From d8a62ee72278185fa586ba5b7c5f91a2bdae46fb Mon Sep 17 00:00:00 2001
From: Kirill Fedoseev
Date: Fri, 6 May 2022 18:18:30 +0200
Subject: [PATCH] Read only DB role for grafana

---
 db/migrations/000006_create_readonly_user.down.sql | 5 +++++
 db/migrations/000006_create_readonly_user.up.sql | 7 +++++++
 docker-compose.dev.yml | 4 ++--
 docker-compose.prod.yml | 4 ++--
 4 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 db/migrations/000006_create_readonly_user.down.sql
 create mode 100644 db/migrations/000006_create_readonly_user.up.sql

diff --git a/db/migrations/000006_create_readonly_user.down.sql b/db/migrations/000006_create_readonly_user.down.sql
new file mode 100644
index 0000000..67801ad
--- /dev/null
+++ b/db/migrations/000006_create_readonly_user.down.sql
@@ -0,0 +1,5 @@
+DROP USER read_user;
+REVOKE CONNECT ON DATABASE db FROM readonly;
+REVOKE USAGE ON SCHEMA public FROM readonly;
+REVOKE SELECT ON ALL TABLES IN SCHEMA public FROM readonly;
+DROP ROLE readonly;
diff --git a/db/migrations/000006_create_readonly_user.up.sql b/db/migrations/000006_create_readonly_user.up.sql
new file mode 100644
index 0000000..c99ab4d
--- /dev/null
+++ b/db/migrations/000006_create_readonly_user.up.sql
@@ -0,0 +1,7 @@
+CREATE ROLE readonly;
+GRANT CONNECT ON DATABASE db TO readonly;
+GRANT USAGE ON SCHEMA public TO readonly;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;
+
+CREATE USER read_user WITH PASSWORD 'read_user_pass';
+GRANT readonly TO read_user;
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index e021689..5cbb70d 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -26,8 +26,8 @@ services:
       - grafana-storage:/var/lib/grafana
     environment:
       PG_HOST: 'postgres:5432'
-      PG_USER: 'postgres'
-      PG_PASSWORD: 'pass'
+      PG_USER: 'read_user'
+      PG_PASSWORD: 'read_user_pass'
       PG_DB: 'db'
       PROM_USER: 'admin'
       PROM_HOST: 'http://prometheus:9090'
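Review bot: The first and last lines of the down migration, `DROP USER read_user;` and `DROP ROLE readonly;`, are not idempotent, so if the up migration failed partway (for example after the grants but before `CREATE USER`) this file errors on its first statement and cannot be used to clean up. Writing them as `DROP USER IF EXISTS read_user;` and `DROP ROLE IF EXISTS readonly;` lets the down run on any partial state; the three `REVOKE` statements in between are already safe to repeat. A one-line header comment such as `-- reverts 000006: drops the Grafana read-only login and the readonly role it inherits from` would also make the pairing with the up file obvious to the next reader.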
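Review bot: `GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;` on the fourth added line only covers tables that exist at the moment this migration runs, so every table created by a later migration will be invisible to Grafana until someone re-grants by hand. Adding `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readonly;` after it makes future tables inherit the grant; note that default privileges apply to objects created by the role that runs the statement, so it should be run as the same role that applies the other migrations, and the down file then needs the matching `ALTER DEFAULT PRIVILEGES ... REVOKE`. Separately, `CREATE USER read_user WITH PASSWORD 'read_user_pass';` commits a plaintext credential to the repository, and the same literal is repeated in the `PG_PASSWORD` lines of docker-compose.dev.yml and docker-compose.prod.yml, so dev and prod share one checked-in secret. A common pattern is to create the login here without a fixed password and have the deployment set it from a secret (`ALTER USER read_user PASSWORD ...` run with the value injected at deploy time), with the compose files reading `PG_PASSWORD: '${GRAFANA_PG_PASSWORD}'` from the environment instead of a literal.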
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index a6d5f45..f084e1b 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -42,8 +42,8 @@ services:
       - grafana-storage:/var/lib/grafana
     environment:
       PG_HOST: 'postgres:5432'
-      PG_USER: 'postgres'
-      PG_PASSWORD: 'pass'
+      PG_USER: 'read_user'
+      PG_PASSWORD: 'read_user_pass'
       PG_DB: 'db'
       PROM_USER: 'admin'
       PROM_HOST: 'http://prometheus:9090'