diff --git a/deployment/secure_research_environment/cloud_init/cloud-init-postgres.mustache.yaml b/deployment/secure_research_environment/cloud_init/cloud-init-postgres.mustache.yaml index 997ea60e68..cdbbb62b41 100644 --- a/deployment/secure_research_environment/cloud_init/cloud-init-postgres.mustache.yaml +++ b/deployment/secure_research_environment/cloud_init/cloud-init-postgres.mustache.yaml @@ -60,6 +60,13 @@ write_files: # Run user synchronisation every 10 minutes */10 * * * * postgres /usr/local/bin/pg_ldap_sync -vvv -c /etc/postgresql/12/main/pg-ldap-sync.yaml 2>&1 | logger -t SafeHaven + - path: "/etc/cron.d/db-role-update" + permissions: "0644" + content: | + # Trigger role updates every 10 minutes by writing a comment to the data schema + # Run at 1, 11, 21, 31, 41, 51 minutes past the hour so always after the user sync + 1-59/10 * * * * postgres /usr/bin/psql -q -c "comment on schema data is 'Data schema can only be modified by Data Admins or System Admins';" + - path: "/etc/cron.d/runonce" permissions: "0644" content: | @@ -158,7 +165,7 @@ write_files: - path: "/opt/configuration/create-postgres-triggers.sql" permissions: "0444" content: | - {{{postgres_create_postgres_triggers.mustache.sql}}} + {{postgres_create_postgres_triggers.mustache.sql}} - path: "/opt/configuration/install-postgres-extensions.sql" permissions: "0444" diff --git a/deployment/secure_research_environment/cloud_init/postgres_create_postgres_triggers.mustache.sql b/deployment/secure_research_environment/cloud_init/resources/postgres_create_postgres_triggers.mustache.sql similarity index 88% rename from deployment/secure_research_environment/cloud_init/postgres_create_postgres_triggers.mustache.sql rename to deployment/secure_research_environment/cloud_init/resources/postgres_create_postgres_triggers.mustache.sql index 6e11a2851d..922db6e148 100644 --- a/deployment/secure_research_environment/cloud_init/postgres_create_postgres_triggers.mustache.sql +++ b/deployment/secure_research_environment/cloud_init/resources/postgres_create_postgres_triggers.mustache.sql @@ -9,8 +9,15 @@ DECLARE obj record; BEGIN IF EXISTS (SELECT usename FROM pg_user WHERE ((usename = CURRENT_USER) AND (usesuper='t'))) THEN - FOR obj in SELECT * FROM pg_user WHERE ((usesuper='t' or usecreatedb='t') AND (usename!='postgres') AND NOT pg_has_role(usesysid, '{{sre.domain.securityGroups.systemAdministrators.name}}', 'member')) LOOP - EXECUTE format('ALTER USER "%s" WITH NOCREATEDB NOCREATEROLE NOSUPERUSER;', obj.usename); + FOR obj in SELECT * FROM pg_user + WHERE usesysid NOT IN ( + SELECT member FROM pg_auth_members + WHERE roleid = ( + SELECT oid FROM pg_roles + WHERE rolname = '{{sre.domain.securityGroups.systemAdministrators.name}}')) + AND NOT usename = 'postgres' + LOOP + EXECUTE format('ALTER USER "%s" WITH NOCREATEDB NOCREATEROLE NOSUPERUSER;', obj.usename); END LOOP; FOR obj in SELECT * FROM pg_user WHERE (pg_has_role(usesysid, '{{sre.domain.securityGroups.systemAdministrators.name}}', 'member')) LOOP EXECUTE format('ALTER USER "%s" WITH CREATEDB CREATEROLE SUPERUSER;', obj.usename); diff --git a/docs/source/roles/researcher/user_guide.md b/docs/source/roles/researcher/user_guide.md index fe9a1af399..565642c1a8 100644 --- a/docs/source/roles/researcher/user_guide.md +++ b/docs/source/roles/researcher/user_guide.md @@ -946,6 +946,9 @@ The database server will use either `Microsoft SQL` or `PostgreSQL`. If you have access to one or more databases, you can access them using the following details, replacing `` with the {ref}`SRE ID ` for your project. +For guidance on how to use the databases, many resources are available on the internet. +Official tutorials for [MSSQL](https://learn.microsoft.com/en-us/sql/sql-server/tutorials-for-sql-server-2016?view=sql-server-ver16) and [PostgreSQL](https://www.postgresql.org/docs/current/tutorial.html) may be good starting points. + ### {{bento_box}} Microsoft SQL - Server name: `MSSQL-` (e.g. `MSSQL-SANDBOX` ) diff --git a/docs/source/roles/system_manager/manage_users.md b/docs/source/roles/system_manager/manage_users.md index c83a2c80f3..e2bac7c6f7 100644 --- a/docs/source/roles/system_manager/manage_users.md +++ b/docs/source/roles/system_manager/manage_users.md @@ -17,10 +17,13 @@ A helper script for doing this is already uploaded to the domain controller - yo ### {{lock}} SRE Security Groups -Each user should be assigned to one or more Active Directory "security groups", which give them access to a given SRE with appropriate privileges. The security groups are named like so: +Each user should be assigned to one or more Active Directory "security groups". The key difference between these groups is the level of privilege they have when manipulating databases within the SRE. -- `SG Research Users`: Default for most researchers. No special permissions. -- `SG Data Administrators`: Researchers who can create/modify/delete database tables schemas. Given to a smaller number of researchers. Restricting this access to most users prevents them creating/deleting arbitrary schemas, which is important because some SREs have their input data in database form. +- `SG Research Users`: Almost all researchers should be in this group. No special permissions. Allows users to log in to ``. +- `SG Data Administrators`: Researchers who can create/modify/delete tables in the `data` schema on databases within ``. `SG Research Users` can only read these tables. Restricting this access prevents most users from creating/deleting arbitrary tables, which is important because some SREs have their input data in database form. +- `SG System Administrators`: Researchers who have full superuser privileges on databases within ``. Users in this group have full access to the databases and can manipulate them in any way they choose. + +Typically, users with either of the latter two roles should also have the `Research Users` role to allow them to log in to the SRDs within the SRE. (generate_user_csv)=