def add_ownerships(spec, dbcontext):
    """Populate ownership information in ``spec`` for every object kind.

    Iterates the object kinds in ``PRIVILEGE_MAP``: ``'schemas'`` is
    delegated to ``add_schema_ownerships``, every other kind to
    ``add_nonschema_ownerships``. Each helper is handed the spec returned
    by the previous call, and the final spec is returned.

    Args:
        spec: The spec mapping being built up (roles -> config).
        dbcontext: Database context handed through to the helpers.

    Returns:
        The spec as returned by the last helper invoked.
    """
    for kind in PRIVILEGE_MAP:
        if kind != 'schemas':
            spec = add_nonschema_ownerships(spec, dbcontext, kind)
            continue
        spec = add_schema_ownerships(spec, dbcontext)
    return spec
def add_privileges(spec, dbcontext):
    """ Add role privileges to the spec file

    For every role in ``spec`` a ``privileges`` mapping keyed by object kind
    is assembled. Schema privileges come from ``determine_schema_privileges``;
    every other object kind is split into ``write`` and ``read`` item lists by
    ``determine_all_nonschema_privileges``, each list being passed through
    ``collapse_personal_schemas`` before it is stored. Empty sections are
    omitted, and a role with no privileges at all is left untouched.

    Args:
        spec: Mapping of role name -> role config; ``spec[role]`` must be a
            mapping, since ``privileges`` is assigned into it.
        dbcontext: Database context handed through to the helpers.

    Returns:
        The same ``spec`` object, mutated in place.
    """
    for role in spec:
        per_kind = {}
        for objkind in PRIVILEGE_MAP:
            if objkind == 'schemas':
                found = determine_schema_privileges(role, dbcontext)
                if found:
                    per_kind['schemas'] = found
                continue

            writes, reads = determine_all_nonschema_privileges(role, objkind, dbcontext)
            section = {}
            # 'write' is collapsed before 'read' so the stored order matches the original
            for access, items in (('write', writes), ('read', reads)):
                if items:
                    section[access] = collapse_personal_schemas(role, items, objkind, dbcontext)
            if section:
                per_kind[objkind] = section

        if per_kind:
            spec[role]['privileges'] = per_kind

    return spec
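def analyze_privileges(spec, cursor, verbose):
    """Compare desired privileges in ``spec`` against the database and return SQL.

    For each role (skipping superusers, for which a skip message is emitted
    instead), each object kind in ``PRIVILEGE_MAP`` and each access level
    (``'read'``, ``'write'``), a ``PrivilegeAnalyzer`` is built and its
    ``analyze()`` output appended to the result. Items listed under ``write``
    are also treated as desired ``read`` items.

    Args:
        spec: Mapping of role name -> role config (config may be ``None``).
        cursor: Database cursor used to build the ``DatabaseContext``.
        verbose: When truthy the progress bar is suppressed.

    Returns:
        List of SQL statements (and skip messages) to run, in analysis order.
    """
    logger.debug('Starting analyze_privileges()')
    dbcontext = DatabaseContext(cursor, verbose)

    # We disable the progress bar when showing verbose output (using '' as our bar_template)
    # or the bar will get lost in the output
    bar_template = '' if verbose else common.PROGRESS_TEMPLATE
    with click.progressbar(spec.items(), label='Analyzing privileges: ', bar_template=bar_template,
                           show_eta=False, item_show_func=common.item_show_func) as all_roles:

        schema_writers = determine_schema_writers(spec)
        personal_schemas = determine_personal_schemas(spec)

        all_sql_to_run = []
        for rolename, config in all_roles:
            config = config or {}
            if dbcontext.is_superuser(rolename):
                all_sql_to_run.append(SKIP_SUPERUSER_PRIVILEGE_CONFIGURATION_MSG.format(rolename))
                continue
            all_desired_privs = config.get('privileges', {})

            for object_kind in PRIVILEGE_MAP.keys():
                desired_items_this_obj = all_desired_privs.get(object_kind, {})
                excepted_items_this_obj = desired_items_this_obj.get('except', [])
                for access in ('read', 'write'):
                    # Copy the list: the original `+=` below appended the write items
                    # straight into the caller's spec (the 'read' list), so the spec was
                    # silently mutated and grew on every call
                    desired_items = list(desired_items_this_obj.get(access, []))
                    # If a write privilege is desired then read access is as well
                    if access == 'read':
                        desired_items += desired_items_this_obj.get('write', [])

                    privconf = PrivilegeAnalyzer(rolename=rolename,
                                                 access=access,
                                                 object_kind=object_kind,
                                                 desired_items=desired_items,
                                                 dbcontext=dbcontext,
                                                 schema_writers=schema_writers,
                                                 personal_schemas=personal_schemas,
                                                 excepted_items=excepted_items_this_obj)
                    role_sql_to_run = privconf.analyze()
                    all_sql_to_run += role_sql_to_run

    return all_sql_to_run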