# grant.rs

An open-source project that aims to manage Redshift database roles and privileges in GitOps style, written in Rust.

_This project is still in the early stages of development and is not ready for any kind of production use or any alpha/beta testing._

# Usage

Install binary from crates.io

```bash
cargo install grant
```

Using `grant` tool:

```bash
$ grant --help

grant 0.0.1-beta.2
Manage database roles and privileges in GitOps style

USAGE:
    grant <SUBCOMMAND>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

SUBCOMMANDS:
    apply       Apply a configuration to a redshift by file name. Yaml format are accepted
    gen         Generate sample configuration file
    gen-pass    Generate random password
    help        Prints this message or the help of the given subcommand(s)
    inspect     Inspect current database cluster with connection info from configuration file
    validate    Validate a configuration file or a target directory that contains configuration files
```

## Generate project structure

```bash
grant gen --target ./cluster

Creating path: "./cluster"
Generated: "./cluster/config.yml"
```

## Apply privilege changes

Content of `./examples/example.yaml`:

```yaml
connection:
  type: "postgres"
  # support environment variables, e.g. postgres://${HOSTNAME}:5432
  url: "postgres://postgres@localhost:5432/postgres"

roles:
  - name: role_database_level
    type: database
    grants:
      - CREATE
      - TEMP
    databases:
      - postgres

  - name: role_schema_level
    type: schema
    grants:
      - CREATE
    databases:
      - postgres
    schemas:
      - public
  - name: role_all_schema
    type: table
    grants:
      - SELECT
      - INSERT
      - UPDATE
    databases:
      - postgres
    schemas:
      - public
    tables:
      - ALL

users:
  - name: duyet
    password: 1234567890 # password in plaintext
    roles:
      - role_database_level
      - role_all_schema
      - role_schema_level
  - name: duyet2
    password: md58243e8f5dfb84bbd851de920e28f596f # support md5 style: grant gen-pass -u duyet2
    roles:
      - role_database_level
      - role_all_schema
      - role_schema_level
```

Apply this config to cluster:

```bash
grant apply -f ./examples/example.yaml

[2021-12-06T14:37:03Z INFO  grant::connection] Connected to database: postgres://postgres@localhost:5432/postgres
[2021-12-06T14:37:03Z INFO  grant::apply] Summary:
    ┌────────────┬───────────────────────────┐
    │ User       │ Action                    │
    │ ---        │ ---                       │
    │ duyet      │ update password           │
    │ duyet2     │ update password           │
    └────────────┴───────────────────────────┘

[2021-12-06T14:37:03Z INFO  grant::apply] Summary:
    ┌────────┬───────────────────────────────────────────────────────────┬─────────┐
    │ User   │ Database Privilege                                        │ Action  │
    │ ---    │ ---                                                       │ ---     │
    │ duyet  │ privileges `role_database_level` for database: ["postgre+ │ updated │
    │ duyet2 │ privileges `role_database_level` for database: ["postgre+ │ updated │
    └────────┴───────────────────────────────────────────────────────────┴─────────┘

[2021-12-06T14:37:03Z INFO  grant::apply] Summary:
    ┌────────┬───────────────────────────────────────────────────────┬─────────┐
    │ User   │ Schema Privileges                                     │ Action  │
    │ ---    │ ---                                                   │ ---     │
    │ duyet  │ privileges `role_schema_level` for schema: ["public"] │ updated │
    │ duyet2 │ privileges `role_schema_level` for schema: ["public"] │ updated │
    └────────┴───────────────────────────────────────────────────────┴─────────┘

[2021-12-06T14:37:03Z INFO  grant::apply] Summary:
    ┌────────┬─────────────────────────────────────────────────┬─────────┐
    │ User   │ Table Privileges                                │ Action  │
    │ ---    │ ---                                             │ ---     │
    │ duyet  │ privileges `role_all_schema` for table: ["ALL"] │ updated │
    │ duyet2 │ privileges `role_all_schema` for table: ["ALL"] │ updated │
    └────────┴─────────────────────────────────────────────────┴─────────┘
```

## Generate random password

```bash
$ grant gen-pass

Generated password: q)ItTjN$EXlkF@Tl
```

```bash
$ grant gen-pass --user duyet

Generated password: o^b3aD1L$xLm%#~U
Generated MD5 (user: duyet): md58243e8f5dfb84bbd851de920e28f596f
```

## Inspect the current cluster

```bash
$ grant inspect -f examples/example.yaml

[2021-11-29T07:46:44Z INFO  grant::inspect] Current users in postgres://postgres@localhost:5432/postgres:
    ┌────────────┬──────────┬───────┬──────────┐
    │ User       │ CreateDB │ Super │ Password │
    │ ---        │ ---      │ ---   │ ---      │
    │ postgres   │ true     │ true  │ ******** │
    │ duyet      │ false    │ false │ ******** │
    └────────────┴──────────┴───────┴──────────┘
```

# Developement

Clone the repo:

```bash
git clone https://github.com/duyet/grant.rs && cd grant.rs
```

Postgres is required for testing, you might need to use the `docker-compose.yaml`:

```bash
docker-compose up -d
```

Make sure you have connection to `postgres://postgres:postgres@localhost:5432/postgres`.

On the MacOS, the easiest way is install [Postgres.app](https://postgresapp.com).

To run the unittest:

```bash
cargo test
```

# TODO

- [x] Support reading connection info from environment variables
- [ ] Support store encrypted password in Git
- [x] Support Postgres and Redshift
- [ ] Support change password
- [ ] Visuallization (who can see what?)
- [ ] Apply show more detail about diff changes
- [ ] Inspect show more detail about user privileges

# LICENSE

MIT