stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity

doctor: complete runtime check documentation sprint

Browse Source 
Signed-off-by: master <>
This commit is contained in:
master
2026-03-31 23:26:24 +03:00
parent 404d50bcb7
commit 152c1b1357
54 changed files with 2210 additions and 258 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
docs/doctor/articles/postgres/db-permissions.md Normal file
View File

@@ -0,0 +1,51 @@
---
checkId: check.db.permissions
plugin: stellaops.doctor.database
severity: fail
tags: [database, postgres, permissions, security]
---
# Database Permissions
## What It Checks
Inspects the current PostgreSQL user, whether it is a superuser, whether it can create databases or roles, and whether it has access to application schemas.
The check warns when the app runs as a superuser and fails when the user cannot use the `public` schema.
## Why It Matters
Over-privileged accounts increase blast radius. Under-privileged accounts break startup migrations and normal CRUD paths.
## Common Causes
- The connection string still uses `postgres` or another admin account
- Grants were not applied after creating a dedicated service account
- Restrictive schema privileges were added manually
## How to Fix
### Docker Compose
```bash
docker compose -f devops/compose/docker-compose.stella-ops.yml exec postgres psql -U postgres -d stellaops -c "CREATE USER stellaops WITH PASSWORD '<strong-password>';"
docker compose -f devops/compose/docker-compose.stella-ops.yml exec postgres psql -U postgres -d stellaops -c "GRANT CONNECT ON DATABASE stellaops TO stellaops;"
docker compose -f devops/compose/docker-compose.stella-ops.yml exec postgres psql -U postgres -d stellaops -c "GRANT USAGE ON SCHEMA public TO stellaops;"
docker compose -f devops/compose/docker-compose.stella-ops.yml exec postgres psql -U postgres -d stellaops -c "GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO stellaops;"
```
Update `ConnectionStrings__DefaultConnection` after the grants are in place.
### Bare Metal / systemd
```bash
psql -h <db-host> -U postgres -d <db-name> -c "ALTER ROLE <app-user> NOSUPERUSER NOCREATEDB NOCREATEROLE;"
```
### Kubernetes / Helm
```bash
kubectl exec -n <namespace> <postgres-pod> -- psql -U postgres -d <db-name> -c "\du"
```
## Verification
```bash
stella doctor --check check.db.permissions
```
## Related Checks
- `check.db.migrations.failed` - missing privileges frequently break migrations
- `check.db.connection` - credentials and grants must both be correct