posgra 0.1.9 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 951beba5dfa0b044ea3b5467f856c20b475e373d
-  data.tar.gz: 0ad1275dcb66c096037f2f8b3bf5a7817334288f
+  metadata.gz: 8af082dbe487f54a35c23d4c39947c58b12f403d
+  data.tar.gz: 9cb68ff5f9e321277c31246d6b2631bbfb0d67ce
 SHA512:
-  metadata.gz: f5da29a44a9d95f2c9867df4154bebab2d954c54b7d285568bd91c8070fcfb7bfd8a4ef3057b9117357c1767c407c96952594b323a0d7055503ff3af4c1f268a
-  data.tar.gz: 1cd71973a72a56835041229493e914b751822214ec291e64f81f4f206772a089c834560eace40a1c079cb84b1c35f84f6b99c0f6fc650e5d93b5151e39945e09
+  metadata.gz: e48736a442d4592ea2310dae9884ab1dac1d1de688596517f08504dae133e0da0c98aa4552f22287518a7fc35894581bb654259a90011fb304bc48d1f117415d
+  data.tar.gz: b811a332a01d8960f9c672b2afcb8a89aeaf70589d25616c162cdddeb1ff118e14f0f343de293c026ab84f5ca3239dcfd9110e9eddd6d8bb736476f01b4a7d42

data/.travis.yml

@@ -1,19 +1,24 @@
-sudo: false
+dist: trusty
+sudo: required
 language: ruby
 rvm:
   - 2.0.0
   - 2.1.8
   - 2.2.4
   - 2.3.0
-before_install: gem install bundler -v 1.11.2
-script:
-  - bundle install
-  - bundle exec rake
-addons:
-  postgresql: "9.4"
-  apt:
-    packages:
-      - libgmp-dev
+before_install:
+  - gem install bundler
+  - sudo service postgresql stop
+before_script:
+  - docker-compose up -d
+  - function pg_ping { PGPASSWORD=password pg_isready -U postgres -h 127.0.0.1 > /dev/null 2> /dev/null; }
+  - for i in {1..60}; do pg_ping && break; sleep 1; done
 env:
   global:
     - POSGRA_TEST_USER=postgres
+services:
+  - docker
+addons:
+  apt:
+    packages:
+    - postgresql-client-9.4

data/README.md

@@ -28,9 +28,10 @@ Or install it yourself as:
 ```sh
 $ posgra help
 Commands:
-  posgra grant SUBCOMMAND  # Manage grants
-  posgra help [COMMAND]    # Describe available commands or one specific command
-  posgra role SUBCOMMAND   # Manage roles
+  posgra database SUBCOMMAND  # Manage database grants
+  posgra grant SUBCOMMAND     # Manage grants
+  posgra help [COMMAND]       # Describe available commands or one specific command
+  posgra role SUBCOMMAND      # Manage roles
 
 Options:
   -h, [--host=HOST]
@@ -62,6 +63,13 @@ posgra grant apply --dry-run pg_grants.rb
 posgra grant apply pg_grants.rb
 ```
 
+```sh
+posgra database export pg_dbgrants.rb
+vi pg_dbgrants.rb
+posgra database apply --dry-run pg_dbgrants.rb
+posgra database apply pg_dbgrants.rb
+```
+
 ### for Redshift
 
 ```sh
@@ -106,6 +114,26 @@ role "bob" do
 end
 ```
 
+### DB Grant
+
+```ruby
+role "alice" do
+  database "my_database" do
+    grant "CONNECT", :grantable => true
+    grant "CREATE"
+    grant "TEMPORARY"
+  end
+end
+
+role "bob" do
+  database "my_database" do
+    grant "CONNECT"
+    grant "CREATE"
+    grant "TEMPORARY"
+  end
+end
+```
+
 ### Template
 
 ```ruby
@@ -138,3 +166,19 @@ role "bob" do
   end
 end
 ```
+
+## Running tests
+
+```sh
+docker-compose up -d
+bundle install
+bundle exec rake
+```
+
+### on OS X (docker-machine & VirtualBox)
+
+Port forwarding is required.
+
+```sh
+VBoxManage controlvm default natpf1 "psql,tcp,127.0.0.1,5432,,5432"
+```

data/docker-compose.yml

@@ -0,0 +1,6 @@
+postgres:
+  image: "postgres:9.4"
+  ports:
+    - "5432:5432"
+  environment:
+    POSTGRES_PASSWORD: password

data/lib/posgra.rb

@@ -15,12 +15,16 @@ require 'posgra/utils'
 require 'posgra/cli'
 require 'posgra/cli'
 require 'posgra/cli/helper'
+require 'posgra/cli/database'
 require 'posgra/cli/grant'
 require 'posgra/cli/role'
 require 'posgra/cli/app'
 require 'posgra/client'
 require 'posgra/driver'
 require 'posgra/dsl'
+require 'posgra/dsl/database'
+require 'posgra/dsl/database/role'
+require 'posgra/dsl/database/role/database'
 require 'posgra/dsl/grants'
 require 'posgra/dsl/grants/role'
 require 'posgra/dsl/grants/role/schema'

data/lib/posgra/cli/app.rb

@@ -13,4 +13,7 @@ class Posgra::CLI::App < Thor
 
   desc 'grant SUBCOMMAND', 'Manage grants'
   subcommand :grant, Posgra::CLI::Grant
+
+  desc 'database SUBCOMMAND', 'Manage database grants'
+  subcommand :database, Posgra::CLI::Database
 end

data/lib/posgra/cli/database.rb

@@ -0,0 +1,70 @@
+class Posgra::CLI::Database < Thor
+  include Posgra::CLI::Helper
+  include Posgra::Logger::Helper
+
+  DEFAULT_FILENAME = 'pg_dbgrants.rb'
+
+  class_option :'include-role'
+  class_option :'exclude-role'
+  class_option :'include-database'
+  class_option :'exclude-database'
+
+  desc 'apply FILE', 'Apply database grants'
+  option :'dry-run', :type => :boolean, :default => false
+  def apply(file)
+    check_fileanem(file)
+    updated = client.apply_databases(file)
+
+    unless updated
+      Posgra::Logger.instance.info('No change'.intense_blue)
+    end
+  end
+
+  desc 'export [FILE]', 'Export database grants'
+  option :split, :type => :boolean, :default => false
+  def export(file = nil)
+    check_fileanem(file)
+    dsl = client.export_databases
+
+    if options[:split]
+      file = DEFAULT_FILENAME unless file
+
+      log(:info, 'Export Database Grants')
+      requires = []
+
+      dsl.each do |user, content|
+        user = user.gsub(/\s+/, '_')
+        user = '_' if user.empty?
+        grant_file = "#{user}.rb"
+        requires << grant_file
+        log(:info, "  write `#{grant_file}`")
+
+        open(grant_file, 'wb') do |f|
+          f.puts Posgra::CLI::MAGIC_COMMENT
+          f.puts content
+        end
+      end
+
+      log(:info, "  write `#{file}`")
+
+      open(file, 'wb') do |f|
+        f.puts Posgra::CLI::MAGIC_COMMENT
+
+        requires.each do |grant_file|
+          f.puts "require '#{File.basename grant_file}'"
+        end
+      end
+    else
+      if file.nil? or file == '-'
+        puts dsl
+      else
+        log(:info, "Export Database Grants to `#{file}`")
+
+        open(file, 'wb') do |f|
+          f.puts Posgra::CLI::MAGIC_COMMENT
+          f.puts dsl
+        end
+      end
+    end
+  end
+end

data/lib/posgra/client.rb

@@ -1,6 +1,7 @@
 class Posgra::Client
   DEFAULT_EXCLUDE_SCHEMA = /\A(?:pg_.*|information_schema)\z/
   DEFAULT_EXCLUDE_ROLE = /\A\z/
+  DEFAULT_EXCLUDE_DATABASE = /\A(?:template\d+|postgres)\z/
 
   def initialize(options = {})
     if options[:exclude_schema]
@@ -21,6 +22,15 @@ class Posgra::Client
       options[:exclude_role] = DEFAULT_EXCLUDE_ROLE
     end
 
+    if options[:exclude_database]
+      options[:exclude_database] = Regexp.union(
+        options[:exclude_database],
+        DEFAULT_EXCLUDE_DATABASE
+      )
+    else
+      options[:exclude_database] = DEFAULT_EXCLUDE_DATABASE
+    end
+
     @options = options
     @client = connect(options)
     @driver = Posgra::Driver.new(@client, options)
@@ -39,7 +49,6 @@ class Posgra::Client
     if options[:split]
       dsl_h = Hash.new {|hash, key| hash[key] = {} }
 
-
       exported.each do |role, schemas|
         dsl = Posgra::DSL.convert_grants({role => schemas}, options)
         dsl_h[role] = dsl
@@ -51,6 +60,24 @@ class Posgra::Client
     end
   end
 
+  def export_databases(options = {})
+    options = @options.merge(options)
+    exported = Posgra::Exporter.export_databases(@driver, options)
+
+    if options[:split]
+      dsl_h = Hash.new {|hash, key| hash[key] = {} }
+
+      exported.each do |role, databases|
+        dsl = Posgra::DSL.convert_databases({role => databases}, options)
+        dsl_h[role] = dsl
+      end
+
+      dsl_h
+    else
+      Posgra::DSL.convert_databases(exported, options)
+    end
+  end
+
   def apply_roles(file, options = {})
     options = @options.merge(options)
     walk_for_roles(file, options)
@@ -61,6 +88,11 @@ class Posgra::Client
     walk_for_grants(file, options)
   end
 
+  def apply_databases(file, options = {})
+    options = @options.merge(options)
+    walk_for_database_grants(file, options)
+  end
+
   def close
     @client.close
   end
@@ -87,6 +119,12 @@ class Posgra::Client
     walk_roles(expected, actual)
   end
 
+  def walk_for_database_grants(file, options)
+    expected = load_file(file, :parse_databases, options)
+    actual = Posgra::Exporter.export_databases(@driver, options)
+    walk_database_roles(expected, actual)
+  end
+
   def walk_users(expected, actual)
     updated = false
 
@@ -219,6 +257,60 @@ class Posgra::Client
     updated
   end
 
+  def walk_database_roles(expected, actual)
+    updated = false
+
+    expected.each do |expected_role, expected_databases|
+      actual_databases = actual.delete(expected_role) || {}
+      updated = walk_databases(expected_databases, actual_databases, expected_role) || updated
+    end
+
+    actual.each do |actual_role, actual_databases|
+      actual_databases.each do |database, _|
+        updated = @driver.revoke_all_on_database(actual_role, database) || updated
+      end
+    end
+
+    updated
+  end
+
+  def walk_databases(expected, actual, role)
+    updated = false
+
+    expected.each do |expected_database, expected_grants|
+      actual_grants = actual.delete(expected_database) || {}
+      updated = walk_database_grants(expected_grants, actual_grants, role, expected_database) || updated
+    end
+
+    actual.each do |actual_database, _|
+      updated = @driver.revoke_all_on_database(role, actual_database) || updated
+    end
+
+    updated
+  end
+
+  def walk_database_grants(expected, actual, role, database)
+    updated = false
+
+    expected.each do |expected_priv, expected_options|
+      actual_options = actual.delete(expected_priv)
+
+      if actual_options
+        if expected_options != actual_options
+          updated = @driver.update_database_grant_options(role, expected_priv, expected_options, database) || updated
+        end
+      else
+        updated = @driver.database_grant(role, expected_priv, expected_options, database) || updated
+      end
+    end
+
+    actual.each do |actual_priv, _|
+      updated = @driver.database_revoke(role, actual_priv, database) || updated
+    end
+
+    updated
+  end
+
   def load_file(file, method, options)
     if file.kind_of?(String)
       open(file) do |f|

data/lib/posgra/driver.rb

@@ -5,6 +5,8 @@ class Posgra::Driver
   DEFAULT_ACL_PRIVS = ENV['POSGRA_DEFAULT_ACL_PRIVS'] || 'arwdDxt'
   DEFAULT_ACL = "{%s=#{DEFAULT_ACL_PRIVS}/%s}"
 
+  DEFAULT_DATABASE_ACL = "{%s=CTc/%s}"
+
   DEFAULT_ACL_BY_KIND = {
     'S' => '{%s=rwU/%s}'
   }
@@ -21,6 +23,7 @@ class Posgra::Driver
     'R' => 'RULE',
     'X' => 'EXECUTE',
     'C' => 'CREATE',
+    'c' => 'CONNECT',
     'T' => 'TEMPORARY',
   }
 
@@ -143,6 +146,18 @@ class Posgra::Driver
     updated
   end
 
+  def revoke_all_on_database(role, database)
+    sql = "REVOKE ALL ON DATABASE #{@client.escape_identifier(database)} FROM #{@client.escape_identifier(role)}"
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      exec(sql)
+      updated = true
+    end
+
+    updated
+  end
+
   def grant(role, priv, options, schema, object)
     updated = false
 
@@ -216,6 +231,79 @@ class Posgra::Driver
     updated
   end
 
+  def database_grant(role, priv, options, database)
+    updated = false
+
+    sql = "GRANT #{priv} ON DATABASE #{@client.escape_identifier(database)} TO #{@client.escape_identifier(role)}"
+
+    if options['is_grantable']
+      sql << ' WITH GRANT OPTION'
+    end
+
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      exec(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def update_database_grant_options(role, priv, options, database)
+    updated = false
+
+    if options.fetch('is_grantable')
+      updated = grant_database_grant_option(role, priv, database)
+    else
+      updated = roveke_database_grant_option(role, priv, database)
+    end
+
+    updated
+  end
+
+  def grant_database_grant_option(role, priv, database)
+    updated = false
+
+    sql = "GRANT #{priv} ON DATABASE #{@client.escape_identifier(database)} TO #{@client.escape_identifier(role)} WITH GRANT OPTION"
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      exec(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def roveke_database_grant_option(role, priv, database)
+    updated = false
+
+    sql = "REVOKE GRANT OPTION FOR #{priv} ON DATABASE #{@client.escape_identifier(database)} FROM #{@client.escape_identifier(role)}"
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      exec(sql)
+      updated = true
+    end
+
+    updated
+  end
+
+  def database_revoke(role, priv, database)
+    updated = false
+
+    sql = "REVOKE #{priv} ON DATABASE #{@client.escape_identifier(database)} FROM #{@client.escape_identifier(role)}"
+    log(:info, sql, :color => :green)
+
+    unless @options[:dry_run]
+      exec(sql)
+      updated = true
+    end
+
+    updated
+  end
+
   def describe_objects(schema)
     rs = exec <<-SQL
       SELECT
@@ -294,6 +382,7 @@ class Posgra::Driver
     SQL
 
     grants_by_role = {}
+
     rs.each do |row|
       relname = row.fetch('relname')
       nspname = row.fetch('nspname')
@@ -317,11 +406,52 @@ class Posgra::Driver
     grants_by_role
   end
 
+  def describe_databases
+    rs = exec <<-SQL
+      SELECT
+        pg_database.datname,
+        pg_database.datacl,
+        pg_user.usename
+      FROM
+        pg_database
+        INNER JOIN pg_user ON pg_database.datdba = pg_user.usesysid
+    SQL
+
+    database_grants_by_role = {}
+
+    rs.each do |row|
+      datname = row.fetch('datname')
+      datacl = row.fetch('datacl')
+      usename = row.fetch('usename')
+
+      next unless matched?(datname, @options[:include_database], @options[:exclude_database])
+
+      parse_database_aclitems(datacl, usename).each do |aclitem|
+        role = aclitem.fetch('grantee')
+        privs = aclitem.fetch('privileges')
+        next unless matched?(role, @options[:include_role], @options[:exclude_role])
+        database_grants_by_role[role] ||= {}
+        database_grants_by_role[role][datname] = privs
+      end
+    end
+
+    database_grants_by_role
+  end
+
   private
 
   def parse_aclitems(aclitems, owner, relkind)
     aclitems_fmt = DEFAULT_ACL_BY_KIND.fetch(relkind, DEFAULT_ACL)
     aclitems ||= aclitems_fmt % [owner, owner]
+    parse_aclitems0(aclitems)
+  end
+
+  def parse_database_aclitems(aclitems, owner)
+    aclitems ||= DEFAULT_DATABASE_ACL % [owner, owner]
+    parse_aclitems0(aclitems)
+  end
+
+  def parse_aclitems0(aclitems)
     aclitems = aclitems[1..-2].split(',')
 
     aclitems.map do |aclitem|

data/lib/posgra/dsl.rb

@@ -7,6 +7,10 @@ class Posgra::DSL
     Posgra::DSL::Converter.convert_grants(exported, options)
   end
 
+  def self.convert_databases(exported, options = {})
+    Posgra::DSL::Converter.convert_databases(exported, options)
+  end
+
   def self.parse_roles(dsl, path, options = {})
     Posgra::DSL::Roles.eval(dsl, path, options).result
   end
@@ -14,4 +18,8 @@ class Posgra::DSL
   def self.parse_grants(dsl, path, options = {})
     Posgra::DSL::Grants.eval(dsl, path, options).result
   end
+
+  def self.parse_databases(dsl, path, options = {})
+    Posgra::DSL::Database.eval(dsl, path, options).result
+  end
 end

data/lib/posgra/dsl/converter.rb

@@ -7,6 +7,10 @@ class Posgra::DSL::Converter
     self.new(exported, options).convert_grants
   end
 
+  def self.convert_databases(exported, options = {})
+    self.new(exported, options).convert_databases
+  end
+
   def initialize(exported, options = {})
     @exported = exported
     @options = options
@@ -27,6 +31,11 @@ class Posgra::DSL::Converter
     output_roles(grants_by_role).strip
   end
 
+  def convert_databases
+    database_grants_by_role = @exported || {}
+    output_database_roles(database_grants_by_role).strip
+  end
+
   private
 
   def output_users(users)
@@ -117,10 +126,10 @@ end
     EOS
   end
 
-  def output_grants(grants)
+  def output_grants(grants, indent = "      ")
     grants.sort_by {|g| g.to_s }.map {|privilege_type, options|
       output_grant(privilege_type, options).strip
-    }.join("\n      ")
+    }.join("\n#{indent}")
   end
 
   def output_grant(privilege_type, options)
@@ -133,4 +142,45 @@ end
 
     out
   end
+
+  def output_database_roles(database_grants_by_role)
+    database_grants_by_role.sort_by {|r, _| r }.map {|role, grants_by_database|
+      output_database_role(role, grants_by_database)
+    }.join("\n")
+  end
+
+  def output_database_role(role, grants_by_database)
+    if grants_by_database.empty?
+      databases = "# no databases"
+    else
+      databases = output_databases(grants_by_database)
+    end
+
+    <<-EOS
+role #{role.inspect} do
+  #{databases}
+end
+    EOS
+  end
+
+  def output_databases(grants_by_database)
+    grants_by_database.sort_by {|s, _| s }.map {|database, grants|
+      output_database(database, grants).strip
+    }.join("\n  ")
+  end
+
+  def output_database(database, grants)
+    if grants.empty?
+      grants = "# no grants"
+    else
+      grants = output_grants(grants, '    ')
+    end
+
+    <<-EOS
+  database #{database.inspect} do
+    #{grants}
+  end
+    EOS
+  end
+
 end

data/lib/posgra/dsl/database.rb

@@ -0,0 +1,53 @@
+class Posgra::DSL::Database
+  include Posgra::Logger::Helper
+  include Posgra::TemplateHelper
+  include Posgra::Utils::Helper
+
+  def self.eval(dsl, path, options = {})
+    self.new(path, options) do
+      eval(dsl, binding, path)
+    end
+  end
+
+  attr_reader :result
+
+  def initialize(path, options = {}, &block)
+    @path = path
+    @options = options
+    @result = {}
+
+    @context = Hashie::Mash.new(
+      :path => path,
+      :options => options,
+      :templates => {},
+    )
+
+    instance_eval(&block)
+  end
+
+  private
+
+  def template(name, &block)
+    @context.templates[name.to_s] = block
+  end
+
+  def require(file)
+    pgrantfile = (file =~ %r|\A/|) ? file : File.expand_path(File.join(File.dirname(@path), file))
+
+    if File.exist?(pgrantfile)
+      instance_eval(File.read(pgrantfile), pgrantfile)
+    elsif File.exist?(pgrantfile + '.rb')
+      instance_eval(File.read(pgrantfile + '.rb'), pgrantfile + '.rb')
+    else
+      Kernel.require(file)
+    end
+  end
+
+  def role(name, &block)
+    name = name.to_s
+
+    if matched?(name, @options[:include_role], @options[:exclude_role])
+      @result[name] = Posgra::DSL::Database::Role.new(@context, name, @options, &block).result
+    end
+  end
+end

data/lib/posgra/dsl/database/role.rb

@@ -0,0 +1,23 @@
+class Posgra::DSL::Database::Role
+  include Posgra::Logger::Helper
+  include Posgra::TemplateHelper
+  include Posgra::Utils::Helper
+
+  attr_reader :result
+
+  def initialize(context, role, options, &block)
+    @role = role
+    @options = options
+    @context = context.merge(:role => role)
+    @result = {}
+    instance_eval(&block)
+  end
+
+  def database(name, &block)
+    name = name.to_s
+
+    if matched?(name, @options[:include_database], @options[:exclude_database])
+      @result[name] = Posgra::DSL::Database::Role::Database.new(@context, name, @options, &block).result
+    end
+  end
+end

data/lib/posgra/dsl/database/role/database.rb

@@ -0,0 +1,22 @@
+class Posgra::DSL::Database::Role::Database
+  include Posgra::Logger::Helper
+  include Posgra::TemplateHelper
+
+  attr_reader :result
+
+  def initialize(context, database, options, &block)
+    @database = database
+    @options = options
+    @context = context.merge(:database => database)
+    @result = {}
+    instance_eval(&block)
+  end
+
+  def grant(name, options = {})
+    name = name.to_s
+
+    @result[name] = {
+      'is_grantable' => !!options[:grantable]
+    }
+  end
+end

data/lib/posgra/exporter.rb

@@ -1,10 +1,14 @@
 class Posgra::Exporter
-  def self.export_roles(driver, options = {}, &block)
-    self.new(driver, options).export_roles(&block)
+  def self.export_roles(driver, options = {})
+    self.new(driver, options).export_roles
   end
 
-  def self.export_grants(driver, options = {}, &block)
-    self.new(driver, options).export_grants(&block)
+  def self.export_grants(driver, options = {})
+    self.new(driver, options).export_grants
+  end
+
+  def self.export_databases(driver, options = {})
+    self.new(driver, options).export_databases
   end
 
   def initialize(driver, options = {})
@@ -22,4 +26,8 @@ class Posgra::Exporter
   def export_grants
     @driver.describe_grants
   end
+
+  def export_databases
+    @driver.describe_databases
+  end
 end

data/lib/posgra/version.rb

@@ -1,3 +1,3 @@
 module Posgra
-  VERSION = "0.1.9"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: posgra
 version: !ruby/object:Gem::Version
-  version: 0.1.9
+  version: 0.2.0
 platform: ruby
 authors:
 - winebarrel
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-02-08 00:00:00.000000000 Z
+date: 2016-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pg
@@ -167,10 +167,12 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- docker-compose.yml
 - exe/posgra
 - lib/posgra.rb
 - lib/posgra/cli.rb
 - lib/posgra/cli/app.rb
+- lib/posgra/cli/database.rb
 - lib/posgra/cli/grant.rb
 - lib/posgra/cli/helper.rb
 - lib/posgra/cli/role.rb
@@ -178,6 +180,9 @@ files:
 - lib/posgra/driver.rb
 - lib/posgra/dsl.rb
 - lib/posgra/dsl/converter.rb
+- lib/posgra/dsl/database.rb
+- lib/posgra/dsl/database/role.rb
+- lib/posgra/dsl/database/role/database.rb
 - lib/posgra/dsl/grants.rb
 - lib/posgra/dsl/grants/role.rb
 - lib/posgra/dsl/grants/role/schema.rb