diff --git a/core/src/main/java/google/registry/privileges/secretmanager/SqlUser.java b/core/src/main/java/google/registry/privileges/secretmanager/SqlUser.java
index 7b168e21f..a9e2d5213 100644
--- a/core/src/main/java/google/registry/privileges/secretmanager/SqlUser.java
+++ b/core/src/main/java/google/registry/privileges/secretmanager/SqlUser.java
@@ -49,6 +49,7 @@ public abstract class SqlUser {
 /** Enumerates the {@link RobotUser RobotUsers} in the system. */
 public enum RobotId {
 NOMULUS,
+ SCHEMA_DEPLOYER,
 /**
 * Credential for RegistryTool. This is temporary, and will be removed when tool users are
 * assigned their personal credentials.
diff --git a/core/src/main/java/google/registry/tools/GetSqlCredentialCommand.java b/core/src/main/java/google/registry/tools/GetSqlCredentialCommand.java
index 0a56c4cc1..775df6cfe 100644
--- a/core/src/main/java/google/registry/tools/GetSqlCredentialCommand.java
+++ b/core/src/main/java/google/registry/tools/GetSqlCredentialCommand.java
@@ -17,6 +17,7 @@ package google.registry.tools;
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.Parameters;
 import com.google.common.base.Ascii;
+import google.registry.config.RegistryConfig.Config;
 import google.registry.privileges.secretmanager.SecretManagerClient.SecretManagerException;
 import google.registry.privileges.secretmanager.SqlCredential;
 import google.registry.privileges.secretmanager.SqlCredentialStore;
@@ -31,13 +32,19 @@ import javax.inject.Inject;
 /**
 * Command to get a Cloud SQL credential in the Secret Manager.
 *
- *
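Review bot: SCHEMA_DEPLOYER is added to RobotId without a comment, while the RegistryTool constant right below it documents what that credential is for. A one-line Javadoc would tie the constant to the role this commit also introduces, e.g. `/** Credential used by the schema deployment process; the matching Postgres user is created by create_schema_deployer_user.sql. */`. Whether the constant's name is what selects the Secret Manager entry is not visible in this hunk, so the comment should not assert that. The RobotId enum continues past the end of the hunk.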

This command is a short-term tool that will be deprecated by the planned privilege server. + *

The schema deployment process will use this command's output. Coordinate with the schema
+ * deployment script before making changes to the output.
 */
 @Parameters(separators = " =", commandDescription = "Get the Cloud SQL Credential for a given user")
 public class GetSqlCredentialCommand implements Command {
 @Inject SqlCredentialStore store;
+ @Inject
+ @Config("cloudSqlInstanceConnectionName")
+ String cloudSqlInstanceConnectionName;
+
 @Parameter(names = "--user", description = "The Cloud SQL user.", required = true)
 private String user;
@@ -62,12 +69,17 @@ public class GetSqlCredentialCommand implements Command {
 return;
 }
+ // Output format is important. Check class level javadoc before making changes.
+ String outputText = String.format( "%s %s %s", cloudSqlInstanceConnectionName, credential.login(), credential.password());
+
 if (outputPath == null) {
- System.out.printf("[%s]\n", credential.toFormattedString());
+ System.out.printf(outputText);
 return;
 }
 try (FileOutputStream out = new FileOutputStream(outputPath.toFile())) {
- out.write(credential.toFormattedString().getBytes(StandardCharsets.UTF_8));
+ out.write(outputText.getBytes(StandardCharsets.UTF_8));
 }
 }
 }
diff --git a/db/src/main/resources/sql/user/create_schema_deployer_user.sql b/db/src/main/resources/sql/user/create_schema_deployer_user.sql
new file mode 100644
index 000000000..535a91d1c
--- /dev/null
+++ b/db/src/main/resources/sql/user/create_schema_deployer_user.sql
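Review bot: The new class-level Javadoc tells readers to coordinate with the deployment script but never states the format that script depends on, so a reader cannot tell what counts as a change to the output; after `+ * deployment script before making changes to the output.` add a sentence such as `* The output is a single line of the form {@code <instance connection name> <login> <password>}, fields separated by single spaces and with no trailing newline.` The injected `cloudSqlInstanceConnectionName` field is package-private and mutable, which matches the existing `@Inject SqlCredentialStore store;` style in this file. The class body continues past the end of the hunk.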
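Review bot: `System.out.printf(outputText);` passes the credential text itself as the format string, so any `%` in the login or password is interpreted as a conversion specifier and either throws (UnknownFormatConversionException / MissingFormatArgumentException) or silently alters what is printed; use `System.out.print(outputText);` so stdout carries the bytes verbatim like the file branch does. The replaced call also emitted a trailing newline, which the new text drops on both paths; if that is intentional for the consuming script, the class Javadoc should say so. The output file written through FileOutputStream contains a live password and is created with the process umask; creating it with owner-only permissions first (Files.createFile with a PosixFilePermissions attribute, then opening it) would limit exposure on a shared host, though that weakness predates this commit. The method's start is outside the hunk.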
@@ -0,0 +1,24 @@
+-- Copyright 2019 The Nomulus Authors. All Rights Reserved.
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+--
+-- Script to create a user with read-only permission to all tables. The
+-- initialize_roles.sql script creates the readonly role used here.
+ -- Comment out line below if user already exists:
+CREATE USER schema_deployer ENCRYPTED PASSWORD :'password';
+-- Comment out line above and uncomment line below if user has been created
+-- from Cloud Dashboard:
+-- ALTER USER :username NOCREATEDB NOCREATEROLE;
+GRANT CONNECT ON DATABASE postgres TO schema_deployer;
+GRANT CREATE, USAGE ON SCHEMA public TO schema_deployer;
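Review bot: The header comment `-- Script to create a user with read-only permission to all tables. The` / `-- initialize_roles.sql script creates the readonly role used here.` describes a different script: this file grants CONNECT plus CREATE and USAGE on schema public and never references a readonly role, so the comment should read something like `-- Script to create the schema_deployer user, which applies schema changes: it may connect to the database and create objects in schema public.` The commented-out alternative `-- ALTER USER :username NOCREATEDB NOCREATEROLE;` takes the user name from a psql variable while the CREATE USER and both GRANT statements name `schema_deployer` literally, so an operator uncommenting it would also have to pass `-v username=schema_deployer`; writing `schema_deployer` there keeps the two paths consistent. Since CREATE on schema public lets this role add objects that other roles will later execute, a short comment stating that the user is intended solely for the deployment pipeline would help whoever audits role grants.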