From 29956393a74c1fd2a1d12bb8a3fe334d55b08a42 Mon Sep 17 00:00:00 2001
From: Roman Plevka
Date: Fri, 15 Nov 2024 18:43:41 +0100
Subject: [PATCH] update db init script to set proper permissions for RO user

---
 scripts/db_init/init-user-db.sh | 18 ++++++++++++++----
 scripts/db_init/setup_db.sh | 12 +++++++++++-
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/scripts/db_init/init-user-db.sh b/scripts/db_init/init-user-db.sh
index a1acb71..29f1bca 100644
--- a/scripts/db_init/init-user-db.sh
+++ b/scripts/db_init/init-user-db.sh
@@ -1,10 +1,20 @@
 #!/bin/bash
 set -e
+# Create the telemetry database and the telemetry role
 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
 CREATE DATABASE telemetry;
- CREATE ROLE telemetry WITH LOGIN PASSWORD 'changeme';
- GRANT CONNECT ON DATABASE telemetry TO telemetry;
- GRANT USAGE ON SCHEMA public TO telemetry;
- GRANT SELECT ON ALL TABLES IN SCHEMA public TO telemetry;
+ CREATE ROLE ${POSTGRES_RO_USER:-telemetry} WITH LOGIN PASSWORD '${POSTGRES_RO_PASSWORD:-changeme}';
+ GRANT CONNECT ON DATABASE telemetry TO ${POSTGRES_RO_USER:-telemetry};
 EOSQL
+
+# Connect to the telemetry database to set up permissions and triggers
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "telemetry" <<-EOSQL
+ GRANT USAGE ON SCHEMA public TO ${POSTGRES_RO_USER:-telemetry};
+
+ -- Grant SELECT privileges on existing tables
+ GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${POSTGRES_RO_USER:-telemetry};
+
+ -- Set default privileges for future tables created by the postgres user
+ ALTER DEFAULT PRIVILEGES FOR USER ${POSTGRES_USER} IN SCHEMA public GRANT SELECT ON TABLES TO ${POSTGRES_RO_USER:-telemetry};
+EOSQL
\ No newline at end of file
diff --git a/scripts/db_init/setup_db.sh b/scripts/db_init/setup_db.sh
index a1dc822..ec88ecb 100755
--- a/scripts/db_init/setup_db.sh
+++ b/scripts/db_init/setup_db.sh
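Review bot: The role password is spliced into the SQL text of the first heredoc as a bare `'${POSTGRES_RO_PASSWORD:-changeme}'` literal, so any value containing a single quote breaks the statement (and, under `ON_ERROR_STOP`, aborts the whole init), and the role and user names are interpolated as unquoted identifiers the same way in both heredocs. psql can carry these values safely as variables: add `-v ro_user="${POSTGRES_RO_USER:-telemetry}" -v ro_pass="${POSTGRES_RO_PASSWORD:-changeme}"` to the psql invocations and write `CREATE ROLE :"ro_user" WITH LOGIN PASSWORD :'ro_pass';`, which quotes identifier and literal correctly; the remaining GRANT/ALTER lines would use `:"ro_user"` the same way. Be aware that this CREATE ROLE statement, password included, is still sent as statement text, so it lands in the server log in cleartext whenever the server runs with `log_statement=all` as the setup_db.sh hunk configures. The `ALTER DEFAULT PRIVILEGES FOR USER ${POSTGRES_USER}` line only covers tables later created by that exact role, which is worth stating in its comment, e.g. `-- Only tables created by $POSTGRES_USER get this default; other creators must grant explicitly`. The comment "set up permissions and triggers" describes no trigger this hunk creates and should drop the word.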
@@ -1,2 +1,12 @@
 podman network create rekuper
-podman run --name rekuper_db --network rekuper --rm -e POSTGRES_PASSWORD=changeme -v ./init-user-db.sh:/docker-entrypoint-initdb.d/init-user-db.sh:z -p 25432:5432 postgres:17
+podman run \
+ --rm \
+ --name rekuper_db \
+ --network rekuper \
+ -e POSTGRES_USER=postgres \
+ -e POSTGRES_PASSWORD=changeme \
+ -e POSTGRES_RO_USER=telemetry \
+ -e POSTGRES_RO_PASSWORD=fero \
+ -v ./init-user-db.sh:/docker-entrypoint-initdb.d/init-user-db.sh:z \
+ -p 25432:5432 \
+ postgres:17 postgres -c log_statement=all
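Review bot: `postgres -c log_statement=all` on the last line makes the server write every statement to the container log in cleartext, including the init script's `CREATE ROLE ... PASSWORD '...'` and every row the telemetry client later inserts. If this is for local debugging only, say so above the line, e.g. `# log_statement=all echoes every statement (incl. CREATE ROLE ... PASSWORD) to the container log; local debugging only`, and consider making it opt-in through an environment variable rather than the script's fixed default. The new `-e POSTGRES_RO_PASSWORD=fero` hard-codes a second credential next to the existing `changeme`; reading it from the caller's environment with a fallback, `-e POSTGRES_RO_PASSWORD="${POSTGRES_RO_PASSWORD:-fero}"`, keeps the dev default while letting a real value be supplied without editing the script (the same pattern fits `POSTGRES_PASSWORD`).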