From ab32c36c987ff2605a6f6328810f9db8b6173d6b Mon Sep 17 00:00:00 2001
From: Tom Russell
Date: Tue, 25 Sep 2018 20:46:05 +0100
Subject: [PATCH] Update database notes (single app user required)

---
 migrations/002.index-core.up.sql | 2 +-
 migrations/README.md | 56 +++++++++----------------------
 2 files changed, 17 insertions(+), 41 deletions(-)

diff --git a/migrations/002.index-core.up.sql b/migrations/002.index-core.up.sql
index 9964b45e..0d481d34 100644
--- a/migrations/002.index-core.up.sql
+++ b/migrations/002.index-core.up.sql
@@ -1,4 +1,4 @@
-
+-- Create indexes after bulk loading geometries and building records
 -- Spatial index over building outlines
 CREATE INDEX geometries_idx ON geometries USING GIST ( geometry_geom );
 
diff --git a/migrations/README.md b/migrations/README.md
index 45337ef1..17aff6b2 100644
--- a/migrations/README.md
+++ b/migrations/README.md
@@ -1,64 +1,40 @@
-# Database details
+# Database setup
 
-Initial setup, on first connection (replacing hostname and username):
+Initial setup, on first connection (replacing hostname, username, port, dbname as required):
 
 ```bash
-$ psql "host={hostname} user={username} port=5432 sslmode=require dbname=postgres"
+$ psql "host={hostname} user={username} port={port} sslmode=require dbname=postgres"
 > create database colouringlondon;
 > \c colouringlondon
 > create extension postgis;
 > create extension pgcrypto;
 > \q
-$ psql "host={hostname} user={username} port=5432 sslmode=require dbname=colouringlondon" < 001.create-core.up.sql
+$ psql "host={hostname} user={username} port={port} sslmode=require dbname=colouringlondon" < 001.create-core.up.sql
 ```
 
-Create app users
+Create an app user:
 
 ```sql
 -- role for server-side of front end (HTTP POST)
-CREATE ROLE frontend WITH LOGIN;
+CREATE ROLE appusername WITH LOGIN;
 -- create/update, authenticate and authorise users
-GRANT SELECT, UPDATE, INSERT ON TABLE users TO frontend;
+GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE users TO appusername;
+-- join users against categories and access levels
+GRANT SELECT ON TABLE user_access_levels, user_categories TO appusername;
 -- read/write building data
-GRANT SELECT, UPDATE, INSERT ON TABLE buildings TO frontend;
+GRANT SELECT, UPDATE ON TABLE buildings TO appusername;
 -- read geometry data
-GRANT SELECT ON TABLE geometries TO frontend;
+GRANT SELECT ON TABLE geometries TO appusername;
 -- read/append to logs
-GRANT SELECT, INSERT ON TABLE log to frontend;
+GRANT SELECT, INSERT ON TABLE logs to appusername;
 -- use id sequences
-GRANT USAGE ON ALL SEQUENCES IN SCHEMA public to frontend;
+GRANT USAGE ON ALL SEQUENCES IN SCHEMA public to appusername;
 -- use postgis/pgcrypto functions
-GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO frontend;
-
--- role for /api routes (may be AJAX from web client, or 3rd-party client with key)
-CREATE ROLE apiserver WITH LOGIN;
--- need to authenticate and authorize users
-GRANT SELECT ON TABLE users TO apiserver;
--- read/write building data
-GRANT SELECT, UPDATE, INSERT ON TABLE buildings TO apiserver;
--- read geometry data
-GRANT SELECT ON TABLE geometries TO apiserver;
--- read/append to logs
-GRANT SELECT, INSERT ON TABLE log to apiserver;
--- use id sequences
-GRANT USAGE ON ALL SEQUENCES IN SCHEMA public to apiserver;
--- use postgis/pgcrypto functions
-GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO apiserver;
-
--- role for /tiles routes
-CREATE ROLE tileserver WITH LOGIN;
--- read building and geometry data
-GRANT SELECT ON TABLE geometries, buildings TO tileserver;
--- use id sequences
-GRANT USAGE ON ALL SEQUENCES IN SCHEMA public to tileserver;
--- use postgis functions
-GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO tileserver;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO appusername;
 ```
 
-Set or update passwords
+Set or update passwords:
 
 ```bash
-psql -c "ALTER USER frontend WITH PASSWORD 'longsecurerandompassword1';"
-psql -c "ALTER USER apiserver WITH PASSWORD 'longsecurerandompassword2';"
-psql -c "ALTER USER tileserver WITH PASSWORD 'longsecurerandompassword3';"
+psql -c "ALTER USER appusername WITH PASSWORD 'longsecurerandompassword';"
 ```
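Review bot: The new `GRANT SELECT, UPDATE, INSERT, DELETE ON TABLE users TO appusername;` adds the right to delete user rows, but the unchanged comment above it still reads `-- create/update, authenticate and authorise users`; either name the use case, e.g. `-- create/update/delete, authenticate and authorise users`, or drop `DELETE` if the app only deactivates accounts. `GRANT USAGE ON ALL SEQUENCES IN SCHEMA public` and `GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public` apply only to objects that exist when the statement runs, so sequences or functions created by later migrations will need a repeat grant or an `ALTER DEFAULT PRIVILEGES` statement; a one-line note to that effect next to those grants would save a confusing permission error later. The `psql -c "ALTER USER appusername WITH PASSWORD '...'"` example leaves the secret in shell history and process listings; `psql -c "\password appusername"` prompts for it instead. Since this single role now also serves the tile and API duties that previously had read-only logins, it is worth stating in the README that network access for this login should be restricted (e.g. in `pg_hba.conf`), as the old separation no longer limits the blast radius of a leaked credential.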