Skip to content

fix: Properly distribute analytics postgres user #1023

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
adskyiproger merged 2,094 commits into from
Sep 19, 2025
Merged

fix: Properly distribute analytics postgres user #1023

adskyiproger merged 2,094 commits into from
Sep 19, 2025

Conversation

@adskyiproger
Copy link
Contributor

@adskyiproger adskyiproger commented Sep 19, 2025
edited
Loading

Description

Postgres admin permissions are mixed with analytics user. Goal of this PR is to separate permissions:

  • Postgres admin remain responsible for:
    • backup
    • restore
    • migration
  • analytics user will be responsible for it's own stuff in countryconfig

Test results

Environment is available at: https://fix-analytics.opencrvs.dev/

Checklist

  • I have linked the correct Github issue under "Development"
  • I have tested the changes locally, and written appropriate tests
  • I have tested beyond the happy path (e.g. edge cases, failure paths)
  • I have updated the changelog with this change (if applicable)
  • I have updated the GitHub issue status accordingly

jamil314 and others added 30 commits August 28, 2025 14:22
@jamil314
Merge branch 'ocrvs-10054' of https://github.com/opencrvs/opencrvs-co…
2d623f7 
…untryconfig into ocrvs-10054
@cibelius
fix tests
79523eb
@github-actions
Merge remote-tracking branch 'upstream/develop' into develop
849f73b
@cibelius
Merge pull request #1635 from opencrvs/ocrvs-10263
6155420 
Fix tests for ocrvs-10263
@cibelius
progress with tests
9816379
@cibelius
add test
d7a9532
@jamil314
Merge branch 'develop' into ocrvs-10054
4809390
@jamil314
Merge branch 'ocrvs-10054' of https://github.com/opencrvs/opencrvs-co…
15ea9be 
…untryconfig into ocrvs-10054
@makelicious
chore: add markus to e2e users
ca58f6e
@cibelius
add testcase
29937e9
@jamil314
fix: tests
594622c
@jamil314
Merge branch 'ocrvs-10054' of https://github.com/opencrvs/opencrvs-co…
4b3d913 
…untryconfig into ocrvs-10054
@makelicious
Merge pull request #1637 from opencrvs/chore/add-markus-to-e2e-server
b9746df 
chore: add markus to e2e users
@naftis
Merge branch 'metabase' of github.com:opencrvs/opencrvs-countryconfig…
9ff1ff7 
… into metabase
@jamil314
Merge pull request #1631 from opencrvs/ocrvs-10054
dc6a96f 
feat: Trigger notification for events
@github-actions
Merge remote-tracking branch 'upstream/develop' into develop
ed513fc
@github-actions
Merge remote-tracking branch 'upstream/develop' into develop
f66d2a9
@cibelius
fix tests
148c877
@cibelius
Merge branch 'develop' into ocrvs-9829
c35a30f
@jamil314
infra: add jamil as a user in v19-alpha-prod
60a9fc8
@jamil314
infra: add tameem as a user in v19-alpha-prod
39aa1f5
@rikukissa
add extra timeout for record details updating after approving a request
1940679
@naftis
Merge branch 'develop' of https://github.com/opencrvs/opencrvs-faraja…
8cbc132 
…land into metabase
@naftis
Merge branch 'metabase' of https://github.com/opencrvs/opencrvs-count…
fbd2536 
…ryconfig into metabase
@github-actions
Merge remote-tracking branch 'upstream/develop' into develop
3b00eaa
@naftis
Merge branch 'metabase' of https://github.com/opencrvs/opencrvs-count…
2ec643b 
…ryconfig into metabase
@cibelius
Merge pull request #1638 from opencrvs/ocrvs-9829
8121cfd 
e2e testing: Notification API requires 'createdAtLocation'
@naftis
Merge branch 'metabase' of https://github.com/opencrvs/opencrvs-count…
c1c7c3f 
…ryconfig into metabase
@github-actions
Merge remote-tracking branch 'upstream/develop' into develop
31ec7b1
@naftis
Merge branch 'metabase' of https://github.com/opencrvs/opencrvs-count…
213cf18 
…ryconfig into metabase
jamil314 and others added 20 commits September 18, 2025 15:34
@jamil314
Merge branch 'develop' of https://github.com/opencrvs/opencrvs-countr…
a753d9e 
…yconfig into sync-fork-18-09
@jamil314
Merge pull request #1692 from opencrvs/sync-fork-18-09
e3efddf 
Sync fork 18 09
@github-actions
Merge remote-tracking branch 'upstream/develop' into develop
bdde85d
@github-actions
Merge remote-tracking branch 'upstream/develop' into develop
e512f55
@cibelius
try with superuser credentials
bad73c9
@cibelius
Merge remote-tracking branch 'upstream/use-postgres-superuser-credent…
b3a5fe6 
…ials' into use-postgres-superuser-credentials
@github-actions
Merge remote-tracking branch 'upstream/develop' into develop
25fa95d
@cibelius
Merge branch 'develop' into use-postgres-superuser-credentials
5811791
@cibelius
Merge pull request #1694 from opencrvs/use-postgres-superuser-credent…
b7bcdd4 
…ials

Use postgres superuser credentials
@cibelius
fix shell script env check
bb40c74
@cibelius
Merge pull request #1695 from opencrvs/use-postgres-superuser-credent…
fbfad07 
…ials

fix shell script env check
@github-actions
Merge remote-tracking branch 'upstream/develop' into develop
18b0ecd
@github-actions
Merge remote-tracking branch 'upstream/develop' into develop
763e635
@Zangetsu101
Merge branch 'develop' of github.com:opencrvs/opencrvs-countryconfig …
18b23f7 
…into merge-cc-dev-to-far
@Zangetsu101
chore: allow V2_EVENTS to be set via env variable
f2c6799
@Zangetsu101
chore: enable 2FA on v19-beta-prod
e65363c
@Zangetsu101
Merge pull request #1696 from opencrvs/merge-cc-dev-to-far
962c0c9 
Merge cc dev to far
@Zangetsu101
chore: enable v2 by default on v19-beta-prod
f6593a5
@Zangetsu101
chore: provide tameem access to v19-prod
62ceadc
@adskyiproger
fix: Properly distribute analytics postgres user
db7896f
@github-actions

This comment has been minimized.

Sign in to view
Zangetsu101
Zangetsu101 approved these changes Sep 19, 2025
View reviewed changes
Copy link
Contributor

@Zangetsu101 Zangetsu101 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we are still using ANALYTICS_POSTGRES_USER in some of the compose files, which should be removed if we are gonna generate the username. As during the deploy, it errors if the ANALYTICS_POSTGRES_USER is not present in the github environment currently

infrastructure/deployment/deploy.sh
export EVENTS_APP_POSTGRES_PASSWORD=`generate_password`
export EVENTS_MIGRATOR_POSTGRES_PASSWORD=`generate_password`
export ANALYTICS_POSTGRES_PASSWORD=`generate_password`
export ANALYTICS_POSTGRES_USER=`generate_password`
Copy link
Contributor

@Zangetsu101 Zangetsu101 Sep 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So user name is also rotated?

Copy link
Member

@naftis naftis Sep 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be honest, I don't know what is generally the convention. In our codebase we sometimes rotate usernames but for Postgres we haven't yet? Feel free to do like you wish.

May help with onboarding if they don't need to decide username for this?

❗ I don't think setup-analytics.sh supports altering usernames

Copy link
Contributor Author

@adskyiproger adskyiproger Sep 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right and static user name will work better,
I did tested data seed, deploy, but just imagine situation when you do rotation every time on real environment?

What will happen after 10 sequential deployments?
10 different users with same privileges

I will drop this line, but where should we store analytics user name?

We are using hardcoded user name for events app and migrator

Copy link
Member

@naftis naftis Sep 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The roles are altered on setup-analytics.sh, no new ones should be created. So that's fine?

Initially I did write the setup-analytics.sh with events_analytics username to keep up with the convention. I'm not sure why Riku changed it to a variable, maybe to help with the same issue why we now replace the variables in core .sql files?

Copy link
Contributor Author

@adskyiproger adskyiproger Sep 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Kept events_analytics user name for consistency with events_app and events_migratior

@adskyiproger adskyiproger merged commit 225111f into develop Sep 19, 2025
5 of 6 checks passed
@adskyiproger adskyiproger deleted the fix-analytics-user branch September 19, 2025 13:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@naftis naftis naftis left review comments

@Zangetsu101 Zangetsu101 Zangetsu101 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.