RHINENG-21214: hotfix manager privileges

Dugowitch · Dugowitch · commit 3acd2572bae2 · 2026-02-10T12:14:01.000+01:00
diff --git a/database_admin/migrations/145_update_manager_privileges.down.sql b/database_admin/migrations/145_update_manager_privileges.down.sql
@@ -0,0 +1,14 @@
+REVOKE UPDATE ON system_inventory FROM manager;
+GRANT UPDATE ON system_inventory (stale) TO manager;
+
+REVOKE UPDATE ON system_patch FROM manager;
+GRANT UPDATE ON system_patch (
+    installable_advisory_count_cache,
+    installable_advisory_enh_count_cache,
+    installable_advisory_bug_count_cache,
+    installable_advisory_sec_count_cache,
+    applicable_advisory_count_cache,
+    applicable_advisory_enh_count_cache,
+    applicable_advisory_bug_count_cache,
+    applicable_advisory_sec_count_cache,
+    template_id) TO manager;
diff --git a/database_admin/migrations/145_update_manager_privileges.up.sql b/database_admin/migrations/145_update_manager_privileges.up.sql
@@ -0,0 +1,2 @@
+GRANT UPDATE ON system_inventory TO manager;
+GRANT UPDATE ON system_patch TO manager;
diff --git a/database_admin/schema/create_schema.sql b/database_admin/schema/create_schema.sql
@@ -7,7 +7,7 @@ CREATE TABLE IF NOT EXISTS schema_migrations
 
 
 INSERT INTO schema_migrations
-VALUES (144, false);
+VALUES (145, false);
 
 -- ---------------------------------------------------------------------------
 -- Functions
@@ -698,6 +698,7 @@ SELECT create_table_partitions('system_inventory', 16,
 GRANT SELECT, INSERT, UPDATE ON system_inventory TO listener;
 GRANT SELECT, UPDATE, DELETE ON system_inventory TO vmaas_sync; -- vmaas_sync performs system culling
 GRANT SELECT, UPDATE (stale) ON system_inventory TO manager; -- manager needs to be able to update opt_out column
+GRANT SELECT, UPDATE ON system_inventory TO manager; -- manager needs to be able to update opt_out column
 GRANT SELECT, UPDATE ON system_inventory TO evaluator;
 
 SELECT create_table_partition_triggers('system_inventory_set_last_updated',
@@ -1063,6 +1064,7 @@ GRANT SELECT, UPDATE (installable_advisory_count_cache,
               applicable_advisory_bug_count_cache,
               applicable_advisory_sec_count_cache,
               template_id) ON system_patch TO manager;
+GRANT SELECT, UPDATE ON system_patch TO manager;
 GRANT SELECT, UPDATE, DELETE ON system_patch to vmaas_sync; -- vmaas_sync performs system culling
 
 -- system_platform
diff --git a/manager/controllers/template_systems_update.go b/manager/controllers/template_systems_update.go
@@ -139,6 +139,9 @@ func assignTemplateSystems(c *gin.Context, db *gorm.DB, accountID int, template
 		templateID = &template.ID
 	}
 
+	// TODO: once SystemPlatform model is removed, revoke unnecessary manager privileges to system_inventory and
+	// system_patch tables. They were granted in migration 145 as a temporary fix to solve system_platform view instead
+	// of update trigger issues. Hint: have a look at 145_update_manager_privileges.down.sql
 	tx = tx.Model(models.SystemPlatform{}).
 		Where("rh_account_id = ? AND inventory_id IN (?::uuid)",
 			accountID, inventoryIDs).

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+GRANT UPDATE ON system_inventory TO manager;`
	`2`	`+GRANT UPDATE ON system_patch TO manager;`
Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,9 @@ func assignTemplateSystems(c gin.Context, db gorm.DB, accountID int, template`
`139`	`139`	`templateID = &template.ID`
`140`	`140`	`}`
`141`	`141`
	`142`	`+ // TODO: once SystemPlatform model is removed, revoke unnecessary manager privileges to system_inventory and`
	`143`	`+ // system_patch tables. They were granted in migration 145 as a temporary fix to solve system_platform view instead`
	`144`	`+ // of update trigger issues. Hint: have a look at 145_update_manager_privileges.down.sql`
`142`	`145`	`tx = tx.Model(models.SystemPlatform{}).`
`143`	`146`	`Where("rh_account_id = ? AND inventory_id IN (?::uuid)",`
`144`	`147`	`accountID, inventoryIDs).`