[GPRD] Grant SELECT privileges into the ALL Gitlab relations/tables for the Trust and Safety DB user

Production Change

Change Summary

Trust and Safety team request additional privileges to read ALL tables in the gitlab database, as requested by https://gitlab.com/gitlab-com/gl-security/security-change-management/-/issues/9#note_1419882804

For the Trust and Safety team to effectively mitigate future/emerging threats which may take place across previously unused vectors within GitLab.com, it’s important to ensure that we are able to write new rules that can access the necessary data from all tables, including ones we may not have used before.

The Security Change Approval Board (CAB) have approved this request, see comment: https://gitlab.com/gitlab-com/gl-security/security-change-management/-/issues/9#note_1506683628

The Read-only privileges for Trust and Safety team will follow the same granted through our teleport RO (read-only) console database user

Original permissions for the trust-and-safety read-only database user were defined through the trust_safety_omamori_gprd_ro_role (see CR https://gitlab.com/gitlab-com/gl-infra/production/-/issues/14555

Change Details

  1. Services Impacted - ServicePatroni
  2. Change Technician - @rhenchen.gitlab
  3. Change Reviewer -
  4. Time tracking - 15 minutes minutes
  5. Downtime Component - none

Detailed steps for the change

Change Steps - steps to take to execute the change

Estimated Time to Complete (mins) - 15 minutes

  • Set label changein-progress /label ~change::in-progress

  • Identify gprd patroni Main cluster leader node and perform change on a Leader node.

    ssh patroni-main-2004-101-db-gprd.c.gitlab-production.internal "sudo gitlab-patronictl list"

  • Grant Role permissions

    gitlab-psql \
    -Xc "GRANT SELECT ON ALL TABLES IN SCHEMA public TO trust_safety_omamori_gprd_ro_role"

  • Grant DEFAULT privileges to the trust_safety_omamori_gprd_ro_role role over new tables

    gitlab-psql \
    -Xc "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO trust_safety_omamori_gprd_ro_role" \
    -Xc "ALTER DEFAULT PRIVILEGES FOR ROLE gitlab IN SCHEMA public GRANT SELECT ON TABLES TO trust_safety_omamori_gprd_ro_role"

  • Set label changecomplete /label ~change::complete

Rollback

Rollback steps - steps to be taken in the event of a need to rollback this change

Estimated Time to Complete (mins) - 5 minutes

  • Identify gprd patroni Main cluster leader node and perform change on a Leader node. 
    ssh patroni-main-2004-101-db-gprd.c.gitlab-production.internal "sudo gitlab-patronictl list"
  • Revert to origninal trust_safety_omamori_gprd_ro_role Role privileges 
    gitlab-psql \
    -Xc "ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE SELECT ON TABLES FROM trust_safety_omamori_gprd_ro_role" \
    -Xc "ALTER DEFAULT PRIVILEGES FOR ROLE gitlab IN SCHEMA public REVOKE SELECT ON TABLES FROM trust_safety_omamori_gprd_ro_role" \
    -Xc "REVOKE ALL PRIVILEGES ON DATABASE gitlabhq_production FROM trust_safety_omamori_gprd_ro_role"
    -Xc "GRANT SELECT ON users, user_details, namespaces, projects, snippets TO trust_safety_omamori_gprd_ro_role" \
  • Set label changeaborted /label ~change::aborted

Monitoring

Key metrics to observe

Change Reviewer checklist

C4 C3 C2 C1:

  • Check if the following applies:
    • The scheduled day and time of execution of the change is appropriate.
    • The change plan is technically accurate.
    • The change plan includes estimated timing values based on previous testing.
    • The change plan includes a viable rollback plan.
    • The specified metrics/monitoring dashboards provide sufficient visibility for the change.

C2 C1:

  • Check if the following applies:
    • The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
    • The change plan includes success measures for all steps/milestones during the execution.
    • The change adequately minimizes risk within the environment/service.
    • The performance implications of executing the change are well-understood and documented.
    • The specified metrics/monitoring dashboards provide sufficient visibility for the change.
      • If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
    • The change has a primary and secondary SRE with knowledge of the details available during the change window.
    • The labels blocks deployments and/or blocks feature-flags are applied as necessary

Change Technician checklist

  • Check if all items below are complete:
    • The change plan is technically accurate.
    • This Change Issue is linked to the appropriate Issue and/or Epic
    • Change has been tested in staging and results noted in a comment on this issue.
    • A dry-run has been conducted and results noted in a comment on this issue.
    • The change execution window respects the Production Change Lock periods.
    • For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
    • For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention @sre-oncall and this issue and await their acknowledgement.)
    • For C1 and C2 change issues, the SRE on-call provided approval with the eoc_approved label on the issue.
    • For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue.
    • Release managers have been informed (If needed! Cases include DB change) prior to change being rolled out. (In #production channel, mention @release-managers and this issue and await their acknowledgment.)
    • There are currently no active incidents that are severity1 or severity2
    • If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.
Edited by Rafael Henchen