chore: Add grants for appsmith user for embedded postgres

[abhvsn]

Description

PR to add the necessary grants to appsmith user when user opts for Postgres embedded DB.

fixes #36661

Automation

/test Sanity

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/11155064003
Commit: 1fb82e5
Cypress dashboard.
Tags: @tag.Sanity
Spec:

---

Thu, 03 Oct 2024 04:22:54 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

• Yes
• No

Summary by CodeRabbit

• New Features

  • Introduced default values for PostgreSQL database connection parameters.
  • Added a new function to manage user permissions on database schemas.

• Improvements

  • Enhanced the existing database initialization process to include permission granting after schema verification.
  • Updated documentation within the script for better clarity on new functionalities.

[coderabbitai]

Walkthrough

The pull request modifies the pg-utils.sh script to enhance PostgreSQL database management functionalities. It introduces default values for database connection parameters and adds a new function, grant_permissions_for_schema, to manage user permissions on schemas. The existing init_pg_db function is updated to include calls to this new function after verifying the existence of the database and schema, ensuring that the necessary permissions are granted to users.

Changes

File	Change Summary
deploy/docker/fs/opt/appsmith/pg-utils.sh	Added default values for DB_USER, DB_HOST, DB_PORT, DB_SCHEMA, DB_NAME, and postgres_admin_user. Introduced grant_permissions_for_schema function for managing schema permissions. Updated init_pg_db to call the new function after checking database and schema existence. Enhanced documentation with comments.

Assessment against linked issues

Objective	Addressed	Explanation
Add explicit permissions for appsmith user to create tables (#[36661])	✅

Possibly related PRs

• chore: Add postgres dependency for server to startup #36585: This PR adds new functions to pg-utils.sh for managing PostgreSQL connections, which directly relates to the modifications made in the main PR that also involves changes to pg-utils.sh.
• chore: create appsmith schema for postgres #36591: This PR introduces a new function init_pg_db in pg-utils.sh, which is closely related to the changes in the main PR that also updates this script with new functionalities for PostgreSQL management.

Suggested labels

Task

Suggested reviewers

• sharat87
• pratapaprasanna
• AnaghHegde

In the script of PostgreSQL delight,
New functions and defaults take flight.
Granting permissions, oh what a sight,
For appsmith users, all feels just right!
With every change, the database sings,
A world of access and joy it brings! 🎉

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[abhvsn]

/build-deploy-preview skip-tests=true

[github-actions]

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/11148781575.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 36664.
recreate: .

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 25e83f6 and e625844.

📒 Files selected for processing (1)

• deploy/docker/fs/opt/appsmith/pg-utils.sh (3 hunks)

[github-actions]

Deploy-Preview-URL: https://ce-36664.dp.appsmith.com

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (4)

deploy/docker/fs/opt/appsmith/pg-utils.sh (4)

3-9: Well done, class! Let's add a small improvement.

Good job setting up default values for our database connection parameters. This will make our script more flexible and easier to configure. However, let's make a small enhancement to improve clarity.

Consider adding a comment to explain the purpose of the postgres_admin_user variable. For example:

 DB_NAME="appsmith"
+# User with administrative privileges for PostgreSQL operations
 postgres_admin_user="postgres"

This will help other developers understand the role of this variable in our script. Remember, clear documentation is key to maintaining good code!

---

130-131: Excellent addition, but let's make it more consistent!

I'm pleased to see you've added the grant_permissions_for_schema function call. This is a crucial step in ensuring our database user has the necessary permissions. However, let's make a small adjustment for consistency.

Instead of hardcoding the schema name, let's use the DB_SCHEMA variable we defined earlier. This will make our code more maintainable and less prone to errors. Here's how we can improve it:

-      USER=$PG_DB_USER SCHEMA="appsmith" DB=$PG_DB_NAME HOST=$PG_DB_HOST PORT=$PG_DB_PORT grant_permissions_for_schema
+      USER=$PG_DB_USER SCHEMA=$DB_SCHEMA DB=$PG_DB_NAME HOST=$PG_DB_HOST PORT=$PG_DB_PORT grant_permissions_for_schema

Remember, consistency is key in programming. By using our predefined variables, we ensure that any future changes to the schema name only need to be made in one place.

---

148-166: Excellent work on the new function! Let's add a bit of error handling.

I'm impressed with your grant_permissions_for_schema function. The documentation is clear, and the use of local variables with defaults is a smart approach. You've covered all the necessary permissions for our application to function correctly.

To make this function even more robust, let's add some basic error handling. This will help us identify and troubleshoot any issues that might occur during the permission granting process. Here's a suggestion:

 grant_permissions_for_schema() {
   local user=${USER-$DB_USER} schema=${SCHEMA-$DB_SCHEMA} db=${DB-$DB_NAME} host=${HOST-$DB_HOST} port=${PORT-$DB_PORT}
   tlog "Granting permissions to user '${user}' on schema '$schema' in database '$db' on host '$host' and port '$port'..."
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT ALL PRIVILEGES ON SCHEMA ${schema} TO ${user};"
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ${schema} TO ${user};"
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "ALTER DEFAULT PRIVILEGES IN SCHEMA ${schema} GRANT ALL PRIVILEGES ON TABLES TO ${user};"
-  psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT CONNECT ON DATABASE ${db} TO ${user};"
+  if ! psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT ALL PRIVILEGES ON SCHEMA ${schema} TO ${user};" ; then
+    tlog "Error granting schema privileges to user '${user}'"
+    return 1
+  fi
+  if ! psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA ${schema} TO ${user};" ; then
+    tlog "Error granting table privileges to user '${user}'"
+    return 1
+  fi
+  if ! psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "ALTER DEFAULT PRIVILEGES IN SCHEMA ${schema} GRANT ALL PRIVILEGES ON TABLES TO ${user};" ; then
+    tlog "Error altering default privileges for user '${user}'"
+    return 1
+  fi
+  if ! psql -h ${host} -p ${port} -U ${postgres_admin_user} -d ${db} -c "GRANT CONNECT ON DATABASE ${db} TO ${user};" ; then
+    tlog "Error granting connect privilege to user '${user}'"
+    return 1
+  fi
+  tlog "Successfully granted all permissions to user '${user}'"
 }

This modification will help us identify which specific permission grant failed, if any. It's always good practice to handle potential errors in our scripts. Keep up the great work!

---

171-172: Good job on adding examples! Let's make them even clearer.

I appreciate your effort in providing example usage for our functions. This will be very helpful for other developers who might use this script in the future. Well done!

To make these examples even more clear and educational, let's add a brief comment explaining what each example does. Here's a suggestion:

-# init_pg_db
-# USER="user" SCHEMA="schema" DB="db" HOST="host" PORT="port" grant_permissions_for_schema
+# Initialize the PostgreSQL database:
+# init_pg_db
+
+# Grant permissions for a specific user on a schema:
+# USER="user" SCHEMA="schema" DB="db" HOST="host" PORT="port" grant_permissions_for_schema

Remember, good documentation is like a good lesson plan - it helps others understand and learn from our work. Keep up the excellent work in making our code more accessible!

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between e625844 and 1fb82e5.

📒 Files selected for processing (1)

• deploy/docker/fs/opt/appsmith/pg-utils.sh (3 hunks)

🧰 Additional context used

📓 Learnings (1)

deploy/docker/fs/opt/appsmith/pg-utils.sh (1)

Learnt from: abhvsn
PR: appsmithorg/appsmith#36664
File: deploy/docker/fs/opt/appsmith/pg-utils.sh:130-131
Timestamp: 2024-10-03T02:38:50.045Z
Learning: In `pg-utils.sh`, the schema is not part of the connection string and isn't available as an environment variable after `extract_postgres_db_params`.

[AnaghHegde]

Minor nit, rest looks good to me

[AnaghHegde]

Why is the schema hardcoded here? Can you use the DB_SCHEMA here?

[abhvsn]

Can be used, but kept it hardcoded as the other vars are exported env variables and don't wanted to mixup.

[AnaghHegde]

If they can be modified then the concern is valid for the other fields as well like - user, database name

[abhvsn]

Yeah that's why I'm using the env vars extracted from the other method.