# redshift-user-manager
Redshift User Manager (RUM) is a user manager for AWS Redshift.
It can create/delete users and grant/revoke permissions from those users.
RUM works with a roles and permissions model which are defined in a config YAML file.
Permissions define the actual access to schemas/tables.
Permissions are then assigned to roles, and roles can be granted to users.
# Installation
RUM is installed via pip and requires python >= 3.6
```
pip install redshift-user-manager
```
Once installed it can be invoked on the command line with the `rum` command.
```
rum version
```
# Config YAML
RUM must be given a config yaml file which defines: the database that it is operating on, the permissions definitions, and role definitions.
```yaml
host: a-database.abcd1234.us-east-1.redshift.amazonaws.com
port: 5439
database: a-database
roles:
read-all:
permissions:
- r-all
read-write-all:
permissions:
- rw-all
permissions:
r-all:
level: READ
entities: "*"
rw-all:
level: READ
entities: "*"
```
## Permissions
A permission can give access to all tables and schemas, all tables within schema(s), or to specific schema/tables.
```yaml
permissions:
r-all:
level: READ
entities: "*"
rw-all:
level: READWRITE
entities: "*"
rw-schema-a:
level: READWRITE
entities:
- schema-a.*
r-table-a:
level: READ
entities:
- schema-a.table-a
rw-table-a-table-b:
level: READWRITE
entities:
- schema-a.table-a
- schema-a.table-b
```
### Level
Each permission is given a level: (`READ` or `READWRITE`). This level determines the level of access given to the given entities.
`READ` gives `SELECT` access to the given entities. `READWRITE` gives `ALL` access to the given entities.
### Entities
Each permission must be given value(s) for the entities field. The possible values are `*` or a list of `schema.*` or `schema.table`.
- `*` will give the given permission level to all tables within all schemas. As well as give default permissions to new entities created by the user which granted these permissions. This is equivalent to explicitly defining `schema.*` for all schemas in the database, and internally executes the same queries as `schema.*`.
- `schema.*` will give the given permission level to all tables within a specific schemas. As well as give default permissions to new entities created by the user which granted these permissions within that schema.
```sql
GRANT {SELECT|ALL} ON SCHEMA {schema} TO {user_name};
GRANT {USAGE|ALL} ON ALL TABLES IN SCHEMA {schema} TO {user_name};
ALTER DEFAULT PRIVILEGES IN SCHEMA {schema} GRANT {SELECT|ALL} ON TABLES TO {user_name};
```
- `schema.table` will give the given permission level to a specific table within a specific schema.
```sql
GRANT USAGE ON SCHEMA {schema} TO {user_name};
GRANT {SELECT|ALL} ON {schema}.{table} TO {user_name};
```
## Roles
Roles are lists of permissions that can then be granted or revoked from specific users. Roles are defined in the config YAML.
```yaml
roles:
developer:
permissions:
- r-all
- rw-schema-a
read-only:
permissions:
- r-all
```
This example config defines two roles: `developer` and `read-only`.
# Usage
RUM is invoked via the command line with the command `rum`. In order to function RUM must be given 4 pieces of information either by environment variable or passed in as a CLI argument:
- `REDSHIFT_USER_MANAGER_USERNAME`: The username used to connect to the database. This user must be a superuser and is the user that is used to create/grant permissions in the database.
- `REDSHIFT_USER_MANAGER_PASSWORD`: The password used to connect to the database.
- `REDSHIFT_USER_MANAGER_CONFIG_FILE`: A path to the `config.yaml` file. Defaults to a file named `redshift-user-manager-config.yaml` in the current working directory.
- `REDSHIFT_USER_MANAGER_STATE_FILE`: A path to the `state.yaml` file which holds the state for RUM. Defaults to a file named `state.yaml` in the current working directory.
I recommend putting both the state.yaml and config.yaml into source control so that any changes can be change-tracked.
## Create a user.
You can choose to have RUM generate a random password, or you can give it a password to use for the user. When creating a role, you can optionally pass in roles that you want to grant this user. Roles can be granted or revoked in the future as well.
For example, to create a user `test-user` with the password `1234`, and grant it the `read-all` role:
```bash
rum create test-user -p 1234 -r read-all
```
## Delete a user.
When deleting users from redshift, all permissions must first be revoked. RUM handles this for you.
For example, to delete the user `test-user`:
```bash
rum delete test-user
```
## Grant/Revoke roles for/from a user.
Roles can be granted and revoked from a user.
For example, we will first grant the role `r-all` to the user `test-user`, and then revoke it.
```bash
rum grant test-user -r r-all
rum revoke test-user -r r-all
```
## Refresh a user or all users permissions.
When new schemas or tables are added or permissions within the config.yaml change, it can be useful to re-apply all permissions to a single, or all users:
```bash
rum refresh test-user
rum refresh-all
```
Raw data
{
"_id": null,
"home_page": "https://github.com/henryivesjones/redshift-user-manager",
"name": "redshift-user-manager",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.6",
"maintainer_email": "",
"keywords": "sql,redshift,user,managment",
"author": "Henry Jones",
"author_email": "Henry Jones <henryivesjones@gmail.com>",
"download_url": "https://files.pythonhosted.org/packages/da/1c/aa706e9adf91f50dbccccef291bba6a36a8cfbe49c6d70828493faebc01c/redshift-user-manager-0.1.3.tar.gz",
"platform": null,
"description": "# redshift-user-manager\nRedshift User Manager (RUM) is a user manager for AWS Redshift.\nIt can create/delete users and grant/revoke permissions from those users.\nRUM works with a roles and permissions model which are defined in a config YAML file.\nPermissions define the actual access to schemas/tables.\nPermissions are then assigned to roles, and roles can be granted to users.\n\n# Installation\nRUM is installed via pip and requires python >= 3.6\n\n```\npip install redshift-user-manager\n```\nOnce installed it can be invoked on the command line with the `rum` command.\n```\nrum version\n```\n\n# Config YAML\nRUM must be given a config yaml file which defines: the database that it is operating on, the permissions definitions, and role definitions.\n```yaml\nhost: a-database.abcd1234.us-east-1.redshift.amazonaws.com\nport: 5439\ndatabase: a-database\nroles:\n read-all:\n permissions:\n - r-all\n read-write-all:\n permissions:\n - rw-all\npermissions:\n r-all:\n level: READ\n entities: \"*\"\n rw-all:\n level: READ\n entities: \"*\"\n```\n\n## Permissions\nA permission can give access to all tables and schemas, all tables within schema(s), or to specific schema/tables.\n```yaml\npermissions:\n r-all:\n level: READ\n entities: \"*\"\n rw-all:\n level: READWRITE\n entities: \"*\"\n rw-schema-a:\n level: READWRITE\n entities:\n - schema-a.*\n r-table-a:\n level: READ\n entities:\n - schema-a.table-a\n rw-table-a-table-b:\n level: READWRITE\n entities:\n - schema-a.table-a\n - schema-a.table-b\n```\n### Level\nEach permission is given a level: (`READ` or `READWRITE`). This level determines the level of access given to the given entities.\n\n`READ` gives `SELECT` access to the given entities. `READWRITE` gives `ALL` access to the given entities.\n\n### Entities\nEach permission must be given value(s) for the entities field. The possible values are `*` or a list of `schema.*` or `schema.table`.\n - `*` will give the given permission level to all tables within all schemas. As well as give default permissions to new entities created by the user which granted these permissions. This is equivalent to explicitly defining `schema.*` for all schemas in the database, and internally executes the same queries as `schema.*`.\n\n - `schema.*` will give the given permission level to all tables within a specific schemas. As well as give default permissions to new entities created by the user which granted these permissions within that schema.\n```sql\nGRANT {SELECT|ALL} ON SCHEMA {schema} TO {user_name};\nGRANT {USAGE|ALL} ON ALL TABLES IN SCHEMA {schema} TO {user_name};\nALTER DEFAULT PRIVILEGES IN SCHEMA {schema} GRANT {SELECT|ALL} ON TABLES TO {user_name};\n```\n\n - `schema.table` will give the given permission level to a specific table within a specific schema.\n```sql\nGRANT USAGE ON SCHEMA {schema} TO {user_name};\nGRANT {SELECT|ALL} ON {schema}.{table} TO {user_name};\n```\n\n## Roles\nRoles are lists of permissions that can then be granted or revoked from specific users. Roles are defined in the config YAML.\n```yaml\nroles:\n developer:\n permissions:\n - r-all\n - rw-schema-a\n read-only:\n permissions:\n - r-all\n```\nThis example config defines two roles: `developer` and `read-only`.\n\n# Usage\nRUM is invoked via the command line with the command `rum`. In order to function RUM must be given 4 pieces of information either by environment variable or passed in as a CLI argument:\n - `REDSHIFT_USER_MANAGER_USERNAME`: The username used to connect to the database. This user must be a superuser and is the user that is used to create/grant permissions in the database.\n - `REDSHIFT_USER_MANAGER_PASSWORD`: The password used to connect to the database.\n - `REDSHIFT_USER_MANAGER_CONFIG_FILE`: A path to the `config.yaml` file. Defaults to a file named `redshift-user-manager-config.yaml` in the current working directory.\n - `REDSHIFT_USER_MANAGER_STATE_FILE`: A path to the `state.yaml` file which holds the state for RUM. Defaults to a file named `state.yaml` in the current working directory.\n\nI recommend putting both the state.yaml and config.yaml into source control so that any changes can be change-tracked.\n\n## Create a user.\nYou can choose to have RUM generate a random password, or you can give it a password to use for the user. When creating a role, you can optionally pass in roles that you want to grant this user. Roles can be granted or revoked in the future as well.\n\nFor example, to create a user `test-user` with the password `1234`, and grant it the `read-all` role:\n```bash\nrum create test-user -p 1234 -r read-all\n```\n\n## Delete a user.\nWhen deleting users from redshift, all permissions must first be revoked. RUM handles this for you.\n\nFor example, to delete the user `test-user`:\n```bash\nrum delete test-user\n```\n\n## Grant/Revoke roles for/from a user.\nRoles can be granted and revoked from a user.\n\nFor example, we will first grant the role `r-all` to the user `test-user`, and then revoke it.\n```bash\nrum grant test-user -r r-all\nrum revoke test-user -r r-all\n```\n\n## Refresh a user or all users permissions.\nWhen new schemas or tables are added or permissions within the config.yaml change, it can be useful to re-apply all permissions to a single, or all users:\n\n```bash\nrum refresh test-user\nrum refresh-all\n\n\n```\n",
"bugtrack_url": null,
"license": "GPL-3.0-or-later",
"summary": "A user management CLI tool for AWS Redshift.",
"version": "0.1.3",
"split_keywords": [
"sql",
"redshift",
"user",
"managment"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "a7c11999c0c17e8749d25478559c0455183d0415e2acc689d595ded11a20b2f6",
"md5": "5ea4af10c3b788f255fc2755c1407bd8",
"sha256": "ac78896fe62e519f731c91ecad472455fa7d62e8b41e0569d0077dbeb6395b20"
},
"downloads": -1,
"filename": "redshift_user_manager-0.1.3-py3-none-any.whl",
"has_sig": false,
"md5_digest": "5ea4af10c3b788f255fc2755c1407bd8",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.6",
"size": 23347,
"upload_time": "2023-04-27T17:19:02",
"upload_time_iso_8601": "2023-04-27T17:19:02.155460Z",
"url": "https://files.pythonhosted.org/packages/a7/c1/1999c0c17e8749d25478559c0455183d0415e2acc689d595ded11a20b2f6/redshift_user_manager-0.1.3-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "da1caa706e9adf91f50dbccccef291bba6a36a8cfbe49c6d70828493faebc01c",
"md5": "d9e5e2622dfa50c0c52c97c52b246342",
"sha256": "e4d3f8263ae6dec581e8424f333c661edd2c844a0b0dd30fcb28f3965aacb795"
},
"downloads": -1,
"filename": "redshift-user-manager-0.1.3.tar.gz",
"has_sig": false,
"md5_digest": "d9e5e2622dfa50c0c52c97c52b246342",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.6",
"size": 23871,
"upload_time": "2023-04-27T17:19:04",
"upload_time_iso_8601": "2023-04-27T17:19:04.458842Z",
"url": "https://files.pythonhosted.org/packages/da/1c/aa706e9adf91f50dbccccef291bba6a36a8cfbe49c6d70828493faebc01c/redshift-user-manager-0.1.3.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-04-27 17:19:04",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "henryivesjones",
"github_project": "redshift-user-manager",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "redshift-user-manager"
}