#34200: Allow setting postgres role during connection setup
-------------------------------------+-------------------------------------
               Reporter:  mcrute                    |  Owner:  nobody
                   Type:  New feature               |  Status:  new
              Component:  Database layer (models,   |  Version:  4.1
                          ORM)                      |
               Severity:  Normal                    |  Keywords:
           Triage Stage:  Unreviewed                |  Has patch:  0
    Needs documentation:  0                         |  Needs tests:  0
Patch needs improvement:  0                         |  Easy pickings:  0
                  UI/UX:  0                         |
-------------------------------------+-------------------------------------
 When attempting to mutate database objects (tables, enumerations, etc...)
 Postgres requires that the logged-in role match the owning role for those
 objects. Typically the owning role of an object is the role that created
 it. This is a problem when using systems such as
 [[https://www.hashicorp.com/products/vault|Hashicorp Vault]] which create
 ephemeral single-use roles for applications since those roles will, by
 definition, never match the creating role. This results in permission
 errors during structural changes such as migrations. These errors are of
 the general form "sequence must have same owner as table it is linked to".

 The solution to this problem is pretty straightforward. First create a
 grouping role for the application (roles do not distinguish between being
 a user or a group) that can become the owner of the database objects. Then
 create the temporary roles generated by the credential management system
 as members of this grouping role. Finally, assume that grouping role
 before performing actions on the database using the
 [[https://www.postgresql.org/docs/8.4/sql-set-role.html|SET ROLE]]
 statement during connection setup. This will cause all of the temporary
 roles to act as the grouping role which has ownership of all of these
 objects and eliminate the permission issues.

 I propose adding a postgres-specific driver option in the settings called
 `role` which, if present, will cause the connection setup code to issue
 the appropriate `SET ROLE` statement at connection creation.

 I have a patch for this that I'm testing and will submit soon.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34200>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
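The role layout and the connection-setup hook described in the ticket, as an added example written for this page; it is neither the reporter's pending patch nor Django's own code. Assumed names: a NOLOGIN grouping role `app_owner`, Vault-issued login roles of the form `v-root-app-...`, and the `role` key under `DATABASES[...]["OPTIONS"]` that the ticket proposes. Note that unpatched Django forwards `OPTIONS` to the driver, so in a real deployment that key has to be popped before connecting, which is what the proposed backend change would do. `FakeConnection` is a constructed stand-in for the psycopg2-backed connection so the module runs offline; it models only the server rule that matters here, that `SET ROLE` is allowed only for a member of the target role.

```python
import re


def quote_identifier(name):
    """Quote a PostgreSQL identifier: wrap in double quotes, double any
    embedded quote. SET ROLE takes an identifier, not a bind parameter, so a
    role name read from settings must never be interpolated raw."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier: %r" % (name,))
    return '"' + name.replace('"', '""') + '"'


def role_setup_statements(owner, login_roles):
    """One-time DDL for the layout in the ticket: a NOLOGIN grouping role that
    owns tables and sequences, plus membership for each login role. With
    Vault the GRANT belongs in the secrets engine's creation_statements
    (its {{name}} placeholder); it is listed here so the setup is in one place."""
    stmts = ["CREATE ROLE %s NOLOGIN;" % quote_identifier(owner)]
    for login in login_roles:
        stmts.append("GRANT %s TO %s;" % (quote_identifier(owner),
                                          quote_identifier(login)))
    return stmts


def set_role_on_connect(sender, connection, **kwargs):
    """connection_created receiver. Switches to the configured role and
    verifies it took. Returns (current_user, session_user); raises if
    PostgreSQL refused (login role is not a member of the group)."""
    role = connection.settings_dict.get("OPTIONS", {}).get("role")
    if not role:
        return None
    with connection.cursor() as cursor:
        cursor.execute("SET ROLE " + quote_identifier(role))
        # current_user changes, session_user stays the login role. RESET ROLE
        # or a pooler's DISCARD ALL undoes this, so membership in PostgreSQL,
        # not this hook, is the real access control.
        cursor.execute("SELECT current_user, session_user")
        current, session = cursor.fetchone()
    if current != role:
        raise RuntimeError("SET ROLE did not take effect: %r" % (current,))
    return current, session


def install():
    """Call from an AppConfig.ready(); Django is imported lazily so the
    module also runs where Django is absent."""
    from django.db.backends.signals import connection_created
    connection_created.connect(set_role_on_connect, dispatch_uid="pg_set_role")


class FakeConnection:
    """Constructed stand-in for a Django PostgreSQL connection (assumption,
    not Django's class). SET ROLE succeeds only for a member of the target
    role or the role itself, as on the server."""

    def __init__(self, session_user, memberships, role=None):
        self.settings_dict = {"OPTIONS": {"role": role} if role else {}}
        self.session_user = self.current_user = session_user
        self.memberships = memberships  # {login role: {group roles}}

    def cursor(self):
        return _FakeCursor(self)


class _FakeCursor:
    _SET_ROLE = re.compile(r'SET ROLE "((?:[^"]|"")*)"')

    def __init__(self, conn):
        self.conn, self.row = conn, None
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False

    def execute(self, sql, params=None):
        m = self._SET_ROLE.fullmatch(sql)
        if m:
            target = m.group(1).replace('""', '"')  # undo identifier quoting
            allowed = self.conn.memberships.get(self.conn.session_user, set())
            if target != self.conn.session_user and target not in allowed:
                raise PermissionError('permission denied to set role "%s"' % target)
            self.conn.current_user = target
        elif sql == "SELECT current_user, session_user":
            self.row = (self.conn.current_user, self.conn.session_user)
        else:
            raise ValueError("statement not modelled by the fake: " + sql)

    def fetchone(self):
        return self.row


def demo():
    """Member login role is switched; a login role outside the group is
    refused, the same failure a mis-templated Vault role produces."""
    member = FakeConnection("v-root-app-abc123",
                            {"v-root-app-abc123": {"app_owner"}}, role="app_owner")
    switched = set_role_on_connect(None, member)
    stranger = FakeConnection("v-root-app-zzz999", {}, role="app_owner")
    try:
        set_role_on_connect(None, stranger)
        refused = False
    except PermissionError:
        refused = True
    return switched, refused
```

Two practical checks fall out of this: after the hook runs, `current_user` should be the grouping role while `session_user` is still the Vault-issued login, which is how to confirm in a session that the switch happened; and a login role that was minted without the `GRANT` fails at connection time with a permission error rather than later, mid-migration, with the "must have same owner" error quoted in the ticket. Because `SET ROLE` is session state, anything on the connection that issues `RESET ROLE`, and poolers that run `DISCARD ALL` between clients, will drop back to the login role; the object ownership must therefore rest on role membership in PostgreSQL, with the hook only selecting which of the permitted identities the session acts as.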
