v9.2.1 migrate firewall tables to firewall schema (#4793, DB layer)#4796
Draft
tpurschke wants to merge 16 commits into
Conversation
Move the 22 firewall tables from public to a new firewall schema and rename 9 of them (object->nw_object, service->nw_service, etc.) per issue CactuseSecurity#4793. Creation now lives in fworch-create-tables-firewall.sql, which also adds firewall to the database search_path so unqualified references to the 13 non-renamed tables keep resolving. FK, constraint and index references to the renamed tables are updated; triggers need no change. WIP: idempotent functions/views, Hasura metadata, GraphQL, C# and Python layers still pending. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Complete the database layer of issue CactuseSecurity#4793:
- update materialized views, idempotent functions/views (api-funcs, views-changes) and maintenance scripts to the renamed firewall tables, aliasing renamed tables back to their old name where queries use the table name as a column qualifier
- add upgrade 9.1.9.sql: idempotent SET SCHEMA + RENAME for existing installs (OID-based FKs/sequences move with the tables) plus the firewall search_path
- bump product_version to 9.1.9 and add a revision-history entry
Historical upgrade scripts are intentionally left referencing the old public names: they run before the 9.1.9 cutover, when the tables still live in public. Hasura metadata, GraphQL, C# and Python layers are deferred to a live-stack workflow as agreed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…-orchestrator into feat/firewall-schema-4793
The request.reqtask/reqelement/impltask/implelement foreign keys reference object/service/usr without quotes, which the earlier quoted-identifier replacement missed, so a new install failed in fworch-create-foreign-keys.sql with 'relation "service" does not exist'. Point them at firewall.nw_object/nw_service/nw_user. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Move the 22 firewall tables to the firewall schema in replace_metadata.json (132 table references). FK-based relationships resolve via the moved constraints; relationship names are unchanged, so only the auto-generated root field names gain the firewall_ prefix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Hasura prefixes root fields with the schema name, so moving the tables to the firewall schema renames the GraphQL root fields/types (rule -> firewall_rule, object -> firewall_nw_object, ...).
- GraphQL (.graphql): rename root query/mutation fields and generated type names to firewall_*; nested relationship field names are unchanged (relationship names were preserved in the metadata), so fragments and nested selections keep working.
- Importer (Python): update inline GraphQL strings, dynamically built mutation/response keys (RefType enum values, group prefix vs the public _flat tables) and response-root-key access to firewall_*.
C# needs no changes: the API client extracts the single root field positionally (data.First) and relationship-name JSON bindings are unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…-orchestrator into feat/firewall-schema-4793
Issue
Implements #4793 — moving the firewall configuration tables out of the `public` schema into a new `firewall` schema (renaming 9 of them) and propagating the rename through the database, Hasura metadata, GraphQL calls and the Python importer.

Scope
This PR now covers the DB, Hasura metadata, GraphQL and Python importer layers. Only the C# layer is deferred (see "Deferred" below). The end-to-end stack still needs an installer/integration run before merge (see "Verification").

What's included

Database
Schema move + renames (22 tables, 9 renamed):
- `fworch-create-tables-firewall.sql` creates the `firewall` schema and all 22 tables, and adds `firewall` to the database `search_path` via a `current_database()` DO-block, so the 13 non-renamed tables need no reference changes. Table definitions removed from `fworch-create-tables-base.sql`, `fworch-create-tables-rule-related.sql` deleted, and the new file wired first in `install-database.yml`.

| old name | new name |
| --- | --- |
| `object` | `nw_object` |
| `objgrp` | `nw_object_group` |
| `service` | `nw_service` |
| `svcgrp` | `nw_service_group` |
| `usr` | `nw_user` |
| `usergrp` | `nw_user_group` |
| `rule_svc_resolved` | `rule_nw_service_resolved` |
| `rule_nwobj_resolved` | `rule_nw_object_resolved` |
| `rule_user_resolved` | `rule_nw_user_resolved` |

(The other 13 — `rule`, `rule_metadata`, `parent_rule_type`, `rule_from`/`rule_to`/`rule_service`, `rulebase`, `rulebase_link`, `rule_enforced_on_gateway`, `rule_from_zone`, `rule_to_zone`, `rule_time`, `zone` — keep their names and just move schema.)

- References updated (surgically; overloaded names like `changelog_object`, `objgrp_flat`, `rule_service`, `modelling.service` were left untouched and verified): foreign keys, constraints, indices (index/constraint names preserved), `views-materialized`, idempotent `api-funcs` + `views-changes`, and maintenance scripts. Where a query used a table name as a column qualifier (`object.obj_id`), the renamed table is aliased back to its old name so qualifiers still resolve.
- Upgrade path: new `9.2.1.sql`, an idempotent `SET SCHEMA` + `RENAME` for existing installs (FKs/sequences move with the tables via OID), plus the `search_path`. Bumped `product_version` to `9.2.1` and added a revision-history entry. Historical upgrade scripts are intentionally unchanged: they run before the 9.2.1 cutover, while the tables still live in `public`.

Hasura metadata
`replace_metadata.json` regenerated so the moved/renamed tables are tracked in the `firewall` schema, with custom root-field names (`firewall_rule`, `update_firewall_nw_object`, …) and relationships updated accordingly.

GraphQL
`.graphql` query/fragment files updated to the new root-field / table names (`rule` → `firewall_rule`, `object` → `firewall_nw_object`, `update_usr` → `update_firewall_nw_user`, …).

Python importer
`model_controllers` (`fwconfig_import`, `fwconfig_import_object`, `fwconfig_import_rule`, `fwconfig_import_gateway`, `rulebase_link_controller`) and `services/uid2id_mapper` updated to the renamed mutation/query root fields and result keys. `tests-integration/tasks/test-importer.yml` updated accordingly.

Verification
- `search_path` cutover relies on later install steps running on fresh DB connections; confirm on a real install.
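The upgrade pattern that the second commit message and the "Upgrade path" / "References updated" items above describe (guarded `SET SCHEMA` + `RENAME` so re-runs are no-ops, a database-level `search_path` set via `current_database()`, and aliasing a renamed table back to its old name in a view), written out as an added example. This is not the project's `9.2.1.sql` or any other file from the PR. Table names are taken from the PR; the view name `v_example_rule_objects`, its columns other than `obj_id`, the order of the `search_path` entries, and PostgreSQL 12+ are assumptions.

```sql
-- Added illustrative example, not the project's 9.2.1.sql: an idempotent
-- public -> firewall cutover in the shape the PR describes. Table names come
-- from the PR; the view, its columns other than obj_id, and the search_path
-- order are assumptions. Assumes PostgreSQL 12+.

BEGIN;

CREATE SCHEMA IF NOT EXISTS firewall;

DO $$
DECLARE
    pair  text[];
    -- (old name in public, new name in firewall); a subset of the 22 tables.
    -- Tables that only move schema repeat their name.
    pairs text[][] := ARRAY[
        ['object',              'nw_object'],
        ['objgrp',              'nw_object_group'],
        ['service',             'nw_service'],
        ['svcgrp',              'nw_service_group'],
        ['usr',                 'nw_user'],
        ['usergrp',             'nw_user_group'],
        ['rule_svc_resolved',   'rule_nw_service_resolved'],
        ['rule_nwobj_resolved', 'rule_nw_object_resolved'],
        ['rule_user_resolved',  'rule_nw_user_resolved'],
        ['rule',                'rule'],
        ['rulebase',            'rulebase'],
        ['zone',                'zone']
    ];
BEGIN
    FOREACH pair SLICE 1 IN ARRAY pairs LOOP
        -- to_regclass() is NULL for a missing relation, so each step fires
        -- once: on a pre-cutover install, never again on a re-run.
        IF to_regclass(format('public.%I', pair[1])) IS NOT NULL THEN
            -- Indexes, constraints, sequences and triggers reference the
            -- table by OID and follow it; only textual references (views,
            -- function bodies, scripts) need separate edits.
            EXECUTE format('ALTER TABLE public.%I SET SCHEMA firewall', pair[1]);
        END IF;
        IF pair[1] <> pair[2]
           AND to_regclass(format('firewall.%I', pair[1])) IS NOT NULL
           AND to_regclass(format('firewall.%I', pair[2])) IS NULL THEN
            EXECUTE format('ALTER TABLE firewall.%I RENAME TO %I', pair[1], pair[2]);
        END IF;
    END LOOP;
END
$$;

-- Database-level search_path so unqualified references to the non-renamed
-- tables (rule, rulebase, zone, ...) keep resolving. firewall is listed
-- before public deliberately (an assumption, not the PR's order): where
-- other roles may CREATE in public (the default before PostgreSQL 15), a
-- same-named table created there would otherwise shadow the real one.
-- ALTER DATABASE ... SET only reaches sessions opened afterwards, hence the
-- extra SET for the session running this script.
DO $$
BEGIN
    EXECUTE format('ALTER DATABASE %I SET search_path = "$user", firewall, public',
                   current_database());
END
$$;
SET search_path = "$user", firewall, public;

-- Textual references do not follow the OID. A view that used the old table
-- name as a column qualifier is re-created against the new name, aliased
-- back, so qualifiers such as object.obj_id are left exactly as they were.
-- (Hypothetical view; rule_id and obj_name are assumed column names.)
CREATE OR REPLACE VIEW firewall.v_example_rule_objects AS
SELECT rule.rule_id, object.obj_id, object.obj_name
FROM   firewall.rule
JOIN   firewall.rule_nw_object_resolved AS rule_nwobj_resolved
         ON rule_nwobj_resolved.rule_id = rule.rule_id
JOIN   firewall.nw_object AS object
         ON object.obj_id = rule_nwobj_resolved.obj_id;

COMMIT;

-- Post-cutover checks, run from a NEW connection (the database-level
-- search_path is not picked up by sessions that were already open):
SHOW search_path;                                                     -- contains firewall
SELECT 'rule'::regclass = 'firewall.rule'::regclass AS unqualified_rule_is_firewall_rule;  -- true
SELECT to_regclass('public.object') IS NULL AS nothing_left_under_old_name;               -- true
```

The role running the script must own the tables (for `SET SCHEMA`/`RENAME`), hold `CREATE` on the `firewall` schema, and own the database (for `ALTER DATABASE ... SET`). The three trailing checks are the concrete form of the "fresh DB connections" item under Verification: they only mean something when issued from a session opened after the `ALTER DATABASE`.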