Create and use LAYMAN_ROLE_SERVICE_URI env

LayerManager · Dec 5, 2023 · e3b14ce · e3b14ce
1 parent 9156450
commit e3b14ce
Show file tree

Hide file tree

Showing 7 changed files with 15 additions and 6 deletions.
diff --git a/.env.demo b/.env.demo
@@ -16,6 +16,7 @@ LAYMAN_AUTHN_MODULES=layman.authn.http_header
 LAYMAN_AUTHN_HTTP_HEADER_NAME=a0468616f9968eaecdc3377988aba650
 GRANT_CREATE_PUBLIC_WORKSPACE=EVERYONE
 GRANT_PUBLISH_IN_PUBLIC_WORKSPACE=EVERYONE
+LAYMAN_ROLE_SERVICE_URI=postgresql://docker:docker@postgresql:5432/layman_test?schema=_role_service
 
 # connection parameters to PostgreSQL database
 LAYMAN_PG_HOST=postgresql

diff --git a/.env.dev b/.env.dev
@@ -16,6 +16,7 @@ LAYMAN_AUTHN_MODULES=layman.authn.oauth2,layman.authn.http_header
 LAYMAN_AUTHN_HTTP_HEADER_NAME=a0468616f9968eaecdc3377988aba650
 GRANT_CREATE_PUBLIC_WORKSPACE=EVERYONE
 GRANT_PUBLISH_IN_PUBLIC_WORKSPACE=EVERYONE
+LAYMAN_ROLE_SERVICE_URI=postgresql://docker:docker@postgresql:5432/layman_test?schema=_role_service
 
 # connection parameters to PostgreSQL database
 LAYMAN_PG_HOST=postgresql

diff --git a/.env.test b/.env.test
@@ -16,6 +16,7 @@ LAYMAN_AUTHN_MODULES=layman.authn.http_header
 LAYMAN_AUTHN_HTTP_HEADER_NAME=a0468616f9968eaecdc3377988aba650
 GRANT_CREATE_PUBLIC_WORKSPACE=EVERYONE
 GRANT_PUBLISH_IN_PUBLIC_WORKSPACE=EVERYONE
+LAYMAN_ROLE_SERVICE_URI=postgresql://docker:docker@postgresql:5432/layman_test?schema=_role_service
 
 # connection parameters to PostgreSQL database
 LAYMAN_PG_HOST=postgresql

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@
   LAYMAN_CLIENT_VERSION=v1.17.1
   ```
   It was already required in v1.22.2.
+- Set new environment variable [LAYMAN_ROLE_SERVICE_URI](doc/env-settings.md#LAYMAN_ROLE_SERVICE_URI)
 ### Migrations and checks
 #### Schema migrations
 - [#165](https://github.com/LayerManager/layman/issues/165) Add column `role_name` to table `rights` in prime DB schema. Add constraint that exactly one of columns `role_name` and `id_user` is not null.

diff --git a/doc/env-settings.md b/doc/env-settings.md
@@ -99,6 +99,9 @@ List of [users](models.md#user) and [roles](models.md#role) giving them permissi
 ### GRANT_PUBLISH_IN_PUBLIC_WORKSPACE
 List of [users](models.md#user) and [roles](models.md#role) giving them permission to publish new [publication](models.md#publication) in already created [public workspace](models.md#public-workspace).
 
+### LAYMAN_ROLE_SERVICE_URI
+URL of Role Service with schema in format `postgresql://<username>:<password>@<host>:<port>/<dbname>?schema=<schema_name>`. If you want to use internal Role Service, set it to `postgresql://{LAYMAN_PG_USER}:{LAYMAN_PG_PASSWORD}@{LAYMAN_PG_HOST}:{LAYMAN_PG_PORT}/{LAYMAN_PG_DBNAME}?schema=_role_service`.
+
 ## Layman Test Client Settings
 
 ### LTC_BASEPATH

diff --git a/src/layman/authz/role_service.py b/src/layman/authz/role_service.py
@@ -27,11 +27,11 @@ def ensure_admin_roles():
 
 def get_user_roles(username):
     query = f"""
-select rolename from {ROLE_SERVICE_SCHEMA}.user_roles
+select rolename from {settings.LAYMAN_ROLE_SERVICE_SCHEMA}.user_roles
 where username = %s
   and rolename not in (%s, %s, %s)
   and LEFT(rolename, 5) != 'USER_'
   and rolename ~ %s
 """
-    roles = db_util.run_query(query, (username, 'ADMIN', 'GROUP_ADMIN', settings.LAYMAN_GS_ROLE, ROLE_NAME_PATTERN))
+    roles = db_util.run_query(query, (username, 'ADMIN', 'GROUP_ADMIN', settings.LAYMAN_GS_ROLE, ROLE_NAME_PATTERN), uri_str=settings.LAYMAN_ROLE_SERVICE_URI)
     return {role[0] for role in roles}
diff --git a/src/layman_settings.py b/src/layman_settings.py
@@ -1,6 +1,6 @@
 import os
 import re
-from urllib.parse import urljoin, urlparse
+from urllib.parse import urljoin, urlparse, parse_qs
 from enum import Enum
 import redis
 
@@ -157,9 +157,6 @@ class EnumWfsWmsStatus(Enum):
                                                           "should be used for " \
                                                           "LAYMAN_PRIME_SCHEMA. "
 
-# Name of schema, where Layman maintains internal GS JDBC Role Service.
-LAYMAN_INTERNAL_ROLE_SERVICE_SCHEMA = '_role_service'
-
 # List of schemas that are not allowed to be used as usernames.
 PG_NON_USER_SCHEMAS = [
     'public',
@@ -226,6 +223,11 @@ class EnumWfsWmsStatus(Enum):
 if RIGHTS_EVERYONE_ROLE not in GRANT_PUBLISH_IN_PUBLIC_WORKSPACE:
     assert not GRANT_CREATE_PUBLIC_WORKSPACE.difference(GRANT_PUBLISH_IN_PUBLIC_WORKSPACE)
 
+# Name of schema, where Layman maintains internal GS JDBC Role Service.
+LAYMAN_INTERNAL_ROLE_SERVICE_SCHEMA = '_role_service'
+LAYMAN_ROLE_SERVICE_URI = os.environ['LAYMAN_ROLE_SERVICE_URI']
+LAYMAN_ROLE_SERVICE_SCHEMA = parse_qs(urlparse(LAYMAN_ROLE_SERVICE_URI).query).pop('schema', [None])[0]
+
 # UPLOAD_MAX_INACTIVITY_TIME = 10 # 10 seconds
 UPLOAD_MAX_INACTIVITY_TIME = 5 * 60  # 5 minutes