From 3176fc42b619bd7d0a326abd1c884a9488bf8945 Mon Sep 17 00:00:00 2001 From: Pablo Martin Date: Fri, 9 Feb 2024 15:47:26 +0100 Subject: [PATCH] user permissions --- human-script.md | 54 +++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 4 deletions(-) diff --git a/human-script.md b/human-script.md index 324a496..c6d44b4 100644 --- a/human-script.md +++ b/human-script.md @@ -380,7 +380,6 @@ Follow this to deploy the entire data infra. - In the Jumphost, run the following command to disable password based SSH authentication fully. This way, access can only be granted with SSH key pairs, which is way more secure: `sudo sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config; sudo systemctl restart ssh`. - Remove the AllowSSHInboundTemporarily rule that you added to the NSG `superhog-data-nsg-jumphost-`. We don't need that anymore since we can SSH through the VPN tunnel. - ## 4. DWH ### 4.1 Deploy PostgreSQL Server 
@@ -407,11 +406,58 @@ Follow this to deploy the entire data infra. - Validate the deployment by trying to log into the database with the `dwh_admin_` user from your favourite SQL client (you can use DBeaver, for example). Be aware that your VPN connection should be active so that the DWH is reachable from your device. -### 4.2 Create users and roles +### 4.2 Create database and schemas -### 4.3 Create schemas +- Run the following script to create a new database and the needed schemas -### 4.4 Create permissions + ```sql + CREATE DATABASE dwh; + \connect dwh; + CREATE SCHEMA staging; + CREATE SCHEMA intermediate; + CREATE SCHEMA reporting; + ``` + +### 4.3 Create users and roles + +- Run the following script to create: + - A `modeler` role, owner of the `staging`, `intermediate` and `reporting` schemas. + - A `consumer` role, capable of reading the `reporting` schema. + - A dbt user, with `modeler` role. + - An airbyte user, with permission to create new schemas. + - A Power BI user, with `consumer` role. 
+ - *Note: replace the password fields with serious passwords and note them down.* + + ```bash + GRANT pg_read_all_data TO dwh_admin_infratest; + + CREATE ROLE airbyte_user LOGIN PASSWORD 'password' VALID UNTIL 'infinity'; + GRANT CREATE ON DATABASE dwh TO airbyte_user; + + CREATE ROLE modeler INHERIT; + GRANT USAGE ON SCHEMA staging TO modeler; + GRANT USAGE ON SCHEMA intermediate TO modeler; + GRANT USAGE ON SCHEMA reporting TO modeler; + GRANT ALL ON ALL TABLES IN SCHEMA staging TO modeler; + GRANT ALL ON ALL TABLES IN SCHEMA intermediate TO modeler; + GRANT ALL ON ALL TABLES IN SCHEMA reporting TO modeler; + ALTER SCHEMA staging OWNER TO modeler; + ALTER SCHEMA intermediate OWNER TO modeler; + ALTER SCHEMA reporting OWNER TO modeler; + + CREATE ROLE dbt_user LOGIN PASSWORD 'password' VALID UNTIL 'infinity'; + GRANT modeler to dbt_user; + + CREATE ROLE consumer INHERIT; + GRANT USAGE ON SCHEMA reporting TO consumer; + GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO consumer; + ALTER DEFAULT PRIVILEGES IN SCHEMA reporting GRANT SELECT ON TABLES TO consumer; + + CREATE ROLE powerbi_user LOGIN PASSWORD 'password' VALID UNTIL 'infinity'; + GRANT consumer to powerbi_user; + ``` + +- If you want, you might also want to create more users depending on your needs. Typically, date team members should also have the `modeler` role. ## 5. Airbyte
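Review bot: In the 4.3 script, `ALTER DEFAULT PRIVILEGES IN SCHEMA reporting GRANT SELECT ON TABLES TO consumer;` only applies to tables created by the role that runs the statement (here the `dwh_admin_` user), not to tables that `dbt_user` creates via the `modeler` role, so the Power BI user will not be able to read anything dbt materialises in `reporting` later; either run that statement as `dbt_user` or write it as `ALTER DEFAULT PRIVILEGES FOR ROLE dbt_user IN SCHEMA reporting GRANT SELECT ON TABLES TO consumer;`. The `modeler` grants have the same gap: `GRANT ALL ON ALL TABLES IN SCHEMA staging TO modeler;` covers only tables that already exist, and there is no default-privileges rule for objects other roles (for example `airbyte_user`) create afterwards. Smaller points in the same hunk: the second fence is tagged ```bash but contains SQL (the first is correctly tagged ```sql, though its `\connect dwh;` is a psql meta-command, so that block only runs inside psql); `GRANT pg_read_all_data TO dwh_admin_infratest;` hardcodes an `infratest` suffix where the rest of the document writes `dwh_admin_` as a placeholder, and `pg_read_all_data` only exists from PostgreSQL 14; `VALID UNTIL 'infinity'` is already the default, and literal `'password'` values should not be committed even with the note to replace them, so consider leaving the password out and setting it with `\password` or a variable; `GRANT modeler to dbt_user;` and `GRANT consumer to powerbi_user;` use lowercase `to` unlike every other statement; and "date team members" in the closing bullet should read "data team members".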