refactor: splits mysql init into two steps

because we can't grant table-specific permissions for tables that do not exist yet. Step 1: unchanged Step 2: Grants SELECT access to superset metadata tables created by Superset migrations
openedx · Nov 2, 2023 · ba89145 · ba89145
1 parent 9ad42bf
commit ba89145
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 14 deletions.
diff --git a/tutoraspects/plugin.py b/tutoraspects/plugin.py
@@ -241,7 +241,6 @@
         ("SUPERSET_DB_NAME", "superset"),
         ("SUPERSET_DB_USERNAME", "superset"),
         ("SUPERSET_DB_METADATA_NAME", "superset"),
-        ("SUPERSET_DB_METADATA_USERNAME", "superset_meta"),
         ("SUPERSET_EXTRA_REQUIREMENTS", []),
         ("SUPERSET_OAUTH2_ACCESS_TOKEN_PATH", "/oauth2/access_token/"),
         ("SUPERSET_OAUTH2_AUTHORIZE_PATH", "/oauth2/authorize/"),
@@ -272,8 +271,8 @@
         ("SUPERSET_ROW_LIMIT", 100_000),
         (
             "SUPERSET_METADATA_SQLALCHEMY_URI",
-            "mysql://{{SUPERSET_DB_METADATA_USERNAME}}:{{SUPERSET_DB_METADATA_PASSWORD}}"
-            "@{{SUPERSET_DB_HOST}}/{{SUPERSET_DB_NAME}}",
+            "mysql://{{SUPERSET_DB_USERNAME}}:{{SUPERSET_DB_PASSWORD}}"
+            "@{{SUPERSET_DB_HOST}}/{{SUPERSET_DB_METADATA_NAME}}",
         ),
         ("SUPERSET_SENTRY_DSN", ""),
         (
@@ -453,7 +452,6 @@
         # Superset Settings
         ("SUPERSET_SECRET_KEY", "{{ 24|random_string }}"),
         ("SUPERSET_DB_PASSWORD", "{{ 24|random_string }}"),
-        ("SUPERSET_DB_METADATA_PASSWORD", "{{ 24|random_string }}"),
         ("SUPERSET_OAUTH2_CLIENT_ID", "{{ 16|random_string }}"),
         ("SUPERSET_OAUTH2_CLIENT_ID_DEV", "{{ 16|random_string }}"),
         ("SUPERSET_OAUTH2_CLIENT_SECRET", "{{ 16|random_string }}"),
@@ -484,11 +482,12 @@
 # and then add it to the MY_INIT_TASKS list. Each task is in the format:
 # ("<service>", ("<path>", "<to>", "<script>", "<template>"))
 MY_INIT_TASKS: list[tuple[str, tuple[str, ...], int]] = [
-    ("mysql", ("aspects", "jobs", "init", "init-mysql.sh"), 92),
+    ("mysql", ("aspects", "jobs", "init", "mysql", "init-mysql.sh"), 92),
     ("clickhouse", ("aspects", "jobs", "init", "clickhouse", "init-clickhouse.sh"), 93),
     ("aspects", ("aspects", "jobs", "init", "aspects", "init-aspects.sh"), 94),
     ("superset", ("aspects", "jobs", "init", "superset", "init-superset.sh"), 95),
-    ("lms", ("aspects", "jobs", "init", "init-lms.sh"), 96),
+    ("mysql", ("aspects", "jobs", "init", "mysql", "init-mysql-post-migration.sh"), 96),
+    ("lms", ("aspects", "jobs", "init", "init-lms.sh"), 97),
 ]
 
 # For each task added to MY_INIT_TASKS, we load the task template

diff --git a/tutoraspects/templates/aspects/jobs/init/mysql/init-mysql-post-migration.sh b/tutoraspects/templates/aspects/jobs/init/mysql/init-mysql-post-migration.sh
@@ -0,0 +1,6 @@
+echo "MySQL init after Superset migrations..."
+
+# Grant SELECT access to a subset of superset metadata tables
+for TABLE in ab_user dashboards logs slices tables; do
+    mysql -u {{ MYSQL_ROOT_USERNAME }} --password="{{ MYSQL_ROOT_PASSWORD }}" --host "{{ MYSQL_HOST }}" --port {{ MYSQL_PORT }} -e "GRANT SELECT ON {{ SUPERSET_DB_METADATA_NAME }}.${TABLE} TO '{{ SUPERSET_DB_USERNAME }}'@'%';"
+done
diff --git a/...templates/aspects/jobs/init/init-mysql.sh → ...tes/aspects/jobs/init/mysql/init-mysql.sh b/...templates/aspects/jobs/init/init-mysql.sh → ...tes/aspects/jobs/init/mysql/init-mysql.sh
@@ -21,11 +21,3 @@ mysql -u {{ MYSQL_ROOT_USERNAME }} --password="{{ MYSQL_ROOT_PASSWORD }}" --host
 mysql -u {{ MYSQL_ROOT_USERNAME }} --password="{{ MYSQL_ROOT_PASSWORD }}" --host "{{ MYSQL_HOST }}" --port {{ MYSQL_PORT }} -e "CREATE USER IF NOT EXISTS '{{ SUPERSET_DB_USERNAME }}';"
 mysql -u {{ MYSQL_ROOT_USERNAME }} --password="{{ MYSQL_ROOT_PASSWORD }}" --host "{{ MYSQL_HOST }}" --port {{ MYSQL_PORT }} -e "ALTER USER '{{ SUPERSET_DB_USERNAME }}'@'%' IDENTIFIED BY '{{ SUPERSET_DB_PASSWORD }}';"
 mysql -u {{ MYSQL_ROOT_USERNAME }} --password="{{ MYSQL_ROOT_PASSWORD }}" --host "{{ MYSQL_HOST }}" --port {{ MYSQL_PORT }} -e "GRANT ALL ON {{ SUPERSET_DB_NAME }}.* TO '{{ SUPERSET_DB_USERNAME }}'@'%';"
-
-# Superset metadata user (read-only)
-mysql -u {{ MYSQL_ROOT_USERNAME }} --password="{{ MYSQL_ROOT_PASSWORD }}" --host "{{ MYSQL_HOST }}" --port {{ MYSQL_PORT }} -e "CREATE USER IF NOT EXISTS '{{ SUPERSET_DB_METADATA_USERNAME }}';"
-mysql -u {{ MYSQL_ROOT_USERNAME }} --password="{{ MYSQL_ROOT_PASSWORD }}" --host "{{ MYSQL_HOST }}" --port {{ MYSQL_PORT }} -e "ALTER USER '{{ SUPERSET_DB_METADATA_USERNAME }}'@'%' IDENTIFIED BY '{{ SUPERSET_DB_METADATA_PASSWORD }}';"
-# Grant SELECT access to a subset of superset tables:
-for TABLE in ab_user dashboards logs slices tables; do
-    mysql -u {{ MYSQL_ROOT_USERNAME }} --password="{{ MYSQL_ROOT_PASSWORD }}" --host "{{ MYSQL_HOST }}" --port {{ MYSQL_PORT }} -e "GRANT SELECT ON {{ SUPERSET_DB_METADATA_NAME }}.${TABLE} TO '{{ SUPERSET_DB_METADATA_USERNAME }}'@'%';"
-done