
Commit bde0ab0

authored
🔨 Doc and scripts to create read-only user in PostgreSQL (ITISFoundation#6426)
1 parent d7bb29e commit bde0ab0

4 files changed

+43
-0
lines changed


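--- a/.env-devel
+++ b/.env-devel
@@ -152,6 +152,10 @@ POSTGRES_PASSWORD=adminadmin
 POSTGRES_PORT=5432
 POSTGRES_USER=scu
 
+POSTGRES_READONLY_PASSWORD=readonly
+POSTGRES_READONLY_USER=readonly
+
+
 RABBIT_HOST=rabbit
 RABBIT_PASSWORD=adminadmin
 RABBIT_PORT=5672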
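Review bot: The new `POSTGRES_READONLY_PASSWORD=readonly` / `POSTGRES_READONLY_USER=readonly` pair on lines 155-156 carries no hint that these are placeholder values, yet the new services/postgres Makefile substitutes whatever the resolved `.env` holds verbatim into the CREATE USER statement, so an un-overridden default becomes the live credential. A one-line comment above them, `# dev-only defaults: override POSTGRES_READONLY_PASSWORD in any deployed .env`, would make that explicit, as the other POSTGRES_* entries here are equally weak but long established. The two trailing blank lines added at 157-158 look accidental; one separator matches the rest of the file.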

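--- a/.gitignore
+++ b/.gitignore
@@ -181,3 +181,6 @@ tests/public-api/osparc_python_wheels/*
 
 # osparc-config repo files
 repo.config
+
+# scripts resolved with .env s
+services/postgres/scripts/create-readonly-user.sql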

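--- a/services/postgres/Makefile
+++ b/services/postgres/Makefile
@@ -0,0 +1,14 @@
+include ../../scripts/common.Makefile
+
+
+ifneq (,$(wildcard $(DOT_ENV_FILE)))
+include $(DOT_ENV_FILE)
+export $(shell sed 's/=.*//' $(DOT_ENV_FILE))
+endif
+
+
+.PHONY: scripts/create-readonly-user.sql
+scripts/create-readonly-user.sql: scripts/create-readonly-user.sql.template
+	@echo "Generating SQL script from $<..."
+	@envsubst < $< > $@
+	@echo "SQL script generated as $@"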
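Review bot: `envsubst < $< > $@` on line 13 substitutes every `${VAR}` in the template and silently replaces an unset one with an empty string, so a missing `POSTGRES_DB` produces `GRANT CONNECT ON DATABASE  TO ...` rather than an error; guarding the inputs and restricting the substitution list would catch that, e.g. `@test -n "$(POSTGRES_DB)" -a -n "$(POSTGRES_READONLY_USER)" -a -n "$(POSTGRES_READONLY_PASSWORD)" || { echo "POSTGRES_* variables not set" >&2; exit 1; }` followed by `@umask 077 && envsubst '$$POSTGRES_DB $$POSTGRES_READONLY_USER $$POSTGRES_READONLY_PASSWORD' < $< > $@`. The `umask` matters because the generated file holds the plaintext password; the .gitignore entry keeps it out of the repository, not off a shared disk. Declaring the output `.PHONY` on line 10 forces regeneration on every invocation and discards the template dependency; if the intent is to regenerate whenever the env file changes, adding `$(wildcard $(DOT_ENV_FILE))` as a prerequisite expresses that without the phony marker. `DOT_ENV_FILE` appears to be defined in the included common.Makefile, which is outside this change.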
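--- a/services/postgres/scripts/create-readonly-user.sql.template
+++ b/services/postgres/scripts/create-readonly-user.sql.template
@@ -0,0 +1,22 @@
+-- SQL script to create a read-only user and grant privileges
+
+
+--Create the read-only user with a password
+CREATE USER ${POSTGRES_READONLY_USER} WITH PASSWORD '${POSTGRES_READONLY_PASSWORD}';
+
+--Grant CONNECT privilege to the database (e.g., 'foo' is the database name)
+GRANT CONNECT ON DATABASE ${POSTGRES_DB} TO ${POSTGRES_READONLY_USER};
+
+--Grant USAGE privilege on the **public** schema
+GRANT USAGE ON SCHEMA public TO ${POSTGRES_READONLY_USER};
+
+--Grant SELECT privilege on all existing tables and sequencies in the **public** schema
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${POSTGRES_READONLY_USER};
+GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO ${POSTGRES_READONLY_USER};
+
+--Ensure that future tables created in the public schema and sequencies will have SELECT privilege for the read-only user
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ${POSTGRES_READONLY_USER};
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON SEQUENCES TO ${POSTGRES_READONLY_USER};
+
+-- Listing all users
+SELECT * FROM pg_roles;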
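Review bot: The password on line 5 is spliced by envsubst into a single-quoted literal with no escaping, so any value containing `'` breaks the statement, and the user and database names on lines 5, 8 and 11-19 are spliced as bare identifiers, so mixed-case or reserved names fail the same way; running the file through psql with `-v` variables and using `:'POSTGRES_READONLY_PASSWORD'` / `:"POSTGRES_READONLY_USER"` gives proper literal and identifier quoting, otherwise the Makefile should at least reject values outside a safe character set. The `ALTER DEFAULT PRIVILEGES` statements on lines 18-19 have no `FOR ROLE` clause, so they only cover objects later created by the role that executes this script; if migrations run as a different role (presumably `POSTGRES_USER`), tables created by it will not be readable, which a comment such as `-- applies only to objects created by the executing role; run as the migration owner or add FOR ROLE` should state. `CREATE USER` on line 5 is not idempotent, so a second run fails on the first statement. The `(e.g., 'foo' is the database name)` remark on line 7 no longer matches the substituted `${POSTGRES_DB}` and should be dropped.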
