Created
November 12, 2018 22:35
-
-
Save nZac/e110a6da34dbb3860b7b7104a6934cb9 to your computer and use it in GitHub Desktop.
Permissioned Template Based PG Database Creation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --------------------------- | |
| -- SERVER LEVEL COMMANDS -- | |
| --------------------------- | |
| -- Create a new template database (we could alter template1 as well). | |
| CREATE DATABASE "template2"; | |
| -- This avoids possibly droping the template table | |
| UPDATE pg_database SET datistemplate = true WHERE datname='template2'; | |
| -- Revoke CONNECT on template2.public from default permission set | |
| REVOKE ALL ON SCHEMA public FROM public; | |
| ---------------- | |
| -- NEW APP DB -- | |
| ---------------- | |
| -- Create a new group for the application | |
| CREATE ROLE "app-group"; | |
| -- Create a new user for DDL | |
| CREATE USER "app-ddl" IN ROLE "app-group" PASSWORD 'x' CREATEDB INHERIT; | |
| -- Create a new user for application | |
| CREATE USER "app-user" IN ROLE "app-group" PASSWORD 'x' INHERIT; | |
| -- Create a non-user for application | |
| CREATE USER "non-app-user" PASSWORD 'x'; | |
| -- Create a new application database | |
| CREATE DATABASE "app-db" OWNER "app-group" TEMPLATE "template2"; | |
| -- REVOKE connect on the DATABASE | |
| REVOKE CONNECT ON DATABASE "app-db" FROM PUBLIC; | |
| GRANT CONNECT ON DATABASE "app-db" TO "app-ddl", "app-user"; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment