user permissions

Pablo Martin 2024-02-09 15:47:26 +01:00
parent 912e597915
commit 3176fc42b6

@ -380,7 +380,6 @@ Follow this to deploy the entire data infra.
- In the Jumphost, run the following command to disable password based SSH authentication fully. This way, access can only be granted with SSH key pairs, which is way more secure: `sudo sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config; sudo systemctl restart ssh`.
- Remove the AllowSSHInboundTemporarily rule that you added to the NSG `superhog-data-nsg-jumphost-<your-env>`. We don't need that anymore since we can SSH through the VPN tunnel.
## 4. DWH
### 4.1 Deploy PostgreSQL Server
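Review bot: The `sed` in the Jumphost step only rewrites the exact line `#PasswordAuthentication yes`; if `sshd_config` has that setting uncommented or written differently, the command changes nothing, ssh still restarts without error, and password login stays enabled. Suggest adding a verification step right after it, for example `sudo sshd -T | grep -i passwordauthentication`, and only then removing the `AllowSSHInboundTemporarily` rule.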
@ -407,11 +406,58 @@ Follow this to deploy the entire data infra.
- Validate the deployment by trying to log into the database with the `dwh_admin_<your-env>` user from your favourite SQL client (you can use DBeaver, for example). Be aware that your VPN connection should be active so that the DWH is reachable from your device.
### 4.2 Create users and roles
### 4.2 Create database and schemas
### 4.3 Create schemas
- Run the following script to create a new database and the needed schemas
### 4.4 Create permissions
```sql
CREATE DATABASE dwh;
\connect dwh;
CREATE SCHEMA staging;
CREATE SCHEMA intermediate;
CREATE SCHEMA reporting;
```
### 4.3 Create users and roles
- Run the following script to create:
- A `modeler` role, owner of the `staging`, `intermediate` and `reporting` schemas.
- A `consumer` role, capable of reading the `reporting` schema.
- A dbt user, with `modeler` role.
- An airbyte user, with permission to create new schemas.
- A Power BI user, with `consumer` role.
- *Note: replace the password fields with serious passwords and note them down.*
```bash
GRANT pg_read_all_data TO dwh_admin_infratest;
CREATE ROLE airbyte_user LOGIN PASSWORD 'password' VALID UNTIL 'infinity';
GRANT CREATE ON DATABASE dwh TO airbyte_user;
CREATE ROLE modeler INHERIT;
GRANT USAGE ON SCHEMA staging TO modeler;
GRANT USAGE ON SCHEMA intermediate TO modeler;
GRANT USAGE ON SCHEMA reporting TO modeler;
GRANT ALL ON ALL TABLES IN SCHEMA staging TO modeler;
GRANT ALL ON ALL TABLES IN SCHEMA intermediate TO modeler;
GRANT ALL ON ALL TABLES IN SCHEMA reporting TO modeler;
ALTER SCHEMA staging OWNER TO modeler;
ALTER SCHEMA intermediate OWNER TO modeler;
ALTER SCHEMA reporting OWNER TO modeler;
CREATE ROLE dbt_user LOGIN PASSWORD 'password' VALID UNTIL 'infinity';
GRANT modeler to dbt_user;
CREATE ROLE consumer INHERIT;
GRANT USAGE ON SCHEMA reporting TO consumer;
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO consumer;
ALTER DEFAULT PRIVILEGES IN SCHEMA reporting GRANT SELECT ON TABLES TO consumer;
CREATE ROLE powerbi_user LOGIN PASSWORD 'password' VALID UNTIL 'infinity';
GRANT consumer to powerbi_user;
```
- If you want, you might also want to create more users depending on your needs. Typically, date team members should also have the `modeler` role.
## 5. Airbyte
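Review bot: In the 4.3 script, `ALTER DEFAULT PRIVILEGES IN SCHEMA reporting GRANT SELECT ON TABLES TO consumer;` has no `FOR ROLE` clause, so it only covers tables created by the role that runs the script; tables that `dbt_user` later creates in `reporting` will not be readable by `powerbi_user`. Suggest adding `FOR ROLE dbt_user` (or whichever role actually builds the models). The `GRANT ALL ON ALL TABLES IN SCHEMA ... TO modeler` lines have a similar gap: they only affect tables that already exist, and the schemas were just created empty in 4.2, so any additional user given the `modeler` role gets no table privileges on what `dbt_user` creates later. Smaller points: the block is fenced as `bash` but contains SQL, `dwh_admin_infratest` is hardcoded where the rest of the guide uses `dwh_admin_<your-env>`, and "date team members" in the closing bullet should read "data team members".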