Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Postgres 15 requires a Schema during installation #12768

Closed
Alef-Burzmali opened this issue May 31, 2023 · 4 comments · Fixed by #13172
Closed

Postgres 15 requires a Schema during installation #12768

Alef-Burzmali opened this issue May 31, 2023 · 4 comments · Fixed by #13172
Assignees
Labels
status: accepted This issue has been accepted for implementation type: documentation A change or addition to the documentation

Comments

@Alef-Burzmali
Copy link
Contributor

Alef-Burzmali commented May 31, 2023

Change Type

Correction

Area

Installation/upgrade

Proposed Changes

With the next Debian release coming with Postgres 15 as the default version, there is an interesting change for the configuration of the database for Django. With the current installation steps, you have a "permission denied for schema public" error during the initial migration.

I'll paraphrase my source: https://gist.github.com/axelbdt/74898d80ceee51b69a16b575345e8457

In Postgres 15 release announcement:

Remove PUBLIC creation permission on the public schema (Noah Misch)
The new default is one of the secure schema usage patterns that Section 5.9.6 has recommended...

In practice, it means that the configuration block in configuration_example.py for the database should be changed to:

DATABASE = {
    'ENGINE': 'django.db.backends.postgresql',  # Database engine
    'NAME': 'netbox',         # Database name
    'USER': '',               # PostgreSQL username
    'PASSWORD': '',           # PostgreSQL password
    'HOST': 'localhost',      # Database server
    'PORT': '',               # Database port (leave blank for default)
    'CONN_MAX_AGE': 300,      # Max database connection age
    'OPTIONS': {
        'options': '-c search_path=netbox',
    }
}

and in the instructions to create the database in PostgreSQL Database Installation:

CREATE DATABASE netbox;
CREATE USER netbox WITH PASSWORD 'J5brHrAXFLQSif0K';
\connect netbox;
CREATE SCHEMA netbox AUTHORIZATION netbox;

As far as I know, these changes are also compatible with Postgres <15. Also, I have not found any bug or issue with this configuration on my test server with Postgres 15.

I do not have (yet) the systems needed to test what happens during a migration from an older Postgres version to Postgres 15 and if some specific actions would be required.

@Alef-Burzmali Alef-Burzmali added the type: documentation A change or addition to the documentation label May 31, 2023
@DanSheps
Copy link
Member

DanSheps commented Jun 5, 2023

I believe we are currently documenting the lowest netbox supported Postgres version in our documentation.

This "secure schema" pattern isn't something netbox really requires. NetBox, from a database perspective, is a single user application. It would make far more sense to instead do this the third point recommended under Usage Patterns:

Keep the default search path, and grant privileges to create in the public schema. All users access the public schema implicitly. This simulates the situation where schemas are not available at all, giving a smooth transition from the non-schema-aware world. However, this is never a secure pattern. It is acceptable only when the database has a single user or a few mutually-trusting users. In databases upgraded from PostgreSQL 14 or earlier, this is the default.

This would instead change the instructions to (I think, I would need to confirm):

CREATE DATABASE netbox;
CREATE USER netbox WITH PASSWORD 'J5brHrAXFLQSif0K';
ALTER DATABASE netbox OWNER TO netbox;
\connect netbox;
GRANT CREATE ON SCHEMA public TO netbox

@Alef-Burzmali
Copy link
Contributor Author

It makes sense. Certainly, installing a second application on the same database as NetBox is not a standard installation.

I've tested your commands, they work on a new installation. You just need to add a missing ; at the end of the last one.

@DanSheps
Copy link
Member

DanSheps commented Jun 7, 2023

Awesome, thanks for testing. I would say we should update the docs with the extra step(s) required for this change.

@DanSheps DanSheps added the status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation label Jun 7, 2023
@Alef-Burzmali
Copy link
Contributor Author

Hello. Happy to prepare a PR for this, if you want to assign this issue to me.

@jsenecal jsenecal added status: accepted This issue has been accepted for implementation and removed status: needs owner This issue is tentatively accepted pending a volunteer committed to its implementation labels Jul 12, 2023
Alef-Burzmali added a commit to Alef-Burzmali/netbox that referenced this issue Jul 12, 2023
Alef-Burzmali added a commit to Alef-Burzmali/netbox that referenced this issue Jul 12, 2023
jeremystretch pushed a commit that referenced this issue Jul 27, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
status: accepted This issue has been accepted for implementation type: documentation A change or addition to the documentation
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants