From 5e1f05db898431b3c9a161b6720f5d45f5b3434a Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Thu, 11 Jul 2024 03:03:09 +0200 Subject: [PATCH] chore(postgres): dump new findings --- knowledge base/cloud computing/aws/rds.md | 23 +++++++++++++++-------- knowledge base/postgresql.md | 6 ++++++ snippets/postgresql.sql | 11 ++++++++++- 3 files changed, 31 insertions(+), 9 deletions(-) diff --git a/knowledge base/cloud computing/aws/rds.md b/knowledge base/cloud computing/aws/rds.md index dd6d5df..e0a03f9 100644 --- a/knowledge base/cloud computing/aws/rds.md +++ b/knowledge base/cloud computing/aws/rds.md @@ -1,6 +1,8 @@ # Amazon Relational Database Service 1. [TL;DR](#tldr) +1. [Engine](#engine) + 1. [PostgreSQL](#postgresql) 1. [Storage](#storage) 1. [Parameter Groups](#parameter-groups) 1. [Option Groups](#option-groups) @@ -11,11 +13,10 @@ 1. [Restore](#restore) 1. [Encryption](#encryption) 1. [Operations](#operations) - 1. [PostgreSQL](#postgresql) - 1. [Reduce allocated storage by migrating using transportable databases](#reduce-allocated-storage-by-migrating-using-transportable-databases) + 1. [PostgreSQL: reduce allocated storage by migrating using transportable databases](#postgresql-reduce-allocated-storage-by-migrating-using-transportable-databases) 1. [Troubleshooting](#troubleshooting) - 1. [ERROR: extension must be loaded via shared\_preload\_libraries](#error-extension-must-be-loaded-via-shared_preload_libraries) - 1. [ERROR: must be superuser to alter superuser roles or change superuser attribute](#error-must-be-superuser-to-alter-superuser-roles-or-change-superuser-attribute) + 1. [ERROR: extension must be loaded via shared\_preload\_libraries](#error-extension-must-be-loaded-via-shared_preload_libraries) + 1. [ERROR: must be superuser to alter _X_ roles or change _X_ attribute](#error-must-be-superuser-to-alter-x-roles-or-change-x-attribute) 1. [Further readings](#further-readings) 1. [Sources](#sources) 
@@ -83,6 +84,12 @@ One can choose any of the following retention periods for instances' Performance - _n_ months, where n is a number from 1 to 24.
In CLI and IaC, this number must be _n*31_. +## Engine + +### PostgreSQL + +Refer [Understanding PostgreSQL roles and permissions]. + ## Storage Refer [Amazon RDS DB instance storage]. @@ -365,9 +372,7 @@ latest available backup. ## Operations -### PostgreSQL - -#### Reduce allocated storage by migrating using transportable databases +### PostgreSQL: reduce allocated storage by migrating using transportable databases Refer [Migrating databases using RDS PostgreSQL Transportable Databases], [Transporting PostgreSQL databases between DB instances] and @@ -632,7 +637,7 @@ Refer [How can I resolve the "ERROR: must be loaded via share 1. Reboot the instance to apply the change. 1. Try reloading it again. -### ERROR: must be superuser to alter superuser roles or change superuser attribute +### ERROR: must be superuser to alter _X_ roles or change _X_ attribute Error message examples: @@ -647,6 +652,7 @@ Actions involving altering protected roles or changing protected attributes are - [Working with DB instance read replicas] - [Working with parameter groups] - [How can I resolve the "ERROR: must be loaded via shared_preload_libraries" error?] +- [Understanding PostgreSQL roles and permissions] ### Sources 
@@ -689,6 +695,7 @@ Actions involving altering protected roles or changing protected attributes are [restoring from a db snapshot]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RestoreFromSnapshot.html [transport postgresql databases between two amazon rds db instances using pg_transport]: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/transport-postgresql-databases-between-two-amazon-rds-db-instances-using-pg_transport.html [transporting postgresql databases between db instances]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/PostgreSQL.TransportableDB.html +[understanding postgresql roles and permissions]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.Roles.html [what is aws database migration service?]: https://docs.aws.amazon.com/dms/latest/userguide/Welcome.html [working with db instance read replicas]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html [working with parameter groups]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html diff --git a/knowledge base/postgresql.md b/knowledge base/postgresql.md index 261eb80..363c1eb 100644 --- a/knowledge base/postgresql.md +++ b/knowledge base/postgresql.md @@ -17,6 +17,12 @@ postgres.lan:5643:postgres:postgres:BananaORama The credential file's permissions must be `0600`, or it will be ignored. +Database roles represent both users and groups.
+Roles are **distinct** from the OS' users and groups, and are global across the whole installation (there are **no** +DB-specific roles). + +Extensions in PostgreSQL are managed per database. + ```sh # Installation. brew install 'postgresql@14' diff --git a/snippets/postgresql.sql b/snippets/postgresql.sql index e18a0b4..90f81bd 100644 --- a/snippets/postgresql.sql +++ b/snippets/postgresql.sql @@ -60,6 +60,11 @@ DROP SCHEMA IF EXISTS mundane CASCADE; \dt+ +-- Revoke *default* privileges +ALTER DEFAULT PRIVILEGES IN SCHEMA cache REVOKE select ON TABLES FROM sales; +ALTER DEFAULT PRIVILEGES FOR ROLE juan IN SCHEMA cache REVOKE all ON TABLES FROM sales; + + -- List users with respective roles \du \du+ @@ -83,10 +88,14 @@ CREATE USER mike; ALTER USER joel WITH SUPERUSER; -- Revoke SuperUser permissions ALTER USER joel WITH NOSUPERUSER; --- Allow users to create databases +-- Grant privileges to users ALTER USER mark CREATEDB; +ALTER ROLE miriam CREATEROLE CREATEDB; -- Change passwords ALTER USER jonathan WITH PASSWORD 'seagull5-pantomime-Resting'; +ALTER ROLE samantha WITH PASSWORD 'Wing5+Trunks3+Relic2' VALID UNTIL 'August 4 12:00:00 2024 +1'; +-- Change password's validity +ALTER ROLE fred VALID UNTIL 'infinity'; -- Close the connection to the current DB
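Review bot: The two `ALTER DEFAULT PRIVILEGES ... REVOKE` examples added under `-- Revoke *default* privileges` say nothing about their scope, so a reader could take them as removing access that `sales` already holds. They only change what is applied to tables created afterwards, and the first form (no `FOR ROLE`) covers only objects created by the role that runs it; existing tables still need a plain `REVOKE select ON ALL TABLES IN SCHEMA cache FROM sales;`. PostgreSQL also adds per-schema defaults on top of the global ones, so a per-schema `REVOKE` only undoes an earlier per-schema grant. I would put `-- Affects tables created later only; existing tables need REVOKE ... ON ALL TABLES IN SCHEMA` and `-- A per-schema REVOKE cannot remove defaults that were granted globally` above the statements.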
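Review bot: The added `ALTER ROLE samantha WITH PASSWORD '...' VALID UNTIL ...` example puts the password in the statement text, where it can end up in the client history and, depending on the logging settings, in the server log. I would add a comment pointing to psql's `\password samantha`, which hashes the password on the client before sending it, e.g. `-- Prefer \password ROLE in psql: the cleartext stays out of history and server logs`. Separately, `-- Grant privileges to users` now also covers `CREATEROLE`, which is a role attribute rather than a privilege and, on PostgreSQL versions before 16, lets the holder alter any non-superuser role; `-- Set role attributes (CREATEROLE is close to superuser before v16)` would describe it better. `VALID UNTIL` limits the password only, not the role, so `-- Change password's validity` could add that `'infinity'` removes the expiry altogether.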