Regranting permissions
When modifying or dropping permissions, roles, or groups for course special groups (see custom regranting), the regrant script must be run. Otherwise, grants that already exist but should have been modified or deleted remain in place. The script generates a sequence of SQL commands that
- (1) dump all grants in xi-account and
- (2) ensure that all necessary roles are created and their grants are re-created.
Regrant script
1. Copy the regranting script from web/services/course/db/regrant.rb to your clipboard.
2. Using Nomad's web UI, connect to xi-course: https://nomad.adm.production.openhpi.xi.xopic.de/ui/exec/xikolo/course-api/server?namespace=default (don't forget to press Enter here!)
3. Create a temporary script, paste the script's content from your clipboard and press CTRL-D:
       xi-course:/app$ cat > tmp/regrant.rb
4. Create the regranting SQL code:
       xi-course:/app$ rails r tmp/regrant.rb > tmp/regrant.sql
5. Copy the SQL script to your local machine. You can pipe it directly to your clipboard (Linux: cat tmp/regrant.sql | xclip) or print it and then select and copy it manually:
       xi-course:/app$ cat tmp/regrant.sql
6. Remove the safety belt (the ROLLBACK; in the last line of the SQL script):
       localhost:~# sed -i '$ d' [path-to-file]/regrant.sql        # Linux
       localhost:~# sed -i '' -e '$ d' [path-to-file]/regrant.sql  # Mac
7. Copy the SQL script to the database server:
       localhost:~# scp [path-to-file]/regrant.sql root@db.production.openhpi.xi.xopic.de:/tmp
8. Log in to the db VM:
       localhost:~# ssh root@db.production.openhpi.xi.xopic.de
9. Open a psql console on the database:
       db:~# sudo -u postgres psql web
10. Load the script in the psql console:
       web=# \i /tmp/regrant.sql
11. If the script runs without errors, apply the changes:
       web=# COMMIT;
12. Delete the regrant script from the database VM.
13. You're done (or can continue with the next instance if applicable).
14. Don't forget to remove the regrant script(s) from your local machine and xi-course as soon as you're completely done.
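The safety-belt step above deletes the last line of the SQL script unconditionally, so a file whose last line is not the ROLLBACK; (for example one that was already cut once, or was truncated while copying) would lose a real statement. The helper below, an added example rather than part of the original procedure, refuses to cut unless the last line is exactly ROLLBACK;, writes the result to a separate file so the generated script stays intact, and avoids the Linux/Mac sed -i difference by not editing in place; the file names are constructed.

```shell
#!/bin/sh
# strip_rollback SRC DST
# Copies SRC to DST without its final line, but only if that final line is the
# "ROLLBACK;" safety belt. Returns non-zero (and writes nothing) otherwise.
strip_rollback() {
    src="$1"
    dst="$2"
    # Refuse to operate on an empty or missing script.
    if [ ! -s "$src" ]; then
        echo "strip_rollback: $src is empty or missing" >&2
        return 1
    fi
    # Last line, with CR and surrounding whitespace removed so a script copied
    # from a terminal or a Windows clipboard still matches.
    last=$(tail -n 1 "$src" | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ "$last" != "ROLLBACK;" ]; then
        echo "strip_rollback: last line of $src is '$last', not 'ROLLBACK;'; refusing to cut it" >&2
        return 1
    fi
    # '$ d' (delete the last line) is portable across GNU and BSD sed; writing
    # to a new file sidesteps the differing -i syntax on Linux and macOS.
    sed '$ d' "$src" > "$dst"
}

# Example invocation (constructed paths):
# strip_rollback /tmp/regrant.sql /tmp/regrant-commit.sql && scp /tmp/regrant-commit.sql ...
```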
Note
If you need to regrant all platform instances, keep in mind that steps 1-4 only need to be executed once for all instances that do not override the permissions for the course_special_groups in xikolo.yml: you can reuse the regrant SQL script generated for the first instance. Instances with overridden permissions need their own regrant SQL script.
Custom regranting
If you modify global permission groups, you might also need to modify the existing grants manually on the console. In particular, if you remove grants for roles from a group, these grants have to be deleted by hand after deployment.
For example, when the roles for handling personal information were extracted from the existing xikolo.admins group into the new, dedicated xikolo.gdpr_admins group, the new group including its granted permissions was created by the permissions:load rake task on deployment. The corresponding grants still had to be removed from the admin group (a partial "regrant"):
    # Remove from xikolo.admins every grant whose role is now granted to
    # xikolo.gdpr_admins (run on the Rails console after deployment).
    Group.find_by(name: 'xikolo.admins')
      .grants
      .where(role: Group.find_by(name: 'xikolo.gdpr_admins').grants.map(&:role))
      .destroy_all
There are further use cases where manual regranting must be applied, e.g. when completely dropping a global permission group.
Note
You don’t need to apply any custom regranting for global permission groups if your changes are purely additive, e.g. adding a new group or adding permissions to existing groups.