RHINENG-24787: narrow manager db privileges

TenSt · TenSt · commit b21cf434d1e0 · 2026-04-20T13:58:49.000+02:00
diff --git a/database_admin/migrations/152_narrow_manager_inventory_patch_privileges.down.sql b/database_admin/migrations/152_narrow_manager_inventory_patch_privileges.down.sql
@@ -0,0 +1,5 @@
+REVOKE UPDATE ON system_patch FROM manager;
+GRANT UPDATE ON system_patch TO manager;
+
+REVOKE UPDATE ON system_inventory FROM manager;
+GRANT UPDATE ON system_inventory TO manager;
diff --git a/database_admin/migrations/152_narrow_manager_inventory_patch_privileges.up.sql b/database_admin/migrations/152_narrow_manager_inventory_patch_privileges.up.sql
@@ -0,0 +1,16 @@
+-- Restore least-privilege grants for manager after migration 145 temporarily
+-- broadened them for system_platform view/trigger updates (removed in 151).
+REVOKE UPDATE ON system_inventory FROM manager;
+GRANT UPDATE (stale) ON system_inventory TO manager;
+
+REVOKE UPDATE ON system_patch FROM manager;
+GRANT UPDATE (
+    installable_advisory_count_cache,
+    installable_advisory_enh_count_cache,
+    installable_advisory_bug_count_cache,
+    installable_advisory_sec_count_cache,
+    applicable_advisory_count_cache,
+    applicable_advisory_enh_count_cache,
+    applicable_advisory_bug_count_cache,
+    applicable_advisory_sec_count_cache,
+    template_id) ON system_patch TO manager;
diff --git a/database_admin/schema/create_schema.sql b/database_admin/schema/create_schema.sql
@@ -7,7 +7,7 @@ CREATE TABLE IF NOT EXISTS schema_migrations
 
 
 INSERT INTO schema_migrations
-VALUES (151, false);
+VALUES (152, false);
 
 -- ---------------------------------------------------------------------------
 -- Functions
@@ -603,8 +603,7 @@ SELECT create_table_partitions('system_inventory', 16,
 
 GRANT SELECT, INSERT, UPDATE ON system_inventory TO listener;
 GRANT SELECT, UPDATE, DELETE ON system_inventory TO vmaas_sync; -- vmaas_sync performs system culling
-GRANT SELECT, UPDATE (stale) ON system_inventory TO manager; -- manager needs to be able to update opt_out column
-GRANT SELECT, UPDATE ON system_inventory TO manager; -- manager needs to be able to update opt_out column
+GRANT SELECT, UPDATE (stale) ON system_inventory TO manager;
 GRANT SELECT, UPDATE ON system_inventory TO evaluator;
 
 SELECT create_table_partition_triggers('system_inventory_set_last_updated',
@@ -970,7 +969,6 @@ GRANT SELECT, UPDATE (installable_advisory_count_cache,
               applicable_advisory_bug_count_cache,
               applicable_advisory_sec_count_cache,
               template_id) ON system_patch TO manager;
-GRANT SELECT, UPDATE ON system_patch TO manager;
 GRANT SELECT, UPDATE, DELETE ON system_patch to vmaas_sync; -- vmaas_sync performs system culling
 
 -- ----------------------------------------------------------------------------
diff --git a/manager/controllers/template_systems_update.go b/manager/controllers/template_systems_update.go
@@ -139,8 +139,6 @@ func assignTemplateSystems(c *gin.Context, db *gorm.DB, accountID int, template
 		templateID = &template.ID
 	}
 
-	// TODO: Revisit migration 145 manager privileges on system_inventory/system_patch; they were tied to
-	// system_platform view/update-trigger work and may be narrower now that template_id is updated on system_patch.
 	siSub := tx.Model(&models.SystemInventory{}).
 		Select("id").
 		Where("rh_account_id = ? AND inventory_id IN (?::uuid)", accountID, inventoryIDs)

Original file line number	Diff line number	Diff line change
`@@ -139,8 +139,6 @@ func assignTemplateSystems(c gin.Context, db gorm.DB, accountID int, template`
`139`	`139`	`templateID = &template.ID`
`140`	`140`	`}`
`141`	`141`
`142`		`- // TODO: Revisit migration 145 manager privileges on system_inventory/system_patch; they were tied to`
`143`		`- // system_platform view/update-trigger work and may be narrower now that template_id is updated on system_patch.`
`144`	`142`	`siSub := tx.Model(&models.SystemInventory{}).`
`145`	`143`	`Select("id").`
`146`	`144`	`Where("rh_account_id = ? AND inventory_id IN (?::uuid)", accountID, inventoryIDs)`