def add_ownerships(spec, dbcontext):
    """Populate *spec* with ownership information for every object kind.

    Schemas are delegated to ``add_schema_ownerships``; every other key of
    ``PRIVILEGE_MAP`` goes through ``add_nonschema_ownerships``.  The
    (possibly rebuilt) spec is returned so calls can be chained.
    """
    for kind in PRIVILEGE_MAP:
        if kind != 'schemas':
            spec = add_nonschema_ownerships(spec, dbcontext, kind)
            continue
        spec = add_schema_ownerships(spec, dbcontext)
    return spec
def add_privileges(spec, dbcontext):
    """Attach a ``privileges`` mapping to every role in *spec*.

    For each role the schema privileges come from
    ``determine_schema_privileges``.  Every other object kind in
    ``PRIVILEGE_MAP`` is split into ``write`` and ``read`` lists by
    ``determine_all_nonschema_privileges`` and each non-empty list is passed
    through ``collapse_personal_schemas``.  A role that ends up with no
    privileges at all is left untouched.  The spec is returned for chaining.
    """
    for rolename in spec:
        privs_for_role = {}
        for kind in PRIVILEGE_MAP:
            if kind == 'schemas':
                schema_privs = determine_schema_privileges(rolename, dbcontext)
                if schema_privs:
                    privs_for_role['schemas'] = schema_privs
                continue

            writes, reads = determine_all_nonschema_privileges(
                rolename, kind, dbcontext)
            kind_privs = {}
            # 'write' is recorded before 'read' to keep the key order stable.
            for access, items in (('write', writes), ('read', reads)):
                if not items:
                    continue
                kind_privs[access] = collapse_personal_schemas(
                    rolename, items, kind, dbcontext)
            if kind_privs:
                privs_for_role[kind] = kind_privs

        if privs_for_role:
            spec[rolename]['privileges'] = privs_for_role

    return spec
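def analyze_privileges(spec, cursor, verbose):
    """Compute the SQL needed to make database privileges match *spec*.

    Parameters:
        spec: mapping of role name -> role configuration (``None`` is
            accepted for a role with no settings).  ``config['privileges']``
            holds, per object kind, optional ``read``/``write``/``except``
            lists.
        cursor: database cursor handed to ``DatabaseContext``.
        verbose: when true the progress bar is suppressed so the verbose
            log output stays readable.

    Returns:
        list of SQL statements (or skip messages) in the order they should
        be run.  Superusers are never reconfigured; a skip message is
        appended for them instead.

    The spec is treated as read-only: the desired item lists are copied
    before being combined, so the caller's data is not modified.
    """
    logger.debug('Starting analyze_privileges()')
    dbcontext = DatabaseContext(cursor, verbose)

    # We disable the progress bar when showing verbose output (using '' as our bar_template)
    # or the bar will get lost in the output
    bar_template = '' if verbose else common.PROGRESS_TEMPLATE
    with click.progressbar(spec.items(),
                           label='Analyzing privileges: ',
                           bar_template=bar_template,
                           show_eta=False,
                           item_show_func=common.item_show_func) as all_roles:

        schema_writers = determine_schema_writers(spec)
        personal_schemas = determine_personal_schemas(spec)
        all_sql_to_run = []
        for rolename, config in all_roles:
            config = config or {}
            if dbcontext.is_superuser(rolename):
                all_sql_to_run.append(
                    SKIP_SUPERUSER_PRIVILEGE_CONFIGURATION_MSG.format(
                        rolename))
                continue
            all_desired_privs = config.get('privileges', {})

            for object_kind in PRIVILEGE_MAP:
                desired_items_this_obj = all_desired_privs.get(object_kind, {})
                excepted_items_this_obj = desired_items_this_obj.get(
                    'except', [])

                for access in ('read', 'write'):
                    # Copy the list: an in-place ``+=`` on the list taken from
                    # the spec would append the write items to the caller's
                    # ``read`` list, silently altering the spec that later
                    # steps (and the user's file) are compared against.
                    desired_items = list(
                        desired_items_this_obj.get(access, []))
                    # If a write privilege is desired then read access is as well
                    if access == 'read':
                        desired_items += desired_items_this_obj.get(
                            'write', [])

                    privconf = PrivilegeAnalyzer(
                        rolename=rolename,
                        access=access,
                        object_kind=object_kind,
                        desired_items=desired_items,
                        dbcontext=dbcontext,
                        schema_writers=schema_writers,
                        personal_schemas=personal_schemas,
                        excepted_items=excepted_items_this_obj)
                    role_sql_to_run = privconf.analyze()
                    all_sql_to_run += role_sql_to_run

    return all_sql_to_run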