Make 'admin' the default role instead of 'edgedb' (#8010)

But if 'edgedb' does not exist and it is specified at login, treat it as 'admin'.
geldata · Nov 26, 2024 · 3385a6a · 3385a6a
1 parent 89ef865
commit 3385a6a
Show file tree

Hide file tree

Showing 9 changed files with 22 additions and 9 deletions.
diff --git a/edb/buildmeta.py b/edb/buildmeta.py
@@ -60,7 +60,7 @@
 # The merge conflict there is a nice reminder that you probably need
 # to write a patch in edb/pgsql/patches.py, and then you should preserve
 # the old value.
-EDGEDB_CATALOG_VERSION = 2024_11_15_00_00
+EDGEDB_CATALOG_VERSION = 2024_11_22_00_00
 EDGEDB_MAJOR_VERSION = 6
 
 

diff --git a/edb/schema/defines.py b/edb/schema/defines.py
@@ -30,7 +30,8 @@
 # Maximum number of arguments supported by SQL functions.
 MAX_FUNC_ARG_COUNT = 100
 
-EDGEDB_SUPERUSER = 'edgedb'
+EDGEDB_SUPERUSER = 'admin'
+EDGEDB_OLD_SUPERUSER = 'edgedb'
 EDGEDB_TEMPLATE_DB = '__edgedbtpl__'
 EDGEDB_SYSTEM_DB = '__edgedbsys__'
 

diff --git a/edb/server/defines.py b/edb/server/defines.py
@@ -32,6 +32,7 @@
 EDGEDB_REMOTE_COMPILER_PORT = 5660
 EDGEDB_SUPERGROUP = 'edgedb_supergroup'
 EDGEDB_SUPERUSER = s_def.EDGEDB_SUPERUSER
+EDGEDB_OLD_SUPERUSER = s_def.EDGEDB_OLD_SUPERUSER
 EDGEDB_TEMPLATE_DB = s_def.EDGEDB_TEMPLATE_DB
 EDGEDB_OLD_DEFAULT_DB = 'edgedb'
 EDGEDB_SUPERUSER_DB = 'main'

diff --git a/edb/server/protocol/binary.pyx b/edb/server/protocol/binary.pyx
@@ -276,6 +276,7 @@ cdef class EdgeConnection(frontend.FrontendConnection):
                 f'missing required connection parameter in ClientHandshake '
                 f'message: "user"'
             )
+        user = self.tenant.resolve_user_name(user)
 
         database = params.get('database')
         branch = params.get('branch')

diff --git a/edb/server/protocol/protocol.pyx b/edb/server/protocol/protocol.pyx
@@ -895,6 +895,7 @@ cdef class HttpProtocol:
                 request.authorization)
             username, opt_password = auth_helpers.extract_http_user(
                 scheme, auth_payload, request.params)
+            username = self.tenant.resolve_user_name(username)
 
             # Fetch the configured auth methods
             authmethods = await self.tenant.get_auth_methods(

diff --git a/edb/server/tenant.py b/edb/server/tenant.py
@@ -1393,6 +1393,15 @@ def resolve_branch_name(
             assert database is not None
             return database
 
+    def resolve_user_name(self, user: str) -> str:
+        if (
+            user == defines.EDGEDB_OLD_SUPERUSER
+            and user not in self.get_roles()
+        ):
+            return defines.EDGEDB_SUPERUSER
+        else:
+            return user
+
     async def get_auth_methods(
         self,
         user: str,

diff --git a/edb/testbase/server.py b/edb/testbase/server.py
@@ -2422,7 +2422,7 @@ async def __aenter__(self):
         else:
             password = secrets.token_urlsafe()
             bootstrap_command = f"""\
-                ALTER ROLE edgedb {{
+                ALTER ROLE admin {{
                     SET password := '{password}';
                 }};
                 """

diff --git a/tests/test_server_auth.py b/tests/test_server_auth.py
@@ -459,7 +459,7 @@ async def test_server_auth_jwt_1(self):
 
             good_keys = [
                 [],
-                [("roles", ["edgedb"])],
+                [("roles", ["admin"])],
                 [("databases", ["main"])],
                 [("instances", ["localtest"])],
             ]
@@ -479,7 +479,7 @@ async def test_server_auth_jwt_1(self):
             bad_keys = {
                 (("roles", ("bad-role",)),):
                     'secret key does not authorize access '
-                    + 'in role "edgedb"',
+                    + 'in role "admin"',
                 (("databases", ("bad-database",)),):
                     'secret key does not authorize access '
                     + 'to database "main"',

diff --git a/tests/test_server_ops.py b/tests/test_server_ops.py
@@ -400,7 +400,7 @@ async def test_server_only_bootstraps_once(self):
             async with tb.start_edgedb_server(
                 data_dir=temp_dir,
                 default_auth_method=args.ServerAuthMethod.Scram,
-                bootstrap_command='ALTER ROLE edgedb SET password := "first";'
+                bootstrap_command='ALTER ROLE admin SET password := "first";'
             ) as sd:
                 con = await sd.connect(password='first')
                 try:
@@ -412,7 +412,7 @@ async def test_server_only_bootstraps_once(self):
             async with tb.start_edgedb_server(
                 data_dir=temp_dir,
                 default_auth_method=args.ServerAuthMethod.Scram,
-                bootstrap_command='ALTER ROLE edgedb SET password := "second";'
+                bootstrap_command='ALTER ROLE admin SET password := "second";'
             ) as sd:
                 con = await sd.connect(password='first')
                 try:
@@ -509,7 +509,7 @@ async def test(pgdata_path, tenant):
                     databases = await con.query('SELECT sys::Branch.name')
                     self.assertEqual(set(databases), {'main', tenant})
                     roles = await con.query('SELECT sys::Role.name')
-                    self.assertEqual(set(roles), {'edgedb', tenant})
+                    self.assertEqual(set(roles), {'admin', tenant})
                 finally:
                     await con.aclose()
 
@@ -544,7 +544,7 @@ async def test(pgdata_path, tenant):
                     databases = await con.query('SELECT sys::Branch.name')
                     self.assertEqual(set(databases), {'main', tenant})
                     roles = await con.query('SELECT sys::Role.name')
-                    self.assertEqual(set(roles), {'edgedb', tenant})
+                    self.assertEqual(set(roles), {'admin', tenant})
                 finally:
                     await con.aclose()