Merge branch 'master' into enh/react-to-5xx

ITISFoundation · Oct 2, 2024 · 41bb1b5 · 41bb1b5
2 parents 352c05d + bde0ab0
commit 41bb1b5
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 0 deletions.
diff --git a/.env-devel b/.env-devel
@@ -152,6 +152,10 @@ POSTGRES_PASSWORD=adminadmin
 POSTGRES_PORT=5432
 POSTGRES_USER=scu
 
+POSTGRES_READONLY_PASSWORD=readonly
+POSTGRES_READONLY_USER=readonly
+
+
 RABBIT_HOST=rabbit
 RABBIT_PASSWORD=adminadmin
 RABBIT_PORT=5672

diff --git a/.gitignore b/.gitignore
@@ -181,3 +181,6 @@ tests/public-api/osparc_python_wheels/*
 
 # osparc-config repo files
 repo.config
+
+# scripts resolved with .env s
+services/postgres/scripts/create-readonly-user.sql
diff --git a/services/postgres/Makefile b/services/postgres/Makefile
@@ -0,0 +1,14 @@
+include ../../scripts/common.Makefile
+
+
+ifneq (,$(wildcard $(DOT_ENV_FILE)))
+    include $(DOT_ENV_FILE)
+    export $(shell sed 's/=.*//' $(DOT_ENV_FILE))
+endif
+
+
+.PHONY: scripts/create-readonly-user.sql
+scripts/create-readonly-user.sql: scripts/create-readonly-user.sql.template
+	@echo "Generating SQL script from $<..."
+	@envsubst < $< > $@
+	@echo "SQL script generated as $@"
diff --git a/services/postgres/scripts/create-readonly-user.sql.template b/services/postgres/scripts/create-readonly-user.sql.template
@@ -0,0 +1,22 @@
+-- SQL script to create a read-only user and grant privileges
+
+
+--Create the read-only user with a password
+CREATE USER ${POSTGRES_READONLY_USER} WITH PASSWORD '${POSTGRES_READONLY_PASSWORD}';
+
+--Grant CONNECT privilege to the database (e.g., 'foo' is the database name)
+GRANT CONNECT ON DATABASE ${POSTGRES_DB} TO ${POSTGRES_READONLY_USER};
+
+--Grant USAGE privilege on the **public** schema
+GRANT USAGE ON SCHEMA public TO ${POSTGRES_READONLY_USER};
+
+--Grant SELECT privilege on all existing tables and sequencies in the **public** schema
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${POSTGRES_READONLY_USER};
+GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO ${POSTGRES_READONLY_USER};
+
+--Ensure that future tables created in the public schema and sequencies will have SELECT privilege for the read-only user
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ${POSTGRES_READONLY_USER};
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON SEQUENCES TO ${POSTGRES_READONLY_USER};
+
+-- Listing all users
+SELECT * FROM pg_roles;