diff --git a/README.md b/README.md index 3794d7783..7578a692d 100644 --- a/README.md +++ b/README.md @@ -206,6 +206,22 @@ Once Postgres is installed (On macOS, use `brew`): 1. Grant all on database `obpdb` to `obp`; (So OBP-API can create tables etc.) +#### For newer versions of postgres 16 and above, you need to follow the following instructions +-- Connect to the sandbox database +\c sandbox; + +-- Grant schema usage and creation privileges +GRANT USAGE ON SCHEMA public TO obp; +GRANT CREATE ON SCHEMA public TO obp; + +-- Grant all privileges on existing tables (if any) +GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO obp; +GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO obp; + +-- Grant privileges on future tables and sequences +ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO obp; +ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO obp; + 1. Then, set the `db.url` in your Props: ``` diff --git a/obp-api/src/main/scripts/sql/create_oidc_user_and_views.sql b/obp-api/src/main/scripts/sql/create_oidc_user_and_views.sql index 75da5ff6d..61a5fbd9a 100644 --- a/obp-api/src/main/scripts/sql/create_oidc_user_and_views.sql +++ b/obp-api/src/main/scripts/sql/create_oidc_user_and_views.sql @@ -87,13 +87,13 @@ -- OIDC user credentials -- ⚠️ SECURITY: Change this to a strong password (20+ chars, mixed case, numbers, symbols) -\set OIDC_USER 'oidc_user' -\set OIDC_PASSWORD 'lakij8777fagg' +\set OIDC_USER "oidc_user" +\set OIDC_PASSWORD '''lakij8777fagg''' -- OIDC admin user credentials (for client administration) -- ⚠️ SECURITY: Change this to a strong password (20+ chars, mixed case, numbers, symbols) -\set OIDC_ADMIN_USER 'oidc_admin' -\set OIDC_ADMIN_PASSWORD 'fhka77uefassEE' +\set OIDC_ADMIN_USER "oidc_admin" +\set OIDC_ADMIN_PASSWORD '''fhka77uefassEE''' -- ============================================================================= -- 1. Connect to the OBP database 
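Review bot: The script still ships working default passwords (`lakij8777fagg`, `fhka77uefassEE`) for both OIDC roles; the new `'''…'''` form appears to only wrap them in literal quotes, so anyone who runs the file unedited gets database roles whose passwords are public in this repository, with the ⚠️ comment as the only safeguard. A provisioning script should take the secrets from `psql -v` and refuse to run when they are missing rather than carry a usable default; psql's `:{?name}` test (psql 10+) makes that a few lines. The `\set` lines for the role names can stay, but the two password defaults should be removed outright.
```sql
-- Credentials are supplied on the command line, never stored in this file:
--   psql -v OIDC_PASSWORD='...' -v OIDC_ADMIN_PASSWORD='...' -f create_oidc_user_and_views.sql
\set OIDC_USER "oidc_user"
\if :{?OIDC_PASSWORD}
\else
  \echo 'ERROR: OIDC_PASSWORD is not set (pass it with psql -v OIDC_PASSWORD=...)'
  \quit
\endif
\set OIDC_ADMIN_USER "oidc_admin"
\if :{?OIDC_ADMIN_PASSWORD}
\else
  \echo 'ERROR: OIDC_ADMIN_PASSWORD is not set (pass it with psql -v OIDC_ADMIN_PASSWORD=...)'
  \quit
\endif
-- … unchanged: section 1, connect to the OBP database …
```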
@@ -120,7 +120,7 @@ ALTER ROLE :OIDC_ADMIN_USER WITH PASSWORD :OIDC_ADMIN_PASSWORD; -- Create the OIDC user with limited privileges CREATE USER :OIDC_USER WITH - PASSWORD :'OIDC_PASSWORD' + PASSWORD :OIDC_PASSWORD NOSUPERUSER NOCREATEDB NOCREATEROLE @@ -134,7 +134,7 @@ ALTER USER :OIDC_USER CONNECTION LIMIT 10; -- Create the OIDC admin user with limited privileges CREATE USER :OIDC_ADMIN_USER WITH - PASSWORD :'OIDC_ADMIN_PASSWORD' + PASSWORD :OIDC_ADMIN_PASSWORD NOSUPERUSER NOCREATEDB NOCREATEROLE @@ -143,11 +143,12 @@ CREATE USER :OIDC_ADMIN_USER WITH NOREPLICATION NOBYPASSRLS; - -- need this so the admin can create rows - GRANT USAGE, SELECT ON SEQUENCE consumer_id_seq TO :OIDC_ADMIN_USER; +-- TODO: THIS IS NOT WORKING FOR SOME REASON, WE HAVE TO MANUALLY DO THIS LATER +-- need this so the admin can create rows +GRANT USAGE, SELECT ON SEQUENCE consumer_id_seq TO :OIDC_ADMIN_USER; - -- double check this - GRANT USAGE, SELECT ON SEQUENCE consumer_id_seq TO oidc_admin; +-- double check this +GRANT USAGE, SELECT ON SEQUENCE consumer_id_seq TO oidc_admin; -- Set connection limit for the OIDC admin user ALTER USER :OIDC_ADMIN_USER CONNECTION LIMIT 5; @@ -202,6 +203,7 @@ DROP VIEW IF EXISTS v_oidc_clients CASCADE; CREATE VIEW v_oidc_clients AS SELECT key_c as client_id, + key_c as consumer_id, secret as client_secret, redirecturl as redirect_uris, 'authorization_code,refresh_token' as grant_types, -- Default OIDC grant types @@ -209,7 +211,8 @@ SELECT name as client_name, 'code' as response_types, 'client_secret_post' as token_endpoint_auth_method, - createdat as created_at + createdat as created_at, + consumerid FROM consumer WHERE isactive = true -- Only expose active consumers to OIDC service ORDER BY client_name;
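Review bot: `PASSWORD :OIDC_PASSWORD` interpolates the variable verbatim, so the statement only parses because the `\set` in the earlier hunk now stores the surrounding quotes inside the value; a password containing `'` (which the script's own ⚠️ comment asks for by recommending symbols) or a value passed with `psql -v` without that extra quoting either breaks the statement or lets the value continue it. The removed `:'OIDC_PASSWORD'` is psql's literal-quoting interpolation, which escapes embedded quotes, and `:"VAR"` does the same for identifiers; keep the raw values in the variables and quote at the use site: `\set OIDC_PASSWORD 'lakij8777fagg'`, `CREATE USER :"OIDC_USER" WITH PASSWORD :'OIDC_PASSWORD'`, and the same for `OIDC_ADMIN_USER` / `OIDC_ADMIN_PASSWORD` in the next hunk. The CREATE USER statement continues past the end of this hunk.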
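Review bot: The hunk keeps a GRANT that its own TODO says does not work, and nothing in the script stops the run when it fails; psql continues after an error by default, so the admin role ends up created with its connection limit but without sequence privileges and without any visible failure. Add `\set ON_ERROR_STOP on` at the top of the script (outside this hunk) so a failed GRANT aborts provisioning instead of being silently skipped, and drop the second grant to the literal `oidc_admin` — with `\set OIDC_ADMIN_USER "oidc_admin"` both statements target the same role, so the "double check" duplicate adds nothing. If the reason it fails is that `consumer_id_seq` does not exist yet when the script runs (the README says OBP-API creates its own tables), the grant belongs after first start and the TODO should say so in plain words rather than in capitals.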
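Review bot: `key_c as consumer_id` exposes the same value as `client_id` under a second name, while the last hunk adds the table's own `consumerid` column unaliased, so readers of `v_oidc_clients` now see `consumer_id` and `consumerid` holding different values with near-identical names. Every other column in the view is aliased to an OIDC-facing name; give the table column a distinct alias too (for example `consumerid AS obp_consumer_id`) and add a comment stating which of the two the OIDC service must send back to OBP, or drop whichever one is not needed. The view definition starts before this hunk and ends in the next one.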