This post goes through the steps needed for creating a (fairly) secure link between users, processes and the postgres database of Karttur´s GeoImagine Framework.
Prerequisites
To follow this post you must have the complete Spatial Data Integrated Development Environment (SPIDE) installed as described in the blog Install and setup spatial data IDE.
Connect Python and PostgreSQL
Karttur´s GeoImagine Framework relies on a postgres database that holds information on all processes parameters as well as all data. The installation of the postgres database should already have been done as described in the blogpost Install postgreSQL and postGIS. Then you must also have installed and setup psycopg for connecting Python to postgres. If you followed the post on Conda virtual environments, psycopg will be part of your Python environment.
Principal solution
At this point you need to set the login and password of the users that will access different parts of the postgres database. In principal each schema of the database is managed by a different role (user), but with some exception and some crossover capacity granted to different roles.
At present the Framework contains the following roles (apart from the superusers):
processread
userread
regionread
processmanage
manageregion
manageuserproj
manageancillary
managemodis
managesenitnel
managelandsat
managesmap
managesoilmoisture
managelayout
manageexport
The actual running of the process and setting up of the roles is covered in the setup post on Set up the database (setup_db). And is done from within the Framework itself. This post only describes how to define the roles, both in a json file (that will be accessed from the Framework when defining the roles in the post as explained in the post on Set up the database (setup_db)) and in the system default .netrc file used for storing the passwords associated with each role.
Defining roles
The json file that defines the database roles is included in the GitHub repo geoimagine02-setup_db package under the path doc/jsonsql/general_grant_v090_sql.json. The content of this json file is also available under “Hide/show” button below. You need to create your own copy of this file and set your own passwords for each role. If you want to change the principal system solution with one role for each schema, say to a single role dealing with everything, you can do that by giving all the rights to the same role. And then also give this role as the “HOST” in each module under the package postgresdb.
Note that the process grant is not defined in the database, but a stand alone process and can only be run from the package setup_db. Explained in detail in the setup post on Set up the database (setup_db).
<?xml version='1.0' encoding='utf-8'?>
<sql>
<!-- SQL xml read by geomimagine subpackage db_setup -->
<!-- GRANTS rights to various db users -->
<process processid ='grant'>
<parameters db = 'karttur' user='processread' pswd='jii8ubise'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA process TO processread;
GRANT SELECT ON ALL TABLES IN SCHEMA process TO processread;
GRANT USAGE ON SCHEMA regions TO processread;
GRANT SELECT ON regions.sites, regions.tracts, regions.defregions TO processread;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='processmanage' pswd='31tjiir8ubise'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA process TO processmanage;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA process TO processmanage;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='userread' pswd='jii8iuWH87HUDd'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA userlocale TO userread;
GRANT SELECT ON ALL TABLES IN SCHEMA userlocale TO userread;
GRANT USAGE ON SCHEMA regions TO userread;
GRANT SELECT ON regions.tracts, regions.sites, regions.defregions TO userread;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='manageuserproj' pswd='jWe-TW4-80m-JUH-'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA userlocale TO manageuserproj;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA userlocale TO manageuserproj;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA userlocale TO manageuserproj;
GRANT USAGE ON SCHEMA regions TO manageuserproj;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA regions TO manageuserproj;
GRANT USAGE ON SCHEMA system TO manageuserproj;
GRANT SELECT ON system.regions,system.regioncats,system.defregions TO manageuserproj;
GRANT USAGE ON SCHEMA ancillary TO manageuserproj;
GRANT SELECT ON ALL TABLES IN SCHEMA ancillary TO manageuserproj;
GRANT USAGE ON SCHEMA modis TO manageuserproj;
GRANT SELECT ON modis.tilecoords TO manageuserproj;
GRANT SELECT, INSERT, UPDATE, DELETE ON modis.regions TO manageuserproj;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='managelayout' pswd='jWE-TW4-90m-JUH-'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA layout TO managelayout;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA layout TO ManageLayout;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='managemodis' pswd='95y-tbh-GgG-0BJ'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA modis TO managemodis;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA modis TO managemodis;
GRANT USAGE ON SCHEMA regions TO managemodis;
GRANT SELECT ON ALL TABLES IN SCHEMA regions TO managemodis;
GRANT USAGE ON SCHEMA system TO managemodis;
GRANT SELECT ON ALL TABLES IN SCHEMA system TO managemodis;
GRANT USAGE ON SCHEMA regions TO managemodis;
GRANT SELECT ON ALL TABLES IN SCHEMA regions TO managemodis;
GRANT USAGE ON SCHEMA ancillary TO managemodis;
GRANT SELECT ON ALL TABLES IN SCHEMA ancillary TO managemodis;
GRANT USAGE ON SCHEMA smap TO managemodis;
GRANT SELECT ON ALL TABLES IN SCHEMA smap TO managemodis;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='manageregion' pswd='w94-388-uhH-5UH'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA regions TO manageregion;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA REGIONS TO manageregion;
GRANT USAGE ON SCHEMA system TO manageregion;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA SYSTEM TO manageregion;
GRANT USAGE ON SCHEMA ancillary TO manageregion;
GRANT SELECT ON ALL TABLES IN SCHEMA ancillary TO manageregion;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='manageancillary' pswd='w94-3R8-uhH-5CH'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA system TO manageancillary;
GRANT SELECT ON ALL TABLES IN SCHEMA SYSTEM TO manageancillary;
GRANT USAGE ON SCHEMA ancillary TO manageancillary;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA ancillary TO manageancillary;
GRANT USAGE ON SCHEMA climateindex TO manageancillary;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA climateindex TO manageancillary;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='formatread' pswd='jii-8ub-ise'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA process TO formatread;
GRANT SELECT ON process.celltypes, process.gdalformat TO formatread;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='regionread' pswd='84i-oOH-thf-tj1'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA regions TO regionread;
GRANT SELECT ON ALL TABLES IN SCHEMA regions TO regionread;
GRANT SELECT ON ALL TABLES IN SCHEMA system TO regionread;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='managesoilmoisture' pswd='w84-3R8-uhH-5DH'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA soilmoisture TO managesoilmoisture;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA soilmoisture TO managesoilmoisture;
GRANT USAGE ON SCHEMA climateindex TO manageancillary;
GRANT SELECT ON ALL TABLES IN SCHEMA climateindex TO managesoilmoisture;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='managesentinel' pswd='95d-tBh-GuG-0mJ'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA sentinel TO managesentinel;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA sentinel TO managesentinel;
GRANT USAGE ON SCHEMA regions TO managesentinel;
GRANT SELECT ON ALL TABLES IN SCHEMA regions TO managesentinel;
GRANT USAGE ON SCHEMA system TO managesentinel;
GRANT SELECT ON ALL TABLES IN SCHEMA system TO managesentinel;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='managelandsat' pswd='95t-gBh-GuG-1RM'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA landsat TO managelandsat;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA landsat TO managelandsat;
GRANT USAGE ON SCHEMA regions TO managelandsat;
GRANT SELECT ON ALL TABLES IN SCHEMA regions TO managelandsat;
GRANT USAGE ON SCHEMA system TO managelandsat;
GRANT SELECT ON ALL TABLES IN SCHEMA system TO managelandsat;
GRANT USAGE ON SCHEMA ancillary TO managelandsat;
GRANT SELECT ON ALL TABLES IN SCHEMA ancillary TO managelandsat;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='managesmap' pswd='95t-gBh-GuG-6RM'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA smap TO managesmap;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA smap TO managesmap;
GRANT USAGE ON SCHEMA regions TO managesmap;
GRANT SELECT ON ALL TABLES IN SCHEMA regions TO managesmap;
GRANT USAGE ON SCHEMA system TO managesmap;
GRANT SELECT ON ALL TABLES IN SCHEMA system TO managesmap;
GRANT USAGE ON SCHEMA ancillary TO managesmap;
GRANT SELECT ON ALL TABLES IN SCHEMA ancillary TO managesmap;
</command>
</process>
<process processid ='grant'>
<parameters db = 'karttur' user='manageexport' pswd='98k-gBh-GuB-6RM'></parameters>
<overwrite>N</overwrite>
<delete>N</delete>
<command>
GRANT USAGE ON SCHEMA system TO manageexport;
GRANT SELECT ON ALL TABLES IN SCHEMA system TO manageexport;
GRANT USAGE ON SCHEMA ancillary TO manageexport;
GRANT SELECT ON ALL TABLES IN SCHEMA ancillary TO manageexport;
GRANT USAGE ON SCHEMA smap TO manageexport;
GRANT SELECT ON ALL TABLES IN SCHEMA smap TO manageexport;
GRANT USAGE ON SCHEMA landsat TO manageexport;
GRANT SELECT ON ALL TABLES IN SCHEMA modis TO manageexport;
GRANT USAGE ON SCHEMA modis TO manageexport;
GRANT SELECT ON ALL TABLES IN SCHEMA modis TO manageexport;
GRANT USAGE ON SCHEMA regions TO manageexport;
GRANT SELECT ON ALL TABLES IN SCHEMA regions TO manageexport;
GRANT USAGE ON SCHEMA layout TO manageexport;
GRANT SELECT ON ALL TABLES IN SCHEMA layout TO manageexport;
</command>
</process>
</sql>
Login and password (.netrc)
Karttur’s GeoImagine Framework standard solution for database access at runtime is to read the credentials from a .netrc file. You have to create your own .netrc file that gives the same roles and passwords as you gave in the xml file above. The .netrc file should be in your home folder and you can edit it by using pico. You can copy, paste and edit the text under the “Hide/show” button below to your own .netrc file.
You should now have corresponding roles, passwords and rights for operating the Framework database. In summary:
Roles, passwords and their granted rights are defined in a json file.
Different roles are used for accessing and editing different schemas in the database. The linking of processes and database roles is hardcoded, and to change that you need to edit the modules in the postgresdb package.
At runtime the name and password of each role is accessed from a .netrc file that must have access codes, role names and role passwords that corresponds to the definitions in the xml file and the modules of the postgresdb package.
If you decided to keep the default roles, role names, passwords and codes, all the parts should correspond. If you changed the name, passwords and grants, the Framework will report errors and you can update any mistakes when you account them.