<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:16:59 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-1935] Service creating ROLE and SCHEMA on tenant initialization</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-1935</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;When Okapi enables a module for a new tenant, Okapi invokes that module&apos;s tenant API and the module creates a database ROLE and a database SCHEMA for that combination of module and tenant in PostgreSQL.&lt;/p&gt;

&lt;p&gt;The module needs advanced database privileges to create the ROLE and the SCHEMA. But this also allows the module to access data of all other modules and all other tenants. This is a security issue. Each module should have access to its own data but not to other modules&apos; data.&lt;/p&gt;

&lt;p&gt;A possible solution:&lt;/p&gt;

&lt;p&gt;On tenant initialization Okapi calls a service that creates ROLE and SCHEMA for that combination of module and tenant. Okapi then passes the ROLE&apos;s credentials to the module. When Okapi invokes the tenant API for tenant creation the module can create the tables etc. in the SCHEMA using the ROLE, no advanced database privileges needed.&lt;br/&gt;
 Required changes:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;A service that creates a ROLE (including credentials) and SCHEMA for a combination of module and tenant. This service is the only place with advanced database privileges (only privileges for creating ROLEs and SCHEMAs, no superuser privilege required).&lt;/li&gt;
	&lt;li&gt;A storage that saves the credentials of all ROLEs.&lt;/li&gt;
	&lt;li&gt;A way to inject the ROLE credentials into a module. Needed for tenant initialization and on module restart.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Note: This should be combined with the module-tenant ROLEs described in &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-3182&quot; title=&quot;Module ROLE and module-tenant ROLEs&quot;&gt;FOLIO-3182&lt;/a&gt; (Draft).&lt;/p&gt;</description>
                <environment></environment>
        <key id="79900">FOLIO-1935</key>
            <summary>Service creating ROLE and SCHEMA on tenant initialization</summary>
                <type id="10002" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10322?size=medium">New Feature</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="10000" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/generic.png" description="(Migrated on 4 Feb 2024 13:41 UTC)">Draft</status>
                    <statusCategory id="2" key="new" colorName="blue-gray"/>
                                    <resolution id="-1">Unresolved</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>platform-backlog</label>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Wed, 3 Apr 2019 11:02:25 +0000</created>
                <updated>Fri, 22 Sep 2023 12:15:36 +0000</updated>
                                                                                <due></due>
                            <votes>1</votes>
                                    <watches>6</watches>
                                                                <comments>
                                                            <comment id="190046" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Wed, 2 Jun 2021 10:36:52 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f8314dfbdef80006f6f572d&quot; class=&quot;user-hover&quot; rel=&quot;5f8314dfbdef80006f6f572d&quot; data-account-id=&quot;5f8314dfbdef80006f6f572d&quot; accountid=&quot;5f8314dfbdef80006f6f572d&quot; rel=&quot;noreferrer&quot;&gt;Adam Dickmeiss&lt;/a&gt; It&apos;s a good proposal, in line with what we have discussed earlier. I wonder if, instead of a standalone service, this should be part of Okapi, to simplify the init procedure. I also wonder if there are existing solutions that could make managing Postgres credentials simpler (e.g. a proxy of some sort mapping module IP addresses to creds, etc.).&lt;/p&gt;</comment>
                                                            <comment id="190047" author="5f8314dfbdef80006f6f572d" created="Wed, 2 Jun 2021 19:23:15 +0000"  >&lt;p&gt;I think it&apos;s a terrible idea to move knowledge about DB structures into Okapi. Until now a module could be tested and executed without Okapi. What about purge? Require Okapi too?&lt;/p&gt;</comment>
                                                            <comment id="190048" author="6291011f9c617b006a6f8d98" created="Fri, 4 Jun 2021 19:06:34 +0000"  >&lt;p&gt;As I see it, there are two levels here:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;One is the creds needed to connect to the DB in the first place.&lt;/li&gt;
	&lt;li&gt;The next is a role with certain permissions and creds that gets created specifically for each module&#8217;s schema when that module is init&#8217;d for the tenant.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;As it is now the Folio storage modules use that initial DB connection foo (folio_admin, password, along with the DB URL and port) to create the role, level of access, and creds for the schema/schemas in its domain.&lt;/p&gt;

&lt;p&gt;Going forwards, each storage module&apos;s code would need to be re-written to take these changes into account, as they essentially connect with what is a DB superuser (folio_admin) when they spin up.&lt;/p&gt;

&lt;p&gt;Don&apos;t forget that this is the same DB superuser, regardless of tenant, in a multi-tenant environment using the same instance of Folio.&lt;/p&gt;

&lt;p&gt;I can only assume these &quot;Okapi Service&quot; creds are stored in something that a secret store would use (a dedicated DB outside of Folio&#8217;s DB? Some Secret passed in to Okapi?) This will be the most tricky part... How would you first spin up a module, and edit or change what env vars it would use after these DB access creds are created upon tenant init? Seems like a very chicken and egg type of situation...&lt;/p&gt;

&lt;p&gt;Bootstrapping the Folio platform has always proven problematic... Perhaps it&apos;s better that a module is given some sort of higher level bootstrap access (a user in the DB that can create roles, etc...) then restarts its service connecting using only the needed user/roles/permissions/password to do what it needs to do in its schema?&lt;/p&gt;

&lt;p&gt;The proposal here is a major re-architect of the system... And quite honestly, at this stage in the project - If you&apos;re going to rewrite how these things are bootstrapped in you might as well rewrite to account for the rest of the bootstrap issues Folio has! (Creating supertenant admin for securing Okapi, tenant admin users, what is considered a system user of Okapi/Folio platform vs a Patron)&lt;/p&gt;</comment>
                                                            <comment id="190049" author="5cf6c546b87c300f36eb7b9a" created="Fri, 24 Sep 2021 15:23:40 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt;&#160;there hasn&apos;t been movement on this in a while, the security team is wondering if the core-platform team made any progress on this, or the related issues?&#160; Do you have any idea when this will be prioritized by the CP team?&lt;/p&gt;</comment>
                                                            <comment id="190050" author="5cf6c546b87c300f36eb7b9a" created="Thu, 14 Oct 2021 15:28:07 +0000"  >&lt;p&gt;Discussed with &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt;&#160;and the Security team... We agreed that we need to sort out the details here and generate a formal proposal that can be reviewed by the TC/security team.&#160; The end goal being a formal decision.&lt;/p&gt;</comment>
                                                            <comment id="190051" author="5cf6c546b87c300f36eb7b9a" created="Thu, 3 Feb 2022 16:28:13 +0000"  >&lt;blockquote&gt;&lt;p&gt;We agreed that we need to sort out the details here and generate a formal proposal&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Ab8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; class=&quot;user-hover&quot; rel=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; data-account-id=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; accountid=&quot;557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d&quot; rel=&quot;noreferrer&quot;&gt;Jakub Skoczen&lt;/a&gt;&#160;/ &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c265e7d2310e9fc0c5ac&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c265e7d2310e9fc0c5ac&quot; data-account-id=&quot;5cf6c265e7d2310e9fc0c5ac&quot; accountid=&quot;5cf6c265e7d2310e9fc0c5ac&quot; rel=&quot;noreferrer&quot;&gt;VBar&lt;/a&gt;&#160;is this something either the Solution architects or the core platform team would be willing to take on?&lt;/p&gt;</comment>
                                                            <comment id="190052" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Mon, 14 Feb 2022 14:29:37 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt; I think this is something that the Core Platform could take on but it won&apos;t be started until the Token Expiration/System users work is concluded.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10002">
                    <name>Duplicate</name>
                                                                <inwardlinks description="is duplicated by">
                                        <issuelink>
            <issuekey id="56747">RMB-360</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="67298">MODFISTO-214</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="80193">FOLIO-595</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="67331">MODFISTO-239</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="67329">MODFISTO-236</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="79905">FOLIO-3182</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="56679">RMB-651</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="79468">FOLIO-1794</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="79655">FOLIO-2031</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="79702">FOLIO-2862</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="67298">MODFISTO-214</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="81652">FOLIO-2551</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="32474">MODORDSTOR-213</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="67331">MODFISTO-239</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="67329">MODFISTO-236</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="13076">UXPROD-1819</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i01vr9:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="128">CP: R3 2022 roadmap</customfieldvalue>
    <customfieldvalue id="1452">CP: Roadmap backlog</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 2 Jun 2021 10:36:52 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                </customfields>
    </item>
</channel>
</rss>