liderra/portal
1
0
Fork 0
Code Issues Pull Requests Actions 61 Packages Projects Releases Wiki Activity
Files
d82b1bf17c2e4b8ff7f2e65d65700cf323c4b57a
portal/db/02_grants.sql
T
Дмитрий d4b1e03e1c chore(db): document partition-maintenance privilege model in 02_grants.sql 
Sync deployment-скрипта с прод-DB-состоянием после 23.05.2026 partition fix:
ALTER TABLE OWNER → crm_migrator на 7 audit-таблицах (выравнивает дрейф;
prod уже в этом состоянии) + GRANT crm_migrator TO crm_supplier_worker
WITH INHERIT TRUE — даёт maintenance-роли права создавать/дропать партиции
через MonthlyPartitionManager::DDL_CONNECTION = pgsql_supplier (commit
fd660da4). Web-роль crm_app_user остаётся least-privilege — членства не
получает.

Идемпотентно: повторный запуск 02_grants.sql безопасен.

Связано: fd660da4 (код-фикс).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-23 20:25:11 +03:00

174 lines
10 KiB
SQL
Raw Blame History

-- =============================================================================
-- 02_grants.sql — GRANT/REVOKE для 4 ролей Лидерры
-- =============================================================================
-- Версия: 1.0 (08.05.2026, фаза 1 backend multi-tenant фундамент)
-- Источник: schema.sql v8.5 §13 «Роли БД (CTO-5)» + §14 «АУДИТ APPEND-ONLY»
-- =============================================================================
--
-- НАЗНАЧЕНИЕ: deployment-скрипт для production. Запускается ПОСЛЕ:
-- 1. db/00_create_roles.sql — роли созданы
-- 2. db/schema.sql — таблицы/индексы/RLS-политики созданы (через `php artisan migrate`)
--
-- ЗАПУСК:
-- psql -U postgres -h <host> -d liderra -f db/02_grants.sql
-- (требуется superuser, т.к. GRANT/REVOKE на чужие объекты)
--
-- ВНИМАНИЕ: на **dev-машине** этот файл НЕ запускается — schema.sql §13 разрешает
-- использовать суперпользователя `postgres` для разработки. RLS-политики работают
-- через `current_setting('app.current_tenant_id')::bigint` — независимо от роли.
-- =============================================================================
-- =============================================================================
-- 1. crm_app_user — tenant-уровень приложения (RLS активна)
-- =============================================================================
GRANT USAGE ON SCHEMA public TO crm_app_user;
-- SELECT/INSERT/UPDATE/DELETE на ВСЕ таблицы (RLS-политики ограничат доступ
-- к чужим tenant-данным; saas-таблицы дополнительно закрыты REVOKE ниже)
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO crm_app_user;
-- USAGE на sequences (для BIGSERIAL nextval)
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO crm_app_user;
-- Default privileges для будущих таблиц/sequences (после миграций)
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO crm_app_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT USAGE, SELECT ON SEQUENCES TO crm_app_user;
-- v8.5 (OPEN-И-14) defense-in-depth: REVOKE ALL на 6 saas-таблицах.
-- К этим таблицам tenant-приложение НЕ должно иметь доступа даже теоретически
-- (RLS + REVOKE = 2 барьера).
REVOKE ALL ON saas_admin_users FROM crm_app_user;
REVOKE ALL ON saas_admin_sessions FROM crm_app_user;
REVOKE ALL ON saas_admin_audit_log FROM crm_app_user;
REVOKE ALL ON incidents_log FROM crm_app_user;
REVOKE ALL ON pd_subject_requests FROM crm_app_user;
REVOKE ALL ON impersonation_tokens FROM crm_app_user;
-- =============================================================================
-- 2. crm_admin_user — администрирование SaaS (BYPASSRLS)
-- =============================================================================
GRANT USAGE ON SCHEMA public TO crm_admin_user;
-- ВСЕ права crm_app_user + доступ к saas_admin_*, supplier_*, system_settings,
-- tariff_plans, legal_entities, payment_gateways
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO crm_admin_user;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO crm_admin_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO crm_admin_user;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT USAGE, SELECT ON SEQUENCES TO crm_admin_user;
-- Запрет DELETE на финансовых таблицах (только soft markers через UPDATE):
REVOKE DELETE ON balance_transactions FROM crm_admin_user;
REVOKE DELETE ON supplier_invoices FROM crm_admin_user;
REVOKE DELETE ON supplier_lead_costs FROM crm_admin_user;
REVOKE DELETE ON tenant_subscriptions FROM crm_admin_user;
-- =============================================================================
-- 3. crm_audit_writer — append-only audit (INSERT-only)
-- =============================================================================
-- UPDATE/DELETE дополнительно блокируются триггерами audit_block_mutation
-- (schema.sql §14). Двухслойная защита от tampering.
GRANT USAGE ON SCHEMA public TO crm_audit_writer;
GRANT INSERT ON auth_log TO crm_audit_writer;
GRANT INSERT ON activity_log TO crm_audit_writer;
GRANT INSERT ON pd_processing_log TO crm_audit_writer;
GRANT INSERT ON saas_admin_audit_log TO crm_audit_writer;
GRANT INSERT ON balance_transactions TO crm_audit_writer;
GRANT USAGE ON SEQUENCE auth_log_id_seq TO crm_audit_writer;
GRANT USAGE ON SEQUENCE activity_log_id_seq TO crm_audit_writer;
GRANT USAGE ON SEQUENCE pd_processing_log_id_seq TO crm_audit_writer;
GRANT USAGE ON SEQUENCE saas_admin_audit_log_id_seq TO crm_audit_writer;
GRANT USAGE ON SEQUENCE balance_transactions_id_seq TO crm_audit_writer;
-- crm_audit_writer НЕ имеет SELECT/UPDATE/DELETE/TRUNCATE — это специально.
-- Явно отзываем дефолтные привилегии PUBLIC, если такие есть:
REVOKE SELECT, UPDATE, DELETE, TRUNCATE ON auth_log FROM crm_audit_writer;
REVOKE SELECT, UPDATE, DELETE, TRUNCATE ON activity_log FROM crm_audit_writer;
REVOKE SELECT, UPDATE, DELETE, TRUNCATE ON pd_processing_log FROM crm_audit_writer;
REVOKE SELECT, UPDATE, DELETE, TRUNCATE ON saas_admin_audit_log FROM crm_audit_writer;
REVOKE SELECT, UPDATE, DELETE, TRUNCATE ON balance_transactions FROM crm_audit_writer;
-- =============================================================================
-- 4. crm_migrator — runtime миграций (BYPASSRLS, CREATEDB)
-- =============================================================================
-- Для запуска `php artisan migrate` в production без ослабления RLS.
GRANT USAGE, CREATE ON SCHEMA public TO crm_migrator;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO crm_migrator;
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO crm_migrator;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT ALL PRIVILEGES ON TABLES TO crm_migrator;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT ALL PRIVILEGES ON SEQUENCES TO crm_migrator;
-- =============================================================================
-- 5. crm_supplier_worker — backend queue worker (BYPASSRLS) — Plan 2.6 fix #iv
-- =============================================================================
-- Для запуска `php artisan queue:work` под отдельным .env (отдельным от web).
-- Cross-tenant операции: sharing-flow webhook routing (RouteSupplierLeadJob),
-- global crons (projects:reset-delivered-today, supplier:check-webhook-secret).
-- Web worker остаётся под crm_app_user (RLS-enforce). WHERE(tenant_id=) фильтры
-- в коде сохраняются как defense-in-depth даже под BYPASSRLS-ролью.
--
-- Brainstorm decision (10.05.2026 поздняя ночь): вариант C из 3 опций
-- (A=elevated DB-connection / B=RLS WITH-CHECK exception / C=BYPASSRLS-роль).
GRANT USAGE ON SCHEMA public TO crm_supplier_worker;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO crm_supplier_worker;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO crm_supplier_worker;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO crm_supplier_worker;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT USAGE, SELECT ON SEQUENCES TO crm_supplier_worker;
-- =============================================================================
-- v8.19 (Plan 4): supplier_csv_reconcile_log — SaaS-уровневый журнал CSV recon.
-- Используется CsvReconcileJob под crm_supplier_worker (BYPASSRLS).
-- =============================================================================
GRANT SELECT, INSERT, UPDATE ON TABLE supplier_csv_reconcile_log TO crm_supplier_worker;
GRANT USAGE, SELECT ON SEQUENCE supplier_csv_reconcile_log_id_seq TO crm_supplier_worker;
-- =============================================================================
-- 23.05.2026 (post hole #2): partition-maintenance privilege model
-- =============================================================================
-- `partitions:create-months` / `partitions:drop-expired` теперь идут через
-- `pgsql_supplier` connection (MonthlyPartitionManager::DDL_CONNECTION). Чтобы
-- `crm_supplier_worker` мог CREATE/DROP партиции партиционированных родителей,
-- нужны два условия:
-- 1. Единый владелец всех 9 партиционированных родителей — `crm_migrator`.
-- По умолчанию `schema.sql` создаёт audit-таблицы под `postgres` (load
-- выполняется суперпользователем при `migrate:fresh`); явный ALTER OWNER
-- ниже выравнивает прод (где это уже сделано вживую 23.05.2026) и
-- гарантирует, что fresh-deploy не разойдётся.
-- 2. `crm_supplier_worker` — член `crm_migrator` (INHERIT TRUE), чтобы
-- ownership-операции (CREATE TABLE ... PARTITION OF, DROP TABLE) проходили
-- проверку владельца. Web-роль `crm_app_user` остаётся least-privilege —
-- она НЕ получает crm_migrator-членство и НЕ может делать partition DDL.
--
-- Идемпотентно — повторный запуск 02_grants.sql после первого применения
-- безопасен.
-- =============================================================================
ALTER TABLE auth_log OWNER TO crm_migrator;
ALTER TABLE activity_log OWNER TO crm_migrator;
ALTER TABLE tenant_operations_log OWNER TO crm_migrator;
ALTER TABLE webhook_log OWNER TO crm_migrator;
ALTER TABLE balance_transactions OWNER TO crm_migrator;
ALTER TABLE pd_processing_log OWNER TO crm_migrator;
ALTER TABLE saas_admin_audit_log OWNER TO crm_migrator;
GRANT crm_migrator TO crm_supplier_worker WITH INHERIT TRUE;
Reference in New Issue View Git Blame Copy Permalink