Added more privilege to user (#8)

SPHTech-Platform · Aug 4, 2023 · de0c2d9 · de0c2d9
1 parent 46979a9
commit de0c2d9
Showing 1 changed file with 32 additions and 19 deletions.
diff --git a/lambda/index.py b/lambda/index.py
@@ -59,44 +59,38 @@ def provision_db_and_user(master_secrets_json, secret_json):
     master_password = master_secrets_json['password']
 
     try:
+        # Create database
+        create_database_flag = os.environ['CREATE_DATABASE']
+        if create_database_flag == "true":
+            create_database(master_username, master_password, rds_host, rds_port, "postgres")
+
+        # Connect to newly created database
         conn = psycopg2.connect(user=master_username, password=master_password,
-                                host=rds_host, port=rds_port, database="postgres")
+                                host=rds_host, port=rds_port, dbname=database_name)
         conn.autocommit = True
         cursor = conn.cursor()
 
-        # Create database
-        create_database = os.environ['CREATE_DATABASE']
-        if create_database == "true":
-            try:
-                sql = "CREATE DATABASE {};".format(database_name)
-                cursor.execute(sql)
-            except errors.DuplicateDatabase as e:
-                print('Database already exists')
-                pass
-
         # Create user
         usernames = get_pg_usernames(cursor)
         if username in usernames:
             print("User already exists - skipping creation of user")
         else:
-            sql = "CREATE USER {} WITH PASSWORD '{}' CREATEDB;".format(username, password)
+            sql = "CREATE USER {} WITH PASSWORD '{}';".format(username, password)
             cursor.execute(sql)
 
         # Grant privileges
-        grant_sql = "GRANT CONNECT ON DATABASE {} TO {};".format(
-            database_name, username)
-        grant_sql += "GRANT ALL PRIVILEGES ON DATABASE {} TO {};".format(
-            database_name, username)
-        grant_sql += "GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO {};".format(
-            username)
+        grant_sql = "GRANT CONNECT ON DATABASE {} TO {};".format(database_name, username)
+        grant_sql += "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO {};".format(username)
+        grant_sql += "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO {};".format(username)
+        grant_sql += "GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA public TO {};".format(username)
 
         cursor.execute(grant_sql)
 
         # Close communication with the database
         cursor.close()
         conn.close()
     except Exception as e:
-        print('Error performing provisioning: ', str(e))
+        print('Error while performing provisioning: ', str(e))
         raise e
 # end def
 
@@ -107,6 +101,25 @@ def get_pg_usernames(cursor):
     for row in cursor:
         rows.append(row[0])
     return rows
+# end def
+
+def create_database(master_username, master_password, rds_host, rds_port, database_name):
+    conn = psycopg2.connect(user=master_username, password=master_password,
+                                host=rds_host, port=rds_port, dbname=database_name)
+    conn.autocommit = True
+    cursor = conn.cursor()
+
+    # Create database
+    try:
+        sql = "CREATE DATABASE {};".format(database_name)
+        cursor.execute(sql)
+    except errors.DuplicateDatabase as e:
+        print('Database already exists')
+        pass
+
+    cursor.close()
+    conn.close()
+# enbd def
 
 def test_db_connection(username, password, database_name, rds_host, rds_port):
     '''Test if the database can be connected using the new password'''