grant.rs

An open-source project that aims to manage Redshift database roles and privileges in GitOps style, written in Rust.

This project is still in the early stages of development and is not ready for any kind of production use or any alpha/beta testing.

Usage

Install binary from crates.io

bash cargo install grant

Using grant tool:

```bash $ grant --help

grant 0.0.1-beta.2 Manage database roles and privileges in GitOps style

USAGE: grant

FLAGS: -h, --help Prints help information -V, --version Prints version information

SUBCOMMANDS: apply Apply a configuration to a redshift by file name. Yaml format are accepted gen Generate sample configuration file gen-pass Generate random password help Prints this message or the help of the given subcommand(s) inspect Inspect current database cluster with connection info from configuration file validate Validate a configuration file or a target directory that contains configuration files ```

Generate project structure

```bash grant gen --target ./cluster

Creating path: "./cluster" Generated: "./cluster/config.yml" ```

Apply privilege changes

Content of ./examples/example.yaml:

```yaml connection: type: "postgres" # support environment variables, e.g. postgres://${HOSTNAME}:5432 url: "postgres://postgres@localhost:5432/postgres"

roles: - name: roledatabaselevel type: database grants: - CREATE - TEMP databases: - postgres

• name: roleschemalevel type: schema grants:
  • CREATE databases:
  • postgres schemas:
  • public
• name: roleallschema type: table grants:
  • SELECT
  • INSERT
  • UPDATE databases:
  • postgres schemas:
  • public tables:
  • ALL

users: - name: duyet password: 1234567890 # password in plaintext roles: - roledatabaselevel - roleallschema - roleschemalevel - name: duyet2 password: md58243e8f5dfb84bbd851de920e28f596f # support md5 style: grant gen-pass -u duyet2 roles: - roledatabaselevel - roleallschema - roleschemalevel ```

Apply this config to cluster:

```bash grant apply -f ./examples/example.yaml

[2021-12-06T14:37:03Z INFO grant::connection] Connected to database: postgres://postgres@localhost:5432/postgres [2021-12-06T14:37:03Z INFO grant::apply] Summary: ┌────────────┬───────────────────────────┐ │ User │ Action │ │ --- │ --- │ │ duyet │ update password │ │ duyet2 │ update password │ └────────────┴───────────────────────────┘

[2021-12-06T14:37:03Z INFO grant::apply] Summary: ┌────────┬───────────────────────────────────────────────────────────┬─────────┐ │ User │ Database Privilege │ Action │ │ --- │ --- │ --- │ │ duyet │ privileges role_database_level for database: ["postgre+ │ updated │ │ duyet2 │ privileges role_database_level for database: ["postgre+ │ updated │ └────────┴───────────────────────────────────────────────────────────┴─────────┘

[2021-12-06T14:37:03Z INFO grant::apply] Summary: ┌────────┬───────────────────────────────────────────────────────┬─────────┐ │ User │ Schema Privileges │ Action │ │ --- │ --- │ --- │ │ duyet │ privileges role_schema_level for schema: ["public"] │ updated │ │ duyet2 │ privileges role_schema_level for schema: ["public"] │ updated │ └────────┴───────────────────────────────────────────────────────┴─────────┘

[2021-12-06T14:37:03Z INFO grant::apply] Summary: ┌────────┬─────────────────────────────────────────────────┬─────────┐ │ User │ Table Privileges │ Action │ │ --- │ --- │ --- │ │ duyet │ privileges role_all_schema for table: ["ALL"] │ updated │ │ duyet2 │ privileges role_all_schema for table: ["ALL"] │ updated │ └────────┴─────────────────────────────────────────────────┴─────────┘ ```

Generate random password

```bash $ grant gen-pass

Generated password: q)ItTjN$EXlkF@Tl ```

```bash $ grant gen-pass --user duyet

Generated password: o^b3aD1L$xLm%#~U Generated MD5 (user: duyet): md58243e8f5dfb84bbd851de920e28f596f ```

Inspect the current cluster

```bash $ grant inspect -f examples/example.yaml

[2021-11-29T07:46:44Z INFO grant::inspect] Current users in postgres://postgres@localhost:5432/postgres: ┌────────────┬──────────┬───────┬──────────┐ │ User │ CreateDB │ Super │ Password │ │ --- │ --- │ --- │ --- │ │ postgres │ true │ true │ * │ │ duyet │ false │ false │ * │ └────────────┴──────────┴───────┴──────────┘ ```

Developement

Clone the repo:

bash git clone https://github.com/duyet/grant.rs && cd grant.rs

Postgres is required for testing, you might need to use the docker-compose.yaml:

bash docker-compose up -d

Make sure you have connection to postgres://postgres:postgres@localhost:5432/postgres.

On the MacOS, the easiest way is install Postgres.app.

To run the unittest:

bash cargo test

TODO

• [x] Support reading connection info from environment variables
• [ ] Support store encrypted password in Git
• [x] Support Postgres and Redshift
• [ ] Support change password
• [ ] Visuallization (who can see what?)
• [ ] Apply show more detail about diff changes
• [ ] Inspect show more detail about user privileges

LICENSE

MIT