Multiple run user(s) for sqitch (principle of least privilege)

[rossocampbell]

I am new to sqitch and I am using PostgreSQL. It seems the intention for a sqitch project is for all changes to be executed by a single user. However, in keeping with the principle of least privilege I would like to run some small number of changes as a privileged user (only those that need to run with higher privileges) and the rest with a less-privileged user.

In my experimentation so far I have created 2 different sqitch projects to run as the privileged and less-privileged users, respectively. I have not explicitly set the registry option for either project so they are both using the default schema (one of the privileged changes gives access to the sqitch schema and tables to the less-privileged user), which means both sets of changes are in the same changes table. The sqitch log command shows them all but does not show the project name and it's possible to create changes with the same name in both projects. So there is room for confusion with this particular setup.

With that background, my question is simply how are others dealing with this situation? Any best practices for this? Am I completely missing something in the manual?

Thanks.

[theory]

Hi @rossocampbell, and welcome! I think the way you're approaching the problem is exactly right. It's how I'd try to do it, at any rate. As to the log output, the log command supports multiple formats, the default being "medium":

<event type> <change id>
Name:      <change name>
Committer: <committer>
Date:      <commit date>

<full change note>

You can specify a different format to see the project name and other details. The "full" format is probably the one you want:

<event type> <change id> <tags>
Name:      <change name>
Project:   <change name>
Planner:   <planner>
Committer: <committer>

<full change note>

To use it, run sqitch log --format full. If you want it to be the default, add it to your sqitch.conf files like so:

sqitch config log.format full

You can also create your own format by passing or setting format:<string>, where <string> is the format. If you wanted to make your own format from the default, copy this and modify it to your liking using the formatting codes at the end of the log docs:

sqitch/lib/App/Sqitch/Command/log.pm

Lines 57 to 62 in 9074a94

	%{:event}C%L %h%{reset}C
	%{name}_ %n
	%{committer}_ %c
	%{date}_ %{date}c
	%{ }B

HTH!

David

[rossocampbell]

Thanks, David. That config command to default to full format for logs seemed like the way to go for this.

--
Ross