Restrict metabase user to tables (#1132)

* Automatically configure registry in portainer

Creates a single authneticated dockerhub registry that lets pulling
private images (i.e. updating service's image (that is private) in portainer shall work now)

* closes #1089

* Update

* Imrpove wait for it installation

* Fix portainer makefile wrong options

#1125

* fix

* spacing

* Restrict metabase user to set of tables

* closes #1113

* configuration

* Add readme

Author: YuryHrytsuk

services/metabase/README.md

@@ -0,0 +1,8 @@
+## How to deploy first time
+
+Before deploying metabase first time, make sure that postgres is configured:
+1. Generate SQL commands via `make configure_metabase.sql`
+2. Execute SQL commands from the script in psql shell
+    * you can get one via adminer or by directly connecting to container and executing `psql -U <user> -d <db>`
+
+This can be automated via https://github.com/ITISFoundation/osparc-ops-environments/issues/827

services/metabase/configure_metabase.sql.template

@@ -1,7 +1,19 @@
 CREATE USER ${METABASE_POSTGRES_USER} WITH PASSWORD '${METABASE_POSTGRES_PASSWORD}';
 
--- relies on readonly role aldready existing in the database
-GRANT ${POSTGRES_DB}_readonly TO ${METABASE_POSTGRES_USER};
+/*
+Access to simcore database
+*/
+
+GRANT CONNECT ON DATABASE ${POSTGRES_DB} TO ${METABASE_POSTGRES_USER};
+
+-- https://stackoverflow.com/questions/17338621/what-does-grant-usage-on-schema-do-exactly
+GRANT USAGE ON SCHEMA public TO ${METABASE_POSTGRES_USER};
+
+GRANT SELECT ON TABLE ${METABASE_POSTGRES_ALLOWED_SIMCORE_TABLES} TO ${METABASE_POSTGRES_USER};
+
+/*
+Metabase database to store its data
+*/
 
 CREATE DATABASE ${METABASE_POSTGRES_DB}
     WITH OWNER ${METABASE_POSTGRES_USER};