2020-01-14 15:57:45 +03:00
.. meta ::
2020-06-02 17:55:40 +03:00
:description: Postgres requirements for Hasura GraphQL engine
:keywords: hasura, docs, deployment, postgres, postgres permissions, postgres version
2020-01-14 15:57:45 +03:00
2020-06-02 17:55:40 +03:00
.. _postgres_requirements:
2020-03-11 22:42:36 +03:00
2020-06-02 17:55:40 +03:00
Postgres requirements
=====================
2018-09-11 14:11:24 +03:00
2018-12-03 15:12:24 +03:00
.. contents :: Table of contents
:backlinks: none
2020-06-29 16:28:03 +03:00
:depth: 2
2018-12-03 15:12:24 +03:00
:local:
2020-06-02 17:55:40 +03:00
.. _postgres_version_support:
Supported Postgres versions
---------------------------
Hasura GraphQL engine supports **Postgres versions 9.5 and above** .
Feature requirements
^^^^^^^^^^^^^^^^^^^^
- :ref: `Hasura actions <actions>` are supported in Postgres 10 and above.
.. _postgres_permissions:
Postgres permissions
--------------------
2019-09-11 10:17:14 +03:00
If you're running in a controlled environment, you might need to configure the Hasura GraphQL engine to use a
2018-09-11 14:11:24 +03:00
specific Postgres user that your DBA gives you.
2019-09-11 10:17:14 +03:00
The Hasura GraphQL engine needs access to your Postgres database with the following permissions:
2018-09-11 14:11:24 +03:00
- (required) Read & write access on 2 schemas: `` hdb_catalog `` and `` hdb_views `` .
- (required) Read access to the `` information_schema `` and `` pg_catalog `` schemas, to query for list of tables.
2020-07-09 11:42:33 +03:00
Note that these permissions are usually available by default to all postgres users via `PUBLIC <https://www.postgresql.org/docs/current/sql-grant.html> `__ grant.
2018-09-11 14:11:24 +03:00
- (required) Read access to the schemas (public or otherwise) if you only want to support queries.
2019-09-11 10:17:14 +03:00
- (optional) Write access to the schemas if you want to support mutations as well.
2018-09-11 14:11:24 +03:00
- (optional) To create tables and views via the Hasura console (the admin UI) you'll need the privilege to create
2019-09-11 10:17:14 +03:00
tables/views. This might not be required when you're working with an existing database.
2018-09-11 14:11:24 +03:00
2020-06-29 16:28:03 +03:00
Here's a sample SQL block that you can run on your database (as a **superuser** ) to create the right credentials for a sample Hasura user:
2018-09-11 14:11:24 +03:00
.. code-block :: sql
-- We will create a separate user and grant permissions on hasura-specific
-- schemas and information_schema and pg_catalog
-- These permissions/grants are required for Hasura to work properly.
-- create a separate user for hasura
CREATE USER hasurauser WITH PASSWORD 'hasurauser';
-- create pgcrypto extension, required for UUID
CREATE EXTENSION IF NOT EXISTS pgcrypto;
-- create the schemas required by the hasura system
-- NOTE: If you are starting from scratch: drop the below schemas first, if they exist.
CREATE SCHEMA IF NOT EXISTS hdb_catalog;
CREATE SCHEMA IF NOT EXISTS hdb_views;
2019-03-19 07:36:40 +03:00
-- make the user an owner of system schemas
ALTER SCHEMA hdb_catalog OWNER TO hasurauser;
ALTER SCHEMA hdb_views OWNER TO hasurauser;
2018-09-11 14:11:24 +03:00
-- grant select permissions on information_schema and pg_catalog. This is
2020-06-29 16:28:03 +03:00
-- required for hasura to query the list of available tables.
-- NOTE: these permissions are usually available by default to all users via PUBLIC grant
2018-09-11 14:11:24 +03:00
GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO hasurauser;
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO hasurauser;
2020-06-29 16:28:03 +03:00
-- The below permissions are optional. This is dependent on what access to your
-- tables/schemas you want give to hasura. If you want expose the public
2018-09-11 14:11:24 +03:00
-- schema for GraphQL query then give permissions on public schema to the
-- hasura user.
2019-02-06 09:39:36 +03:00
-- Be careful to use these in your production db. Consult the postgres manual or
-- your DBA and give appropriate permissions.
2018-09-11 14:11:24 +03:00
-- grant all privileges on all tables in the public schema. This can be customised:
-- For example, if you only want to use GraphQL regular queries and not mutations,
2019-02-06 09:39:36 +03:00
-- then you can set: GRANT SELECT ON ALL TABLES...
2019-07-02 10:49:29 +03:00
GRANT USAGE ON SCHEMA public TO hasurauser;
2018-09-11 14:11:24 +03:00
GRANT ALL ON ALL TABLES IN SCHEMA public TO hasurauser;
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO hasurauser;
2020-03-30 11:18:13 +03:00
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO hasurauser;
2018-09-11 14:11:24 +03:00
2020-06-29 16:28:03 +03:00
-- Similarly add these for other schemas as well, if you have any.
2019-02-06 09:39:36 +03:00
-- GRANT USAGE ON SCHEMA <schema-name> TO hasurauser;
-- GRANT ALL ON ALL TABLES IN SCHEMA <schema-name> TO hasurauser;
-- GRANT ALL ON ALL SEQUENCES IN SCHEMA <schema-name> TO hasurauser;
2020-06-29 16:28:03 +03:00
-- GRANT ALL ON ALL FUNCTIONS IN SCHEMA <schema-name> TO hasurauser;
Notes for managed databases (AWS RDS, GCP Cloud SQL, etc.)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Hasura works out of the box with the default superuser, usually called "postgres", created by most managed cloud database providers.
On some cloud providers, like **Google Cloud SQL** , if you are creating a new user and giving the :ref: `above <postgres_permissions>` privileges,
then you may notice that the following commands may throw warnings/errors:
.. code-block :: sql
postgres=> ALTER SCHEMA hdb_catalog OWNER TO hasurauser;
ERROR: must be member of role "hasurauser"
This happens because the superuser created by the cloud provider sometimes has different permissions. To fix this, you can run the following command first:
.. code-block :: sql
-- assuming "postgres" is the superuser that you are running the commands with.
postgres=> GRANT hasurauser to postgres;
GRANT
postgres=> ALTER SCHEMA hdb_catalog OWNER TO hasurauser;
You may also notice the following commands throw warnings/errors:
.. code-block :: sql
postgres=> GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO hasurauser;
WARNING: no privileges were granted for "sql_packages"
WARNING: no privileges were granted for "sql_features"
WARNING: no privileges were granted for "sql_implementation_info"
ERROR: permission denied for table sql_parts
postgres=> GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO hasurauser;
ERROR: permission denied for table pg_statistic
You can **ignore** these warnings/errors or skip granting these permission as usually all users have relevant access to `` information_schema `` and `` pg_catalog `` schemas by default (see keyword `PUBLIC <https://www.postgresql.org/docs/current/sql-grant.html> `_ ).
2020-06-02 17:55:40 +03:00
**pgcrypto** in PG search path
------------------------------
Hasura GraphQL engine needs the `` pgcrypto `` Postgres extension to function.
During initialization, Hasura GraphQL engine tries to install the `` pgcrypto `` extension
in the `` public `` schema, if it is not already installed.
It needs to be ensured that `` pgcrypto `` is installed in a schema which is in the Postgres
`search path <https://www.postgresql.org/docs/current/ddl-schemas.html#DDL-SCHEMAS-PATH> `_
for the Postgres user/role that Hasura connects with.
If `` pgcrypto `` is installed in a schema that is not in the search path, the
schema can be added to the search path by executing one of the following SQL commands
depending on your setup:
.. code-block :: sql
-- set search path to include schemas for the entire database
ALTER DATABASE <database_name> SET search_path TO schema1,schema2;
-- OR --
-- set search path to include schemas for a particular role
ALTER ROLE <hasura_role> SET search_path TO schema1,schema2;
