Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fdc sql perms #7578

Merged
merged 15 commits into from
Aug 29, 2024
Merged

Fdc sql perms #7578

merged 15 commits into from
Aug 29, 2024

Conversation

tammam-g
Copy link
Contributor

@tammam-g tammam-g commented Aug 21, 2024
edited
Loading

Description

This pull request changes how we setup SQL permissions inside postgres as part of the dataconnect:migrate command. The purpose of this change is to reduce the radius of permissions we grant to improve the database security.

The new migration flow is the following:

  • Revoke cloudsqlsuperuser from firebase owner provide backward compatibility.
  • Creates and sets up owner/writer/reader firebase SQL roles.
  • Grant cloudsqlsuperuser access to these roles.
  • Grant dataconnect P4SA access to the writer role.
  • Execute Create Extension commands with "cloudsqlsuperuser" role.
  • Execute remaining diffs under the IAM user firebaseowner_* role .

This change is backward compatible and effects already existing users minimally. We automatically revoke the cloudsqlsuperuser permission from firebaseowner to avoid cyclic dependencies/errors with the new roles setup but we don't revoke any other permissions that have been granted to PUBLIC.

Note, downgrading CLI version will require manual intervention, specifically users will need to manually run REVOKE "firebaseowner_postgres_public" FROM "cloudsqlsuperuser".

Scenarios Tested

Test 1

  1. Setup new SQL instance and FDC service.
  2. Ran the original firebase dataconnect:sql:migrate to apply schema changes and extensions.
  3. Dropped extensions and schema changes from CloudSQL console.
  4. Ran the new firebase dataconnect:sql:migrate and confirmed diffs applied with no errors.

Test 2

  1. Created a new SQL instance and FDC service.
  2. Ran the new firebase dataconnect:sql:migrate and confirmed diffs applied, extensions installed with no errors.
  3. Confirmed dataconnect P4SA can still read and write to the db and use vector extension search.

Sample Commands

No changes.

@tammam-g tammam-g added the api: dataconnect Issues related to dataconnect label Aug 21, 2024
github-advanced-security[bot]
github-advanced-security bot found potential problems Aug 21, 2024
View reviewed changes
src/gcp/cloudsql/connect.ts Dismissed Show dismissed Hide dismissed
src/gcp/cloudsql/permissions.ts Fixed Show fixed Hide fixed
@codecov-commenter
Copy link

Codecov Report

Attention: Patch coverage is 23.71134% with 74 lines in your changes missing coverage. Please review.

Project coverage is 52.96%. Comparing base (8f34600) to head (e002252).
Report is 25 commits behind head on master.

Files Patch % Lines
src/gcp/cloudsql/permissions.ts 28.00% 36 Missing ⚠️
src/dataconnect/schemaMigration.ts 9.52% 19 Missing ⚠️
src/gcp/cloudsql/connect.ts 25.00% 18 Missing ⚠️
src/api.ts 50.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #7578      +/-   ##
==========================================
- Coverage   53.06%   52.96%   -0.11%     
==========================================
  Files         391      392       +1     
  Lines       27003    27112     +109     
  Branches     5571     5593      +22     
==========================================
+ Hits        14330    14360      +30     
- Misses      11393    11471      +78     
- Partials     1280     1281       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@tammam-g tammam-g self-assigned this Aug 21, 2024
@tammam-g tammam-g marked this pull request as ready for review August 21, 2024 22:44
fredzqm
fredzqm reviewed Aug 22, 2024
View reviewed changes
Copy link
Contributor

@fredzqm fredzqm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks really good! High code standard! I only have minor nits left.

Do you think it is safe to release this regularly?
Can you test it with an database setup using old CLI and verify the upgrade process?

After that, LGTM

src/gcp/cloudsql/connect.ts Show resolved Hide resolved
src/gcp/cloudsql/permissions.ts Outdated Show resolved Hide resolved
src/gcp/cloudsql/permissions.ts Show resolved Hide resolved
src/gcp/cloudsql/permissions.ts Outdated Show resolved Hide resolved
src/gcp/cloudsql/permissions.ts Outdated Show resolved Hide resolved
src/gcp/cloudsql/permissions.ts Outdated Show resolved Hide resolved
src/gcp/cloudsql/connect.ts Outdated Show resolved Hide resolved
@tammam-g
Copy link
Contributor Author

Do you think it is safe to release this regularly? Can you test it with an database setup using old CLI and verify the upgrade process?

It should be safe. I tried it on a new database, used the current latest version of firebase deploy, then changed the schema a bit and ran the new version fb deploy. A message saying Detected cloudsqlsuperuser was previously given to firebase owner, revoking to improve database security. is printed (silently the setup runs) and the diff is then executed.

@tammam-g tammam-g requested a review from fredzqm August 26, 2024 16:34
@fredzqm
Copy link
Contributor

fredzqm commented Aug 27, 2024

Looks good to me~ Left one comment on cloudsql.instances.login.

@tammam-g Can you update CHANGELOG?

cc @joehan in case you want to take a look. Optional though.

joehan
joehan reviewed Aug 27, 2024
View reviewed changes
src/api.ts
@@ -151,6 +151,11 @@ export const githubClientSecret = () =>

export const dataconnectOrigin = () =>
utils.envOverride("FIREBASE_DATACONNECT_URL", "https://firebasedataconnect.googleapis.com");
export const dataconnectP4SADomain = () =>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not blocking: Is this something that will need to be overridden ever? It seems like all p4sas will have this domain. If it won't be overridden, you could simplify this to just a normal constant in schemaMigration.ts

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if it will be overridden, possibly if testing internally. But this is the pattern I saw other firebase products use for setting the P4SA domain so I feel sticking with how the rest of the CLI does this makes sense.

joehan
joehan approved these changes Aug 28, 2024
View reviewed changes
Copy link
Contributor

@joehan joehan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some messaging suggestions but this mostly lgtm

src/dataconnect/schemaMigration.ts Outdated Show resolved Hide resolved
src/dataconnect/schemaMigration.ts Outdated Show resolved Hide resolved
src/dataconnect/schemaMigration.ts Outdated Show resolved Hide resolved
src/dataconnect/schemaMigration.ts Outdated Show resolved Hide resolved
src/dataconnect/schemaMigration.ts Outdated Show resolved Hide resolved
src/gcp/cloudsql/permissions.ts Outdated Show resolved Hide resolved
src/gcp/cloudsql/permissions.ts Show resolved Hide resolved
@tammam-g tammam-g merged commit fb17e78 into master Aug 29, 2024
41 checks passed
hlshen pushed a commit that referenced this pull request Sep 3, 2024
@tammam-g @hlshen
Fdc sql perms (#7578)
bee3847 
* Improve SQL permissions setup and security in dataconnenct:sql:migrate command

* Improve sql role grant checks

* redeuce required iam perms to perform sql setup and remove cloudsql.users.create requirement for migrate

* Move P4SA user creation and grants to setupIAMUsers
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fredzqm fredzqm fredzqm approved these changes

@joehan joehan joehan approved these changes

Assignees

@tammam-g tammam-g

Labels
api: dataconnect Issues related to dataconnect
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tammam-g @codecov-commenter @fredzqm @joehan