46.2.1
by Zygmunt Krynicki
Add deployment instructions |
Deployment instructions
=======================

Currently deployment is supported on Ubuntu Lucid/Maverick with sqlite and
apache. Using other databases is likely to work but it was not tested for this
release.

Dashboard Requirements (debian package names, see setup.py meta-data for details and versions):
* python-django
* python-django-openid-auth
* python-docutils
* python-linaro-json
* python-linaro-dashboard-bundle
* python-django-pagination

For testing/packaging also install:
* python-django-testscenarios

Installation
============

See INSTALL

Reporting Bugs
==============

All bugs should be reported to the launchpad project at
https://bugs.launchpad.net/launch-control/+filebug

Known Issues
============

1. Django 1.1 present on Ubuntu 10.04.1 LTS and possibly other installations
   suffers from a bug that prevents tests for django.contrib.auth from working
   correctly. This issue has been reported and is tracked inside Launchpad:
   https://bugs.edge.launchpad.net/ubuntu/+source/python-django/+bug/650473

Securing data views
===================

Data views are essentially arbitrary SQL queries performed by the database
engine that are exposed to untrusted users. In all but extremely simple cases
data views should be sand-boxed at database level to prevent data leaks or data
loss.

Sand-boxing prevents the user invoking the query (as understood by the database
engine) from altering the data and constrains the tables and columns the user
can reference.

Currently this feature is only available when using the PostgreSQL backend. To
enable it, run the following set of queries as the database administrator.

We first have to create a role (user) that will be used for dataview queries.
The name of that user is derived from the name of the user owning the primary
connection suffixed with "_dataview". Here, since we are using default
deployment, the user is called "launchcontrol_dataview".

The user must have the same password as the primary user. You can reference
/etc/launch-control/default_database.conf for the value you are using.

    launchcontrol=# CREATE ROLE launchcontrol_dataview WITH LOGIN PASSWORD '{password}';

By default this new role has no permissions to do anything. We must explicitly
grant each right. We'll allow selecting data from two tables outside of the
dashboard. Content types are a part of Django implementation details and do
not contain any private data. The user table will allow queries to resolve user
primary key to a username.

    launchcontrol=# GRANT SELECT (username, id) ON TABLE auth_user TO launchcontrol_dataview;
    launchcontrol=# GRANT SELECT ON TABLE django_content_type TO launchcontrol_dataview;

This step is larger: we explicitly allow selecting data from all the dashboard
tables:

    launchcontrol=# GRANT SELECT ON TABLE
        dashboard_app_bundle,
        dashboard_app_bundlestream,
        dashboard_app_hardwaredevice,
        dashboard_app_namedattribute,
        dashboard_app_softwarepackage,
        dashboard_app_softwaresource,
        dashboard_app_test,
        dashboard_app_testcase,
        dashboard_app_testresult,
        dashboard_app_testrun,
        dashboard_app_testrun_devices,
        dashboard_app_testrun_packages,
        dashboard_app_testrun_sources
    TO launchcontrol_dataview;

Finally we need to create or edit a small configuration file to make the
dashboard use the constrained role. Since we are using django-debian, many
configuration variables traditionally configured via 'settings.py' can be
defined in /etc/launch-control/settings.conf. By default that file is not
created. You should create it and place the following text inside:

    {
        "use_dataview_database": true
    }

That's it. Now restart the application and check that your data views still
work.
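
To confirm the sandbox is as tight as the grants above intend, the following
audit can be run as the database administrator. It is an added example, not
part of the original README or of the project. It assumes the tables live in
the default "public" schema and that auth_user has Django's usual "password"
column.

```sql
-- Added verification example (not from the project). Run as the database
-- administrator in the launchcontrol database after the GRANTs above.
-- Assumption: all tables are in the default "public" schema.

-- 1. Every table in the schema: the dataview role must never have write
--    access, and read access only to the tables granted above.
SELECT c.relname AS table_name,
       has_table_privilege('launchcontrol_dataview', c.oid, 'SELECT')
           AS can_select_all_columns,
       has_any_column_privilege('launchcontrol_dataview', c.oid, 'SELECT')
           AS can_select_some_column,
       has_table_privilege('launchcontrol_dataview', c.oid,
                           'INSERT, UPDATE, DELETE, TRUNCATE')
           AS can_write                      -- expected: f on every row
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public' AND c.relkind = 'r'
ORDER BY c.relname;

-- 2. Column-level view of auth_user: only id and username should be t,
--    so password hashes and e-mail addresses stay unreadable.
SELECT a.attname AS column_name,
       has_column_privilege('launchcontrol_dataview', 'auth_user',
                            a.attname::text, 'SELECT') AS can_select
FROM pg_attribute a
WHERE a.attrelid = 'auth_user'::regclass
  AND a.attnum > 0 AND NOT a.attisdropped
ORDER BY a.attnum;

-- 3. Privileges inherited from PUBLIC are easy to miss: before PostgreSQL 15
--    every role may create objects in schema "public" by default.
SELECT has_schema_privilege('launchcontrol_dataview', 'public', 'CREATE')
           AS can_create_in_public;

-- 4. Live check under the role itself; the transaction is rolled back and
--    nothing is modified.
BEGIN;
SET LOCAL ROLE launchcontrol_dataview;
SELECT id, username FROM auth_user LIMIT 1;   -- allowed
SELECT password FROM auth_user LIMIT 1;       -- expected: permission denied
ROLLBACK;
```

Any row with can_write = t, or any auth_user column other than id and
username with can_select = t, means a grant wider than the ones listed above
exists, either directly or through PUBLIC.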