with explicit permissions granted to any db object.
  2. The role in the connection string would still automatically be included, as migrations run with it by default.
  3. How about roles used in custom connection strings in some migration? Despite the argument that some migration ran/will run with that user (thus it makes sense for it to be included) this might actually be a little unexpected, and can change what roles to consider once migrations are deleted from disk, which can be problematic if someone decides to ship a subset of pending migrations when deploying or other things. So we ignore those. Users can still add them to CODD_EXTRA_ROLES if need be (and if they aren't already related to db objects, of course).
  4. What about roles that roles belong to? For example an admin role being part of the writer role, with writer not explicitly related to any db objects but admin being so. Do we verify writer? Read the docs to learn how things work here.

After implementing this, CODD_EXTRA_ROLES will become a perfectly optional variable and give users the liberty to create/manage roles without being worried about changing the env var accordingly.

@mzabani mzabani added the enhancement New feature or request label Jan 18, 2023
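
An added illustration of items 1 and 2 above, not part of the issue and not codd's own code: a single PostgreSQL catalog query that lists the roles tied to database objects as owners or as ACL grantees, plus the connected role. It assumes only schemas, relations and functions are considered, and it leaves the role-membership question in item 4 open.

```sql
-- Added example (not codd code). Run while connected to the target database
-- with the role from the connection string.
WITH object_roles(role_oid, reason) AS (
    -- Item 1a: owners of namespaces, tables/views/sequences and functions
    SELECT nspowner, 'schema owner'   FROM pg_catalog.pg_namespace
    UNION ALL
    SELECT relowner, 'relation owner' FROM pg_catalog.pg_class
    UNION ALL
    SELECT proowner, 'function owner' FROM pg_catalog.pg_proc
    UNION ALL
    -- Item 1b: roles with explicit grants. aclexplode() expands an aclitem[]
    -- into (grantor, grantee, privilege_type, is_grantable) rows and yields
    -- no rows when the ACL column is NULL (defaults only, nothing granted).
    SELECT a.grantee, 'schema grantee'
    FROM pg_catalog.pg_namespace n, aclexplode(n.nspacl) a
    UNION ALL
    SELECT a.grantee, 'relation grantee'
    FROM pg_catalog.pg_class c, aclexplode(c.relacl) a
    UNION ALL
    SELECT a.grantee, 'function grantee'
    FROM pg_catalog.pg_proc p, aclexplode(p.proacl) a
    UNION ALL
    -- Item 2: the connected role is always included
    SELECT r.oid, 'connection role'
    FROM pg_catalog.pg_roles r
    WHERE r.rolname = current_user
)
SELECT r.rolname,
       array_agg(DISTINCT o.reason ORDER BY o.reason) AS reasons
FROM object_roles o
-- Grants to PUBLIC have grantee = 0, which matches no pg_roles row,
-- so the inner join drops them.
JOIN pg_catalog.pg_roles r ON r.oid = o.role_oid
GROUP BY r.rolname
ORDER BY r.rolname;
```

System schemas are not filtered out here, so the bootstrap superuser always appears as an owner; the `reasons` column shows why each role was picked up.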