Add schema_deployer SQL user to SecretManager (#1018)

* Add schema_deployer SQL user to SecretManager Add the 'schema_deployer' user to the SecretManager so that its credential can be set up. The schema deployment process will use this user instead of the 'postgres' user. Changed the output of the get_sql_credential command for the schema deployment process. Added a sql script that documents the privileges granted to 'schema_deployer'.
2025-04-30 12:07:51 +02:00 · 2021-03-17 19:31:44 -04:00 · 2021-03-17 19:31:44 -04:00 · 49183db199
commit 49183db199
parent 1132b29679
3 changed files with 40 additions and 3 deletions
--- a/core/src/main/java/google/registry/privileges/secretmanager/SqlUser.java
+++ b/core/src/main/java/google/registry/privileges/secretmanager/SqlUser.java
@ -49,6 +49,7 @@ public abstract class SqlUser {
  /** Enumerates the {@link RobotUser RobotUsers} in the system. */
  public enum RobotId {
    NOMULUS,
+    SCHEMA_DEPLOYER,
    /**
     * Credential for RegistryTool. This is temporary, and will be removed when tool users are
     * assigned their personal credentials.
--- a/core/src/main/java/google/registry/tools/GetSqlCredentialCommand.java
+++ b/core/src/main/java/google/registry/tools/GetSqlCredentialCommand.java
@ -17,6 +17,7 @@ package google.registry.tools;
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.base.Ascii;
+import google.registry.config.RegistryConfig.Config;
 import google.registry.privileges.secretmanager.SecretManagerClient.SecretManagerException;
 import google.registry.privileges.secretmanager.SqlCredential;
 import google.registry.privileges.secretmanager.SqlCredentialStore;
@ -31,13 +32,19 @@ import javax.inject.Inject;
 /**
 * Command to get a Cloud SQL credential in the Secret Manager.
 *
- * <p>This command is a short-term tool that will be deprecated by the planned privilege server.
+ * <p>The schema deployment process will use this command's output. Coordinate with <a
+ * href="https://github.com/google/nomulus/release/cloudbuild-schema-deploy.yaml">the schema
+ * deployment script</a> before making changes to the output.
 */
@Parameters(separators = " =", commandDescription = "Get the Cloud SQL Credential for a given user")
 public class GetSqlCredentialCommand implements Command {

  @Inject SqlCredentialStore store;

+  @Inject
+  @Config("cloudSqlInstanceConnectionName")
+  String cloudSqlInstanceConnectionName;
+
  @Parameter(names = "--user", description = "The Cloud SQL user.", required = true)
  private String user;

@ -62,12 +69,17 @@ public class GetSqlCredentialCommand implements Command {
      return;
    }

+    // Output format is important. Check class level javadoc before making changes.
+    String outputText =
+        String.format(
+            "%s %s %s", cloudSqlInstanceConnectionName, credential.login(), credential.password());
+
    if (outputPath == null) {
-      System.out.printf("[%s]\n", credential.toFormattedString());
+      System.out.printf(outputText);
      return;
    }
    try (FileOutputStream out = new FileOutputStream(outputPath.toFile())) {
-      out.write(credential.toFormattedString().getBytes(StandardCharsets.UTF_8));
+      out.write(outputText.getBytes(StandardCharsets.UTF_8));
    }
  }
 }
--- a/db/src/main/resources/sql/user/create_schema_deployer_user.sql
+++ b/db/src/main/resources/sql/user/create_schema_deployer_user.sql
@ -0,0 +1,24 @@
+-- Copyright 2019 The Nomulus Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--     http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+-- Script to create a user with read-only permission to all tables. The
+-- initialize_roles.sql script creates the readonly role used here.
+
+-- Comment out line below if user already exists:
+CREATE USER schema_deployer ENCRYPTED PASSWORD :'password';
+-- Comment out line above and uncomment line below if user has been created
+-- from Cloud Dashboard:
+-- ALTER USER :username NOCREATEDB NOCREATEROLE;
+GRANT CONNECT ON DATABASE postgres TO schema_deployer;
+GRANT CREATE, USAGE ON SCHEMA public TO schema_deployer;