docs: add section for managed databases and related perms (close #1677, close #3783) (#5228)

This commit is contained in:
Tirumarai Selvan 2020-06-29 18:58:03 +05:30 committed by GitHub
parent 1ff660d7d6
commit 4de8f912bb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 55 additions and 7 deletions

View File

@ -2,6 +2,15 @@
## Next release
### Bug fixes and improvements
(Add entries here in the order of: server, console, cli, docs, others)
- docs: add note for managed databases in postgres requirements (close #1677, #3783) (#5228)
## `v1.3.0-beta.3`
### Bug fixes and improvements

View File

@ -9,7 +9,7 @@ Postgres requirements
.. contents:: Table of contents
:backlinks: none
:depth: 1
:depth: 2
:local:
.. _postgres_version_support:
@ -36,13 +36,13 @@ The Hasura GraphQL engine needs access to your Postgres database with the follow
- (required) Read & write access on 2 schemas: ``hdb_catalog`` and ``hdb_views``.
- (required) Read access to the ``information_schema`` and ``pg_catalog`` schemas, to query for list of tables.
Note that these permissions are usually available by default to all postgres users via `PUBLIC <https://www.postgresql.org/docs/current/sql-grant.html>`_ grant.
- (required) Read access to the schemas (public or otherwise) if you only want to support queries.
- (optional) Write access to the schemas if you want to support mutations as well.
- (optional) To create tables and views via the Hasura console (the admin UI) you'll need the privilege to create
tables/views. This might not be required when you're working with an existing database.
Here's a sample SQL block that you can run on your database to create the right credentials:
Here's a sample SQL block that you can run on your database (as a **superuser**) to create the right credentials for a sample Hasura user:
.. code-block:: sql
@ -66,12 +66,13 @@ Here's a sample SQL block that you can run on your database to create the right
ALTER SCHEMA hdb_views OWNER TO hasurauser;
-- grant select permissions on information_schema and pg_catalog. This is
-- required for hasura to query list of available tables
-- required for hasura to query the list of available tables.
-- NOTE: these permissions are usually available by default to all users via PUBLIC grant
GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO hasurauser;
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO hasurauser;
-- Below permissions are optional. This is dependent on what access to your
-- tables/schemas - you want give to hasura. If you want expose the public
-- The below permissions are optional. This is dependent on what access to your
-- tables/schemas you want give to hasura. If you want expose the public
-- schema for GraphQL query then give permissions on public schema to the
-- hasura user.
-- Be careful to use these in your production db. Consult the postgres manual or
@ -85,10 +86,48 @@ Here's a sample SQL block that you can run on your database to create the right
GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO hasurauser;
GRANT ALL ON ALL FUNCTIONS IN SCHEMA public TO hasurauser;
-- Similarly add this for other schemas, if you have any.
-- Similarly add these for other schemas as well, if you have any.
-- GRANT USAGE ON SCHEMA <schema-name> TO hasurauser;
-- GRANT ALL ON ALL TABLES IN SCHEMA <schema-name> TO hasurauser;
-- GRANT ALL ON ALL SEQUENCES IN SCHEMA <schema-name> TO hasurauser;
-- GRANT ALL ON ALL FUNCTIONS IN SCHEMA <schema-name> TO hasurauser;
Notes for managed databases (AWS RDS, GCP Cloud SQL, etc.)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Hasura works out of the box with the default superuser, usually called "postgres", created by most managed cloud database providers.
On some cloud providers, like **Google Cloud SQL**, if you are creating a new user and giving the :ref:`above <postgres_permissions>` privileges,
then you may notice that the following commands may throw warnings/errors:
.. code-block:: sql
postgres=> ALTER SCHEMA hdb_catalog OWNER TO hasurauser;
ERROR: must be member of role "hasurauser"
This happens because the superuser created by the cloud provider sometimes has different permissions. To fix this, you can run the following command first:
.. code-block:: sql
-- assuming "postgres" is the superuser that you are running the commands with.
postgres=> GRANT hasurauser to postgres;
GRANT
postgres=> ALTER SCHEMA hdb_catalog OWNER TO hasurauser;
You may also notice the following commands throw warnings/errors:
.. code-block:: sql
postgres=> GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO hasurauser;
WARNING: no privileges were granted for "sql_packages"
WARNING: no privileges were granted for "sql_features"
WARNING: no privileges were granted for "sql_implementation_info"
ERROR: permission denied for table sql_parts
postgres=> GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO hasurauser;
ERROR: permission denied for table pg_statistic
You can **ignore** these warnings/errors or skip granting these permission as usually all users have relevant access to ``information_schema`` and ``pg_catalog`` schemas by default (see keyword `PUBLIC <https://www.postgresql.org/docs/current/sql-grant.html>`_).
**pgcrypto** in PG search path
------------------------------