♻️ Update postgres configuration ⚠️ DEVOPS

[YuryHrytsuk]

What do these changes do?

1. create readonly role to reuse for users that need to access database
   • can be reused for readonly user and for metabase's user
2. fix security issue with public schema in Postgres 14
3. make readonly user rely on readonly role

Actions:

• init.sql script shall be executed in all deployments.
• Create role and user scripts shall be executed on demand (if necessary)

Related issue/s

• Deploy metabase and provide access to selected app-team members osparc-ops-environments#1061
• sql scripts to be moved to Test / Code / Document postgres state (users, permissions, ...) in all deployments osparc-ops-environments#827 (once implemented)

How to test

1. Create a user. Grant it readonly role. Select data from tables
2. Create a new user. Connect to db. Create a table should show an error permission denied

Dev-ops

• Execute init script in all deployments (as superuser for every database [simcore, metabase, ...])
• If applicable, create read only role and user

NOTE: for templating env use repo config

[Copilot]

Pull Request Overview

Adds and refactors SQL scripts to enforce a read-only role for Postgres databases and lock down the public schema in Postgres 14.

• Introduce init.sql to revoke CREATE on the public schema for all new databases.
• Create and remove templates for a reusable ${POSTGRES_DB}_readonly role, and refactor the read-only user scripts to grant/revoke this role.
• Update .gitignore to track template files and the new init.sql.

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
services/postgres/scripts/init.sql	New script to revoke CREATE on public schema per DB
services/postgres/scripts/create-readonly-role.sql.template	New template for creating the ${POSTGRES_DB}_readonly role
services/postgres/scripts/create-readonly-user.sql.template	Refactored user script to grant the readonly role
services/postgres/scripts/remove-readonly-role.sql.template	New template for revoking privileges and dropping the readonly role
services/postgres/scripts/remove-readonly-user.sql.template	Updated script to revoke the readonly role before dropping the user
services/postgres/scripts/.gitignore	Kept template files and init.sql tracked

[sanderegg]

our colleague copilot has some valid points

[pcrespov]

thx

[YuryHrytsuk]

@Mergifyio queue

[mergify]

queue

🛑 The pull request has been removed from the queue default

The following conditions don't match anymore:

• any of: [🔀 queue conditions]
  • all of: [📌 queue conditions of queue default]
    • any of: [🛡 GitHub branch protection]
      • check-neutral = system-tests
      • check-skipped = system-tests
      • check-success = system-tests

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[mergify]

This pull request has been removed from the queue for the following reason: checks failed.

The merge conditions cannot be satisfied due to failing checks:

You may have to fix your CI before adding the pull request to the queue again.
If you update this pull request, to fix the CI, it will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue instead, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.