Skip to content

Add skip_permissions_check option to Psycopack #45

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
timb07 merged 1 commit into from
Jun 30, 2025
Merged

Add skip_permissions_check option to Psycopack #45

timb07 merged 1 commit into from
Jun 30, 2025

Conversation

@timb07
Copy link
Contributor

@timb07 timb07 commented Jun 30, 2025
edited
Loading

Previously, the permissions check was done each time a Psycopack object was instantiated. The check looks for the permissions needed for the complete operation, including all the individual steps. However, one step, backfill(), doesn't require the much higher elevated permissions that the other steps require. Following the principle of least privilege, it might be desirable to run the backfill() step using a Postgres user with lower privileges than the user used for the other steps. (Backfilling only does DML operations, whereas most of the other steps do DDL operations that require higher privileges.)

This change adds a skip_permissions_check option to Psycopack which enables its use with a less-privileged Postgres user.

@timb07
Add skip_permissions_check option to Psycopack
9936730 
Previously, the permissions check was done each time a Psycopack object
was instantiated. The check looks for the permissions needed for the
complete operation, including all the individual steps. However, one
step, backfill(), doesn't require the much higher elevated permissions
that the other steps require. Following the principle of least privilege,
it might be desirable to run the backfill() step using a Postgres user
with lower privileges than the user used for the other steps.

This change adds a skip_permissions_check option to Psycopack which
enables its use with a less-privileged Postgres user.
@github-actions
Copy link

github-actions bot commented Jun 30, 2025

Coverage Report Results

Name Stmts Miss Branch BrPart Cover
src/psycopack/__init__.py 6 0 0 0 100%
src/psycopack/_commands.py 111 0 8 0 100%
src/psycopack/_conn.py 5 0 0 0 100%
src/psycopack/_const.py 3 0 0 0 100%
src/psycopack/_cur.py 24 0 2 0 100%
src/psycopack/_identifiers.py 12 0 2 0 100%
src/psycopack/_introspect.py 160 0 16 0 100%
src/psycopack/_logging.py 2 0 0 0 100%
src/psycopack/_psycopg.py 5 0 0 0 100%
src/psycopack/_registry.py 58 0 6 0 100%
src/psycopack/_repack.py 355 0 120 0 100%
src/psycopack/_tracker.py 165 0 36 0 100%
tests/conftest.py 19 0 0 0 100%
tests/factories.py 40 0 8 0 100%
tests/test_cur.py 20 0 2 0 100%
tests/test_fixtures.py 5 0 0 0 100%
tests/test_package.py 3 0 0 0 100%
tests/test_repack.py 708 0 0 0 100%
TOTAL 1701 0 200 0 100%

1 empty file skipped.

@timb07 timb07 requested review from Copilot and marcelofern June 30, 2025 03:12
Copilot AI reviewed Jun 30, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds a new option, skip_permissions_check, to the Psycopack class to allow bypassing permission checks when a less-privileged PostgreSQL user is used for the backfill step. Key changes include:

  • Modification of the Psycopack constructor in src/psycopack/_repack.py to accept and conditionally bypass permission checks.
  • Addition of a new test case in tests/test_repack.py to verify that when skip_permissions_check is set to True, the permissions check is not executed.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
tests/test_repack.py New test ensuring _check_user_permissions is not called when skip_permissions_check is enabled
src/psycopack/_repack.py Added skip_permissions_check parameter and conditional check to bypass permission validation
Comments suppressed due to low confidence (1)

src/psycopack/_repack.py:137

  • [nitpick] Consider adding documentation for the new 'skip_permissions_check' parameter in the class docstring and init method to clarify its intended usage.
        skip_permissions_check: bool = False,

@timb07 timb07 requested review from flpcury and s-cooper18 June 30, 2025 03:12
s-cooper18
s-cooper18 approved these changes Jun 30, 2025
View reviewed changes
Copy link

@s-cooper18 s-cooper18 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense

flpcury
flpcury approved these changes Jun 30, 2025
View reviewed changes
Copy link

@flpcury flpcury left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me as a workaround.
On the long-term it would be better to have more granular permission checking (permission to instantiate Psycopack != permission to backfill != permission to sync schemas, etc). That way, there should never be a use case for skipping permission checking

@timb07 timb07 merged commit 62378a6 into main Jun 30, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@s-cooper18 s-cooper18 s-cooper18 approved these changes

@flpcury flpcury flpcury approved these changes

@marcelofern marcelofern Awaiting requested review from marcelofern

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@timb07 @s-cooper18 @flpcury