docs(lore-0063): decide DDL identity (Option 1) + author provisioning runbook#47
Merged
Merged
Conversation
… runbook
Option 1: loopback `default` admin applies all DDL; runtime certs
(prices_writer/prices_reader) carry no DDL (write_no_ddl/read_only,
grants on prices.* only). A leaked ingestion cert can't DROP TABLE
prices.* or touch default.*. Matches BE (removed remote-DDL users in
BE 0241) and keeps the 0051 loopback descope.
Author notes/G-provisioning-plan.md: ready-to-execute runbook with
drafted BE-PR XML (services + dedicated quotas), CN-map env append,
CREATE DATABASE one-shot, cert -> single {cert,key,ca} bundle secret
(aligned to 0052, reconciling the old two-secret assumption),
verification, and a gated-action inventory. Authoring only; no
Hetzner/AWS/BE-repo action.
…n item
Fold the salvageable findings from the (stale) feat/0063 branch into the
live Option-1 runbook:
- Clarify there is one Hetzner CH box (production `ch-prod-01`); the
`{env}` placeholder is the AWS-side client stage, not a second box.
Flag the implication that per-env certs would share one prices DB.
- Add open item to verify that inline user-XML `<grants>` blocks are
applied by the running CH version (BE's live services.xml uses none);
fall back to init.sql GRANTs under loopback admin if not.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Locks the DDL-apply identity for the prices tenant to Option 1 and authors the ready-to-execute provisioning runbook. Task-doc only — no Hetzner / AWS / BE-repo action taken.
Option 1 (decided)
DDL is the box
defaultadmin over loopback; the always-on runtime certs carry no DDL:defaultadminprices_writer(CNprices-ingestion-{env})SELECT, INSERT, OPTIMIZE ON prices.*prices_reader(CNprices-api-{env})SELECT ON prices.*Chosen over the G-note's scoped-DDL writer (Option 2) and the hybrid migrator cert (Option 3). A leaked ingestion cert can't
DROP TABLE prices.*or touchdefault.*. Matches BE (they removed remote-DDL users in BE 0241) and keeps the 0051 loopback descope intact.Changes
notes/G-provisioning-plan.md(new): runbook — drafted BE-PR XML (services.xmlusers + dedicatedprices_write/prices_readquotas; no new profile), CN-map env append,CREATE DATABASEone-shot, schema apply (loopback, → 0051), cert issuance → single{cert,key,ca}bundle secret (aligned to 0052), verification, and a 7-row gated-action inventory.CREATE TABLEnow denied); Design Decisions → Emerged added; two acceptance criteria ticked.Flagged for follow-up (in the runbook)
prices.*as re-derivable (not in BE's snapshot)Gated — needs your explicit approval before running
clickhouse-clienton the box, the BE-repo PR,CREATE DATABASE,ansible-playbook,issue-client-cert.sh,aws secretsmanager put. None done here.