Octolis needs to access your databases for two distinct reasons:
Using a DB as Datawarehouse (we will create three schemas for our own usage and tables for Sources, Datasets, and Syncs inside of them, see ).
If your want to plug your DB as Connection from which Octolis needs to retrieve data.
In the first case, Octolis will need read & write access to your DB: create schemas, tables, functions, sequences...
In the second case, Octolis only needs to read some tables inside of your database.
We promise we will never write/modify anything outside of the three schemas we manage, but you might still want to create specific users for us to make sure we can’t. Here below is an example of how you can achieve this with PostgreSQL.
Create a readwrite role & user (for the Datawarehouse or for a Connection used as a Source & Destination).
Create role, user & grant rights
Don’t forget to replace {{adminuser}}, {{dbname}} and {{user_password}}.
javascript
-- Create role client_readwrite
CREATEROLE client_readwrite;-- Grant rights to role to access the DB and create schemas
GRANTCONNECTONDATABASE"{{dbname}}"TO client_readwrite;GRANTCREATEONDATABASE"{{dbname}}"TO client_readwrite;-- Grant rights to role to do anything on existing tables, sequences, functions in the public schema
GRANTALLONALLTABLESINSCHEMApublicTO client_readwrite;GRANTALLONALLSEQUENCESINSCHEMApublicTO client_readwrite;GRANTALLONALLFUNCTIONSINSCHEMApublicTO client_readwrite;-- Grant rights to role to do anything on tables, sequences, functions in that will be created later in the public schema
ALTERDEFAULTPRIVILEGESFORUSER{{adminuser}}INSCHEMApublicGRANTALLONTABLESTO client_readwrite;ALTERDEFAULTPRIVILEGESFORUSER{{adminuser}}INSCHEMApublicGRANTALLONSEQUENCESTO client_readwrite;ALTERDEFAULTPRIVILEGESFORUSER{{adminuser}}INSCHEMApublicGRANTALLONFUNCTIONSTO client_readwrite;-- Create user in role client_readwrite
CREATEUSER octolis_readwrite INROLE client_readwrite PASSWORD'{{user_password}}';
Revoke rights & delete role & user
javascript
-- Revoke everything
REVOKEALLONDATABASE"{{dbname}}"FROM client_readwrite;REVOKEALLONALLTABLESINSCHEMApublicFROM client_readwrite;REVOKEALLONALLSEQUENCESINSCHEMApublicFROM client_readwrite;REVOKEALLONALLFUNCTIONSINSCHEMApublicFROM client_readwrite;ALTERDEFAULTPRIVILEGESFORUSER{{adminuser}}INSCHEMApublicREVOKEALLONTABLESFROM client_readwrite;ALTERDEFAULTPRIVILEGESFORUSER{{adminuser}}INSCHEMApublicREVOKEALLONSEQUENCESFROM client_readwrite;ALTERDEFAULTPRIVILEGESFORUSER{{adminuser}}INSCHEMApublicREVOKEALLONFUNCTIONSFROM client_readwrite;-- Reassign user's ownership,delete user &role(reassign does not always work, especially on AWSRDS)--REASSIGNOWNEDBY octolis_readwrite TO{{adminuser}}--REASSIGNOWNEDBY client_readwrite TO{{adminuser}}DROPUSER octolis_readwrite;DROPROLE client_readwrite;
Create a readonly role & user (for a Connection used as a Source only).
Create role, user & grant rights
Don’t forget to replace {{adminuser}}, {{dbname}} , {{schema_name}} and {{user_password}}.
javascript
-- Create role
CREATEROLE client_readonly;-- Grant rights to role to access the DB and create schemas
GRANTCONNECTONDATABASE"{{dbname}}"TO client_readonly;--GRANT role client_readonly to read a schema
GRANTUSAGEONSCHEMA{{schema_name}}TO client_readonly;GRANTSELECTONALLTABLESINSCHEMA{{schema_name}}TO client_readonly;ALTERDEFAULTPRIVILEGESFORUSER{{adminuser}}INSCHEMA{{schema_name}}GRANTSELECTONTABLESTO client_readonly;-- Create user
CREATEUSER octolis_readonlyIN ROLE client_readonly PASSWORD'{{user_password}}';
Revoke rights & delete role & user
javascript
-- Revokes and drops everything
REVOKEALLONSCHEMA{{schema_name}}FROM client_readonly;REVOKEALLONALLTABLESINSCHEMA{{schema_name}}FROM client_readonly;ALTERDEFAULTPRIVILEGESFORUSER{{adminuser}}INSCHEMA{{schema_name}}REVOKEALLONTABLESFROM client_readonly;-- Delete user & role
DROPUSER octolis_readonly;DROPROLE client_readonly;
By the way, if your DB is protected by an IP address whitelist, don’t forget to add our IP! (see ).
