diff --git a/roles/mailman/files/mailman3_pg-give-rights.py b/roles/mailman/files/mailman3_pg-give-rights.py
new file mode 100755
index 0000000000..88b9ad6951
--- /dev/null
+++ b/roles/mailman/files/mailman3_pg-give-rights.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+# vim: et ts=4 sw=4 fileencoding=utf-8
+
+ """
+Give non-admin rights to the database app user.
+"""
+
+CONFFILE = "/etc/mailman-migration.conf"
+
+
+import site
+import yaml
+import psycopg2
+
+
+def give_rights(dbhost, dbuser, dbpasswd, dbname, dbreguser=None):
+ if dbreguser is None:
+ dbreguser = dbname + "app"
+ conn = psycopg2.connect(host=dbhost, user=dbuser, password=dbpasswd,
+ database=dbname)
+ cur = conn.cursor()
+ # Database permissions
+ dbrightsquery = "GRANT CONNECT,TEMP ON DATABASE %s TO %s;" % (dbname, dbreguser)
+ print(dbrightsquery)
+ cur.execute(dbrightsquery)
+ # Table permissions
+ cur.execute("""
+ SELECT 'GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE ON "' || relname || '" TO %s;'
+ FROM pg_class
+ JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace
+ WHERE nspname = 'public' AND relkind IN ('r', 'v');
+ """ % dbreguser)
+ queries = [q[0] for q in cur]
+ for query in queries:
+ print(query)
+ cur.execute(query)
+ # Sequence permissions
+ cur.execute("""
+ SELECT 'GRANT USAGE,SELECT,UPDATE ON ' || relname || ' TO %s;'
+ FROM pg_class
+ JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace
+ WHERE nspname = 'public' AND relkind = 'S';
+ """ % dbreguser)
+ queries = [q[0] for q in cur]
+ for query in queries:
+ print(query)
+ cur.execute(query)
+ conn.commit()
+ cur.close()
+ conn.close()
+
+
+def main():
+ with open(CONFFILE) as conffile:
+ conf = yaml.safe_load(conffile)
+ site.addsitedir(conf["confdir"])
+ import settings_admin
+
+ ## KittyStore
+ #dbspec = re.match("""
+ # postgresql://
+ # (?P[a-z]+)
+ # :
+ # (?P[^@]+)
+ # @
+ # (?P[^/]+)
+ # /
+ # (?P[^/?]+)
+ # """, settings_admin.KITTYSTORE_URL, re.X)
+ #give_rights(dbspec.group("host"),
+ # dbspec.group("user"),
+ # dbspec.group("password"),
+ # dbspec.group("database")
+ # )
+
+ # HyperKitty
+ give_rights(
+ settings_admin.DATABASES["default"]["HOST"],
+ settings_admin.DATABASES["default"]["USER"],
+ settings_admin.DATABASES["default"]["PASSWORD"],
+ settings_admin.DATABASES["default"]["NAME"],
+ )
+
+
+if __name__ == "__main__": main()
diff --git a/roles/mailman/tasks/main.yml b/roles/mailman/tasks/main.yml
index cfd1cb6c0f..be3072e682 100644
--- a/roles/mailman/tasks/main.yml
+++ b/roles/mailman/tasks/main.yml
@@ -357,7 +357,6 @@ tags: - config - mailman - when: env == 'production' - name: install the fedora-specific modules copy: src={{ item }}.py
@@ -568,6 +567,12 @@ tags: mailman when: env == 'staging'
+- name: install the updated pg-give-rights script
+ copy: src=mailman3_pg-give-rights.py dest="{{ mailman_webui_basedir }}/bin/pg-give-rights.py"
+ owner=root group=root mode=0755
+ tags: mailman
+ when: env == 'staging'
+ - name: install the templatized scripts template: src={{ item }}.j2 dest="{{ mailman_webui_basedir }}/bin/{{ item }}" owner=root group=root mode=0755
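Review bot: give_rights builds every GRANT by `%`-interpolating identifiers raw — `dbname` and `dbreguser` into the DATABASE grant, and `relname` into the generated per-object statements, where the sequence query does not even double-quote the name — so a role or object whose name needs quoting (mixed case, punctuation, an embedded `"`) yields a statement that fails or targets the wrong object. Let the database do the quoting: build the first statement with `psycopg2.sql.Identifier` (add `from psycopg2 import sql` next to the existing imports), and in both generating SELECTs wrap the object name in `quote_ident(relname)` and pass the grantee as a bound parameter through `quote_ident(%s)` instead of formatting it into the query text. The values come from the deployment's own settings, so this is a correctness fix more than an injection fix, but it removes every place in the script where query text is assembled by string formatting. Separately, `conn.commit()`, `cur.close()` and `conn.close()` run outside any `try`/`finally`, so a failed GRANT leaves the transaction open until the process exits; `with conn, conn.cursor() as cur:` rolls back and closes the cursor on error (note `with conn:` does not close the connection itself). The commented-out KittyStore block in main() references `re` without importing it and could simply be dropped.
```python
def give_rights(dbhost, dbuser, dbpasswd, dbname, dbreguser=None):
    # … unchanged: dbreguser default, psycopg2.connect, cursor …
    # Database permissions: quote the identifiers instead of interpolating them raw
    dbrightsquery = sql.SQL("GRANT CONNECT,TEMP ON DATABASE {} TO {};").format(
        sql.Identifier(dbname), sql.Identifier(dbreguser))
    print(dbrightsquery.as_string(conn))
    cur.execute(dbrightsquery)
    # Table permissions: PostgreSQL quotes both the object and the grantee
    cur.execute("""
        SELECT 'GRANT SELECT,INSERT,UPDATE,DELETE,TRUNCATE ON ' || quote_ident(relname)
               || ' TO ' || quote_ident(%s) || ';'
        FROM pg_class
        JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace
        WHERE nspname = 'public' AND relkind IN ('r', 'v');
    """, (dbreguser,))
    # … unchanged: print/execute loop over the generated statements …
    # Sequence permissions: same quoting (the original left relname bare here)
    cur.execute("""
        SELECT 'GRANT USAGE,SELECT,UPDATE ON ' || quote_ident(relname)
               || ' TO ' || quote_ident(%s) || ';'
        FROM pg_class
        JOIN pg_namespace ON pg_namespace.oid = pg_class.relnamespace
        WHERE nspname = 'public' AND relkind = 'S';
    """, (dbreguser,))
    # … unchanged: second print/execute loop, commit, close …
```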
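Review bot: The new task is gated on `when: env == 'staging'`, so production keeps whatever `pg-give-rights.py` already sits in `{{ mailman_webui_basedir }}/bin`, and nothing in the task says whether that is a staged rollout or a permanent split; a one-line comment such as `# staging first; drop the when once verified on production` would record the intent. The installed script imports `yaml` and `psycopg2` at startup but this hunk installs only the file, so presumably an earlier task in the role provides those modules — worth confirming before the copy runs on the staging host.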