Different user for Liquibase and application

Hi JMIX Team,

Our application should access the database with a user that can only manipulate data and another user should be used as schema owner to run Liquibase with more authorizations. This approach reduces security risks in case of breach. Therefore, we need to have 2 different users, one for Liquibase and one for our JMIX V2 application.

We looked at your documentation Springboot and we tried to connect to our Oracle database as mentioned.

main.datasource.url=jdbc:oracle:thin:@//localhost:1521/xe
main.datasource.username=usersl
main.datasource.password=usersl
main.liquibase.url = jdbc:oracle:thin:@//localhost:1521/xe
main.liquibase.username = userowner
main.liquibase.password = userowner
main.liquibase.default-schema = userowner

Unfortunately, this approach did not work, as the application is still using the datasource user.

Searching deeply about this topic, we found an older related topic - Separate DataSource for running Liquibase in Jmix application - but this option did not work either. We assumed this was for JMIX v.1.x.

Do you have any other idea how to do it?

Thank you

Luis Garcia

Hello,

I may have an idea, how about using spring profiles?
https://docs.jmix.io/jmix/studio/profile-specific-properties.html

Make one profile with an admin level access rights, that you can run when updating the database structure, and another for normal usage.
Be sure to test this, because Jmix usually expects full access rights to its database.

Kind regards,
Mladen

Hi Mladen,

This option seems to work. Thanks for the hint! It is not perfect because we need to make the deployment twice, but at least it is a workaround.

If this requirement is requested by other customers, it would be good if the team can have a look at this topic and make it possible to run Liquibase and the application with 2 users in the same deployment.

Thank you and best regards.

Luis

The SpringLiquibase bean configuration has slightly changed in Jmix 2.x, so this code should work now:

application.properties

myliquibase.datasource.jdbcUrl = jdbc:postgresql://localhost/somedb
myliquibase.datasource.username = someuser
myliquibase.datasource.password = somepassword

MainApplication.java

@Bean
@ConfigurationProperties("myliquibase.datasource")
public DataSource liquibaseDataSource() {
    return DataSourceBuilder.create().build();
}

@Bean(name = "jmix_Liquibase")
public SpringLiquibase liquibase(@Qualifier("liquibaseDataSource") DataSource dataSource,
                                 @Qualifier("jmix_LiquibaseProperties") LiquibaseProperties properties) {
    return JmixLiquibaseCreator.create(dataSource, properties);
}

Note that this affects only the runtime execution of the Liquibase changelogs by the application. Studio will continue using the main datasource configuration.

Regards,
Konstantin

Hi Konstantin,

This works perfectly and makes our deployments lean and straightforward. Thanks for the information.

Best Regards.
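
The two-account split discussed in this thread only reduces risk if the accounts really differ in privilege on the database side. The following is an added example, not code from any poster or from Jmix, of an Oracle setup for the `userowner` and `usersl` accounts named in the first post. The `users` tablespace, the `app_dml` role, the trigger name and the passwords are assumed placeholders, and it assumes the application issues unqualified table names.

```sql
-- Added example; run as a DBA. Tablespace, role, trigger name and passwords
-- are assumed placeholders, not values from the thread.

-- Schema owner: used only by Liquibase, holds the DDL rights.
-- Add further CREATE privileges only if the changelogs need them.
CREATE USER userowner IDENTIFIED BY "CHANGE_ME_OWNER"
  DEFAULT TABLESPACE users QUOTA UNLIMITED ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE, CREATE VIEW TO userowner;

-- Runtime account: can log in, owns nothing, has no quota and no DDL rights.
CREATE USER usersl IDENTIFIED BY "CHANGE_ME_APP";
GRANT CREATE SESSION TO usersl;

-- Object privileges go through one role so they can be audited and revoked together.
CREATE ROLE app_dml;
GRANT app_dml TO usersl;

-- DML on the owner's tables, SELECT on its sequences. Liquibase's tracking
-- tables are skipped so the runtime account cannot rewrite migration history.
-- Re-run after every migration that adds tables or sequences.
BEGIN
  FOR t IN (SELECT table_name FROM dba_tables
             WHERE owner = 'USEROWNER'
               AND table_name NOT IN ('DATABASECHANGELOG', 'DATABASECHANGELOGLOCK')) LOOP
    EXECUTE IMMEDIATE 'GRANT SELECT, INSERT, UPDATE, DELETE ON userowner."'
                      || t.table_name || '" TO app_dml';
  END LOOP;
  FOR s IN (SELECT sequence_name FROM dba_sequences
             WHERE sequence_owner = 'USEROWNER') LOOP
    EXECUTE IMMEDIATE 'GRANT SELECT ON userowner."' || s.sequence_name || '" TO app_dml';
  END LOOP;
END;
/

-- Make unqualified table names resolve to the owner's schema for usersl sessions.
CREATE OR REPLACE TRIGGER usersl_set_schema
  AFTER LOGON ON usersl.SCHEMA
BEGIN
  EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA = userowner';
END;
/

-- Checks, run while connected as usersl. Any row returned means the runtime
-- account holds more than login plus table/sequence DML.
SELECT privilege FROM session_privs WHERE privilege <> 'CREATE SESSION';
SELECT owner, table_name, privilege FROM role_tab_privs
 WHERE role = 'APP_DML'
   AND privilege NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE');
```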