diff --git a/database_admin/migrations/145_update_manager_privileges.down.sql b/database_admin/migrations/145_update_manager_privileges.down.sql
new file mode 100644
index 000000000..87faa9190
--- /dev/null
+++ b/database_admin/migrations/145_update_manager_privileges.down.sql
@@ -0,0 +1,14 @@
+REVOKE UPDATE ON system_inventory FROM manager;
+GRANT UPDATE ON system_inventory (stale) TO manager;
+
+REVOKE UPDATE ON system_patch FROM manager;
+GRANT UPDATE ON system_patch (
+ installable_advisory_count_cache,
+ installable_advisory_enh_count_cache,
+ installable_advisory_bug_count_cache,
+ installable_advisory_sec_count_cache,
+ applicable_advisory_count_cache,
+ applicable_advisory_enh_count_cache,
+ applicable_advisory_bug_count_cache,
+ applicable_advisory_sec_count_cache,
+ template_id) TO manager;
diff --git a/database_admin/migrations/145_update_manager_privileges.up.sql b/database_admin/migrations/145_update_manager_privileges.up.sql
new file mode 100644
index 000000000..0ca290a44
--- /dev/null
+++ b/database_admin/migrations/145_update_manager_privileges.up.sql
@@ -0,0 +1,2 @@
+GRANT UPDATE ON system_inventory TO manager;
+GRANT UPDATE ON system_patch TO manager;
diff --git a/database_admin/schema/create_schema.sql b/database_admin/schema/create_schema.sql
index 9e79bd882..1b67552e0 100644
--- a/database_admin/schema/create_schema.sql
+++ b/database_admin/schema/create_schema.sql
@@ -7,7 +7,7 @@ CREATE TABLE IF NOT EXISTS schema_migrations
 INSERT INTO schema_migrations
-VALUES (144, false);
+VALUES (145, false);
 -- ---------------------------------------------------------------------------
 -- Functions
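Review bot: The `GRANT UPDATE ON system_inventory (stale) TO manager;` on the second line looks redundant right after the REVOKE above it, but it is required: in PostgreSQL (the `?::uuid` cast in the Go hunk suggests that engine) a table-level REVOKE also drops every column-level privilege on that table, so without the re-grant the manager role would end up with less than it had before migration 145. A one-line comment would save the next reader that lookup, e.g. `-- a table-level REVOKE also removes column-level grants, so the original column-scoped UPDATE privileges are re-issued below`. The same applies to the system_patch block that follows; its column list must stay in sync with the column-scoped GRANT in create_schema.sql, whose head is outside this diff, or the revert would silently restore a different privilege set.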
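Review bot: Both GRANTs widen the manager role from a column-scoped UPDATE (`stale` on system_inventory; the advisory-count cache columns and template_id on system_patch, per the create_schema.sql hunks) to every column of both tables, and nothing in the migration records that this is a temporary workaround — the only explanation lives in a TODO in the Go controller. Add a header comment so the widening is not later mistaken for the intended end state, e.g. `-- Temporary: table-wide UPDATE so the manager can write through the system_platform view (INSTEAD OF UPDATE trigger); revert with the .down.sql once the SystemPlatform model is removed.` If the set of columns the view's trigger actually writes is known, a column list (`GRANT UPDATE (...) ON ... TO manager;`) would keep the privilege narrower than the whole table; which columns those are cannot be told from this diff.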
@@ -698,6 +698,7 @@ SELECT create_table_partitions('system_inventory', 16,
 GRANT SELECT, INSERT, UPDATE ON system_inventory TO listener;
 GRANT SELECT, UPDATE, DELETE ON system_inventory TO vmaas_sync; -- vmaas_sync performs system culling
 GRANT SELECT, UPDATE (stale) ON system_inventory TO manager; -- manager needs to be able to update opt_out column
+GRANT SELECT, UPDATE ON system_inventory TO manager; -- manager needs to be able to update opt_out column
 GRANT SELECT, UPDATE ON system_inventory TO evaluator;
 SELECT create_table_partition_triggers('system_inventory_set_last_updated',
@@ -1063,6 +1064,7 @@ GRANT SELECT, UPDATE (installable_advisory_count_cache,
 applicable_advisory_bug_count_cache,
 applicable_advisory_sec_count_cache,
 template_id) ON system_patch TO manager;
+GRANT SELECT, UPDATE ON system_patch TO manager;
 GRANT SELECT, UPDATE, DELETE ON system_patch to vmaas_sync; -- vmaas_sync performs system culling
 -- system_platform
diff --git a/manager/controllers/template_systems_update.go b/manager/controllers/template_systems_update.go
index f9ce4fd64..5f8581fd3 100644
--- a/manager/controllers/template_systems_update.go
+++ b/manager/controllers/template_systems_update.go
@@ -139,6 +139,9 @@ func assignTemplateSystems(c *gin.Context, db *gorm.DB, accountID int, template
 templateID = &template.ID
 }
+ // TODO: once SystemPlatform model is removed, revoke unnecessary manager privileges to system_inventory and
+ // system_patch tables. They were granted in migration 145 as a temporary fix to solve system_platform view instead
+ // of update trigger issues. Hint: have a look at 145_update_manager_privileges.down.sql
 tx = tx.Model(models.SystemPlatform{}).
 Where("rh_account_id = ? AND inventory_id IN (?::uuid)", accountID, inventoryIDs).
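Review bot: The comment copied onto the added line in the -698 hunk, `-- manager needs to be able to update opt_out column`, is misleading: that line grants UPDATE on every column of system_inventory, and the reason is the temporary system_platform view workaround, not the opt_out column. Reword it as `-- temporary: table-wide UPDATE for the system_platform view trigger workaround, see migration 145 and its .down.sql` so a later cleanup can find it. Once the table-wide grant exists, the column-scoped `GRANT SELECT, UPDATE (stale) ON system_inventory TO manager;` directly above it and the `... template_id) ON system_patch TO manager;` grant ending at the top of the -1063 hunk are redundant duplicates; either drop them or annotate them as the post-cleanup target, otherwise the schema file reads as though the narrower privilege still applied. The line added in the -1063 hunk has the same missing explanation.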
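Review bot: The TODO wording `solve system_platform view instead of update trigger issues` is hard to parse because "instead of update" is a trigger type, not prose; capitalising it and naming the revert makes the intent unambiguous. Suggested replacement for the three comment lines: `// TODO: once the SystemPlatform model is removed, revoke the manager privileges on system_inventory and system_patch` / `// that migration 145 granted as a temporary workaround for the INSTEAD OF UPDATE trigger on the system_platform view` / `// (see 145_update_manager_privileges.down.sql).` The assignTemplateSystems body begins before and continues past this hunk, so whether any other caller relies on the widened privilege cannot be judged here.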