Running Canton Participant without the database user having elevated permissions

Is it possible to run a Canton participant such that the DB user doesn’t have permission to alter the schema?

In the PostgreSQL v1 driver a feature was implemented to start the driver in “admin setup mode”. It would use a db user with elevated permission to create the schema (or migrate it if it’s a version upgrade) and close after finishing.
Then you would start the driver in normal operation mode with a DB user without elevated permission.

Is something similar available for a Canton Participant?

The background of the question is that OpSec prohibits an application to run using a DB user with permissions to manipulate the Schema.


Hey @Darko,

It should actually be possible if you follow these steps:

  • configure your participant storage with your administrative user, then start up the process with the manual start flag specified on the command line so the participant won’t actually run (I think just --manual-start). Then run the migrate console command that will create the schema in the database.
  • reconfigure the participant with your application user without create table permissions and then just start the node normally.

David.

Hi @david_padbury,

Thanks a lot. That sounds like precisely the thing we need.

Given that all of this would be run by deployment scripts, I would assume that we would have two different config files that would be leveraged depending on the mode.
I’m assuming that you can script everything in the first bullet point (including the shutdown of the process after a successful migration)?
Can you also make the process shut down with a non-zero return code if the migration fails?

Finally, I’m assuming that the db.migrate command would also work for initialization of the db, right?

Thanks again!

Yes, you could create two separate configuration files. Rather than duplicate everything you could have one main config file with the normal user then create a separate “admin config” that just starts with include required(file('participant.conf')) but then overrides the storage username and password alone.

To actually run the initial migration I think you can just create a bootstrap script containing just participant1.db.migrate and then start canton with canton --config admin.conf run migration your-migration-bootstrap.canton. This will just run the command then exit, or fail with a non-zero exit code if something goes wrong.

For initialization of the db? Yeah, db.migrate will create the tables and other bits in your database. But you’ll have to first create the initial empty db and users for it to run.
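The two-phase deployment described in this thread, written out as a shell script. This is an added example, not Canton's own tooling or a script from the thread. It assumes participant.conf already defines participant1 with postgres storage and keeps its DB credentials under canton.participants.participant1.storage.config.properties, that a canton binary is on PATH (override with CANTON_BIN), and that your Canton version accepts the `run <script> --config` and `daemon --config` subcommand forms (the post above spells the run invocation slightly differently).

```shell
#!/bin/sh
# Two-phase Canton participant start: schema migration as the admin DB user,
# then normal operation as a least-privilege application user.
# Added example, not Canton's own tooling. Assumptions: participant.conf already
# defines participant1 with postgres storage, its DB credentials sit under
# canton.participants.participant1.storage.config.properties, and `canton` is
# on PATH (override with CANTON_BIN, e.g. for a dry run).
set -eu

CANTON_BIN="${CANTON_BIN:-canton}"

# Admin config: include the normal config, override only the DB credentials.
# HOCON resolves ${?VAR} from the environment when the key is not in the
# config, so the admin password is never written into a file on disk.
write_admin_conf() {
  cat > "$1" <<'EOF'
include required(file("participant.conf"))
canton.participants.participant1.storage.config.properties {
  user = ${?CANTON_DB_ADMIN_USER}
  password = ${?CANTON_DB_ADMIN_PASSWORD}
}
EOF
}

# Bootstrap script from the post above: run the migration and nothing else.
write_bootstrap() {
  cat > "$1" <<'EOF'
participant1.db.migrate
EOF
}

# Phase 1 runs the bootstrap script under admin.conf and exits; phase 2 only
# happens if phase 1 exited 0, so a failed migration never starts the node.
migrate_then_start() {
  workdir="$1"
  write_admin_conf "$workdir/admin.conf"
  write_bootstrap "$workdir/migrate.canton"
  if ! (cd "$workdir" && "$CANTON_BIN" run migrate.canton --config admin.conf); then
    echo "schema migration failed; refusing to start participant" >&2
    return 1
  fi
  # Normal start: participant.conf holds the application user, which has no
  # permission to alter the schema.
  (cd "$workdir" && "$CANTON_BIN" daemon --config participant.conf)
}
```

Run it as `migrate_then_start /path/to/deploy` with CANTON_DB_ADMIN_USER and CANTON_DB_ADMIN_PASSWORD exported for the migration phase only.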