sddi-ckan-k8s

Decouple database initialization

Open BWibo opened this issue 11 months ago • 0 comments

CKAN and its tool chain require databases that need specific initialization steps (mainly roles and permissions) for security reasons. Several init steps require Postgres superuser rights. At the same time, unprivileged database users need to be set for CKAN and other services (e.g. Datapusher) that are supposed to use the databases. The different databases may potentially live in separate instances (e.g. ckan-db on one server, ckan datastore on a different server).

Currently, those steps can only be performed when the postgis sub-chart is used. External databases (e.g. a managed database from a cloud provider) cannot be initialized successfully, because the native CKAN init fails, as it does not have sufficient rights.

In the future, the database initialization should be moved to a (maybe multiple?) separate Helm chart/subchart, the ckan-database-initializer.

This initializer should be capable of initializing one or many databases for CKAN and its services:

  • Specify a DB superuser for each required DB instance, that can do all initialization steps:
    • Create roles and users
    • Create databases
    • Grant required access to the different DBs for each role

BWibo, Jul 10 '23 14:07
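The initialization steps listed in the issue, sketched as an added example (not code from the issue or from the sddi-ckan-k8s project): it renders, per Postgres instance, the statements a superuser would run to create unprivileged roles, create the databases, and grant access. The hostnames, the `datastore_ro` role, the spec layout and the use of `postgres` as the maintenance database are assumptions; role passwords are expected to be set separately from a secret and are not rendered into SQL.

```python
# Added example: renders a least-privilege init plan per Postgres instance.
# All instance, database and role names below are constructed placeholders.

def ident(name: str) -> str:
    """Quote a Postgres identifier so a config value cannot inject SQL."""
    if not name or "\x00" in name:
        raise ValueError(f"invalid identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'

def init_plan(databases):
    """Return {instance: [(connect_db, sql), ...]} to run as that instance's superuser."""
    plan, seen_roles = {}, {}
    for db in databases:
        steps = plan.setdefault(db["instance"], [])
        roles = seen_roles.setdefault(db["instance"], set())
        name, owner = ident(db["name"]), ident(db["owner"])
        # Roles are cluster-wide: create each once per instance, never as superuser.
        for role in [db["owner"], *db.get("readers", [])]:
            if role not in roles:
                roles.add(role)
                steps.append(("postgres", f"CREATE ROLE {ident(role)} LOGIN "
                              "NOSUPERUSER NOCREATEDB NOCREATEROLE;"))
        steps.append(("postgres", f"CREATE DATABASE {name} OWNER {owner} ENCODING 'UTF8';"))
        # Drop the default PUBLIC grants so only listed roles can connect.
        steps.append(("postgres", f"REVOKE ALL ON DATABASE {name} FROM PUBLIC;"))
        for reader in db.get("readers", []):
            r = ident(reader)
            steps.append(("postgres", f"GRANT CONNECT ON DATABASE {name} TO {r};"))
            # Schema-level grants must be issued while connected to the target DB.
            steps.append((db["name"], f"GRANT USAGE ON SCHEMA public TO {r};"))
            steps.append((db["name"], f"GRANT SELECT ON ALL TABLES IN SCHEMA public TO {r};"))
            steps.append((db["name"], f"ALTER DEFAULT PRIVILEGES FOR ROLE {owner} "
                          f"IN SCHEMA public GRANT SELECT ON TABLES TO {r};"))
    return plan

# Constructed sample: CKAN DB and datastore on different servers.
SAMPLE = [
    {"instance": "db-a.example.internal", "name": "ckan", "owner": "ckan"},
    {"instance": "db-b.example.internal", "name": "datastore", "owner": "ckan",
     "readers": ["datastore_ro"]},
]

if __name__ == "__main__":
    for instance, steps in init_plan(SAMPLE).items():
        print(f"-- {instance}")
        for connect_db, sql in steps:
            print(f"\\connect {connect_db}\n{sql}")
```

The plan is for a first run against empty instances; `CREATE ROLE` and `CREATE DATABASE` fail if the object already exists, so a rerunnable initializer would need existence checks first.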