GTEdgeAI/gt-ai-os-community
3
0
Fork 0
Code Issues Packages Releases Wiki Activity
Files
c42b8b5c92d4c772a123c2c745f1bfeebfce8985
gt-ai-os-community/scripts/postgresql/unified/01-create-tenant-roles.sql
HackWeasel b9dfb86260 GT AI OS Community Edition v2.0.33 
Security hardening release addressing CodeQL and Dependabot alerts:

- Fix stack trace exposure in error responses
- Add SSRF protection with DNS resolution checking
- Implement proper URL hostname validation (replaces substring matching)
- Add centralized path sanitization to prevent path traversal
- Fix ReDoS vulnerability in email validation regex
- Improve HTML sanitization in validation utilities
- Fix capability wildcard matching in auth utilities
- Update glob dependency to address CVE
- Add CodeQL suppression comments for verified false positives

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-12 17:04:45 -05:00

63 lines
2.2 KiB
SQL
Raw Blame History

-- GT 2.0 Tenant Cluster Role Creation Script
-- Creates PostgreSQL roles for tenant cluster (including replication)
-- Runs in tenant postgres container only
-- Enable logging
\set ON_ERROR_STOP on
\set ECHO all
-- Create replication user for High Availability
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'replicator') THEN
CREATE ROLE replicator WITH REPLICATION PASSWORD 'tenant_replicator_dev_password' LOGIN;
RAISE NOTICE 'Created replicator role for HA cluster';
ELSE
RAISE NOTICE 'Replicator role already exists';
END IF;
END $$;
-- Create application user for tenant backend connections (legacy)
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'gt2_app') THEN
CREATE ROLE gt2_app LOGIN PASSWORD 'gt2_app_password';
RAISE NOTICE 'Created gt2_app role for tenant backend';
ELSE
RAISE NOTICE 'gt2_app role already exists';
END IF;
END $$;
-- Create tenant user for tenant database operations (current)
DO $$
BEGIN
IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'gt2_tenant_user') THEN
CREATE ROLE gt2_tenant_user LOGIN PASSWORD 'gt2_tenant_dev_password';
RAISE NOTICE 'Created gt2_tenant_user role for tenant operations';
ELSE
RAISE NOTICE 'gt2_tenant_user role already exists';
END IF;
END $$;
-- Set default search_path for gt2_tenant_user role
-- This ensures all connections automatically use tenant_test_company schema
ALTER ROLE gt2_tenant_user SET search_path TO tenant_test_company, public;
-- Grant database connection permissions (only on gt2_tenants which exists in tenant container)
GRANT CONNECT ON DATABASE gt2_tenants TO gt2_app;
GRANT CONNECT ON DATABASE gt2_tenants TO gt2_tenant_user;
GRANT CONNECT ON DATABASE gt2_tenants TO replicator;
-- Log completion
DO $$
BEGIN
RAISE NOTICE '=== GT 2.0 TENANT CLUSTER ROLE CREATION ===';
RAISE NOTICE 'Roles created:';
RAISE NOTICE ' - replicator (for HA replication)';
RAISE NOTICE ' - gt2_app (tenant backend - legacy)';
RAISE NOTICE ' - gt2_tenant_user (tenant operations - current)';
RAISE NOTICE 'Permissions granted on:';
RAISE NOTICE ' - gt2_tenants database';
RAISE NOTICE '==========================================';
END $$;
View Git Blame Copy Permalink