DB accounts for production setup

ewv · 21 September 2023 20:45

We’re getting ready to set up what might be one of our final databases, so I’d like to get the account permissions correct. Does CERN allow the account CTA normally runs with to also create tables and so forth? Or do you run the create schema and upgrade processes with an account with more privileges than the account normally used by the frontend?

Thanks,

Eric

jleduc · 21 September 2023 21:38

Hello Eric,
At CERN CTA catalogue account can create tables and we use it to perform liquibase schema upgrades (from production servers only).
We use a separate readonly account for namespace comparisons and DB cloning operations.

The current rules are:

only operations conducted on production servers: running CTA instance or containerized schema upgrade procedures running on production servers can use production credentials
anything that runs outside of production servers: containerized EOSCTA/CTA namespace reconciliation in kubernetes, production clone schema upgrade tests in CI,… can use up to read only access to production DB if absolutely needed (most of the time production DB clone access is enough).

Basically processes and containerized procedure are allowed to consume local credentials only: if you mess with production you must do it on production servers with locally configured credentials.

With these rules there is absolutely no valid reason to spread production credentials outside of the production infrastructure.

Cheers,
Julien

ewv · 22 September 2023 16:08

OK, thanks. That helps.