From 0fbae08feb875e51c2fc19ac18a3d9a25f4f2234 Mon Sep 17 00:00:00 2001 From: Jonas Thelemann Date: Tue, 13 May 2025 05:50:17 +0200 Subject: [PATCH] feat(grafana): readd --- Dockerfile | 2 ++ src/deploy/database_grafana.sql | 8 ++++++++ src/deploy/role_grafana.sql | 9 +++++++++ src/deploy/schema_private.sql | 4 ++++ src/deploy/table_account_private.sql | 4 ++++ src/revert/database_grafana.sql | 1 + src/revert/role_grafana.sql | 7 +++++++ src/sqitch | 2 ++ src/sqitch.plan | 2 ++ src/verify/database_grafana.sql | 8 ++++++++ src/verify/role_grafana.sql | 13 +++++++++++++ test/fixture/schema.definition.sql | 14 ++++++++++++++ 12 files changed, 74 insertions(+) create mode 100644 src/deploy/database_grafana.sql create mode 100644 src/deploy/role_grafana.sql create mode 100644 src/revert/database_grafana.sql create mode 100644 src/revert/role_grafana.sql create mode 100644 src/verify/database_grafana.sql create mode 100644 src/verify/role_grafana.sql diff --git a/Dockerfile b/Dockerfile index 68c545b2..b141eb23 100644 --- a/Dockerfile +++ b/Dockerfile @@ -35,10 +35,12 @@ RUN apt-get update \ && apt-get install --no-install-recommends -y \ sqitch=1.1.0000-1 \ && mkdir -p /run/secrets \ + && echo "grafana" > /run/secrets/postgres_role_service_grafana_username \ && echo "postgres" > /run/secrets/postgres_password \ && echo "postgraphile" > /run/secrets/postgres_role_service_postgraphile_username \ && echo "vibetype" > /run/secrets/postgres_role_service_vibetype_username \ && echo "placeholder" | tee \ + /run/secrets/postgres_role_service_grafana_password \ /run/secrets/postgres_role_service_postgraphile_password \ /run/secrets/postgres_role_service_vibetype_password \ /dev/null diff --git a/src/deploy/database_grafana.sql b/src/deploy/database_grafana.sql new file mode 100644 index 00000000..a9f37819 --- /dev/null +++ b/src/deploy/database_grafana.sql 
@@ -0,0 +1,8 @@ +\set role_service_grafana_username `cat /run/secrets/postgres_role_service_grafana_username` + +SELECT 'CREATE DATABASE grafana OWNER "' || :'role_service_grafana_username' || '";' +WHERE NOT EXISTS ( + SELECT FROM pg_database WHERE datname = 'grafana' +)\gexec + +COMMENT ON DATABASE grafana IS 'The observation dashboard''s database.'; diff --git a/src/deploy/role_grafana.sql b/src/deploy/role_grafana.sql new file mode 100644 index 00000000..31715e63 --- /dev/null +++ b/src/deploy/role_grafana.sql @@ -0,0 +1,9 @@ +BEGIN; + +\set role_service_grafana_password `cat /run/secrets/postgres_role_service_grafana_password` +\set role_service_grafana_username `cat /run/secrets/postgres_role_service_grafana_username` + +DROP ROLE IF EXISTS :role_service_grafana_username; +CREATE ROLE :role_service_grafana_username LOGIN PASSWORD :'role_service_grafana_password'; + +COMMIT; diff --git a/src/deploy/schema_private.sql b/src/deploy/schema_private.sql index e8f7c00f..d044bd43 100644 --- a/src/deploy/schema_private.sql +++ b/src/deploy/schema_private.sql @@ -1,7 +1,11 @@ BEGIN; +\set role_service_grafana_username `cat /run/secrets/postgres_role_service_grafana_username` + CREATE SCHEMA vibetype_private; COMMENT ON SCHEMA vibetype_private IS 'Contains account information and is not used by PostGraphile.'; +GRANT USAGE ON SCHEMA vibetype_private TO :role_service_grafana_username; + COMMIT; diff --git a/src/deploy/table_account_private.sql b/src/deploy/table_account_private.sql index a44bd875..49d5d7a6 100644 --- a/src/deploy/table_account_private.sql +++ b/src/deploy/table_account_private.sql @@ -1,5 +1,7 @@ BEGIN; +\set role_service_grafana_username `cat /run/secrets/postgres_role_service_grafana_username` + CREATE TABLE vibetype_private.account ( id UUID PRIMARY KEY DEFAULT gen_random_uuid(), 
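Review bot: The generated statement quotes the owner by string concatenation, `'... OWNER "' || :'role_service_grafana_username' || '"'`, so a username containing a double quote yields broken or unintended SQL that `\gexec` then executes; `SELECT format('CREATE DATABASE grafana OWNER %I;', :'role_service_grafana_username')` escapes the identifier correctly and is the standard idiom for building DDL from a value. The name comes from a secrets file rather than user input, so the practical exposure is small, but the `%I` form removes the problem class entirely. Note also that the `WHERE NOT EXISTS` guard keeps any pre-existing database named `grafana` exactly as it is, owner included, and nothing in this script reports when that owner is not the intended role.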
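Review bot: `DROP ROLE IF EXISTS :role_service_grafana_username;` ahead of the `CREATE ROLE` makes this deploy destructive on a re-run and will fail outright once the role owns the `grafana` database or holds the grants added in `schema_private.sql` and `table_account_private.sql`, because PostgreSQL refuses to drop a role that still has dependent objects. Guarding creation instead keeps the script idempotent without dropping anything: `SELECT format('CREATE ROLE %I LOGIN PASSWORD %L', :'role_service_grafana_username', :'role_service_grafana_password') WHERE NOT EXISTS (SELECT FROM pg_roles WHERE rolname = :'role_service_grafana_username')\gexec`, with an `ALTER ROLE ... PASSWORD` afterwards only if rotation on redeploy is wanted. Independently, the bare `:role_service_grafana_username` should be written `:"role_service_grafana_username"` so the value is always treated as a single identifier. Since the password is sent as a statement literal it can end up in server logs when statement logging is enabled; that presumably matches the existing role scripts (not in this patch), so it is a project-wide caveat rather than something this hunk introduces.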
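Review bot: `GRANT USAGE ON SCHEMA vibetype_private TO :role_service_grafana_username;` is added to an already-planned sqitch change, and sqitch does not re-execute a deployed change when its script is edited, so any target where `schema_private` is already deployed never receives this grant; the same applies to the `GRANT SELECT` appended in `table_account_private.sql`. If existing deployments matter, the grants belong in a new change (for example `privilege_grafana_select` depending on `[role_grafana schema_private table_account_private]`) or in a `sqitch rework` of these changes. If the project's convention is to always deploy from scratch, which the uniform `1970-01-01` timestamps in the plan suggest, a one-line comment in `sqitch.plan` saying so would make that assumption explicit for the next maintainer.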
@@ -86,4 +88,6 @@ CREATE TRIGGER vibetype_private_account_password_reset_verification_valid_until FOR EACH ROW EXECUTE PROCEDURE vibetype_private.account_password_reset_verification_valid_until(); +GRANT SELECT ON TABLE vibetype_private.account TO :role_service_grafana_username; + COMMIT; diff --git a/src/revert/database_grafana.sql b/src/revert/database_grafana.sql new file mode 100644 index 00000000..b4229d9e --- /dev/null +++ b/src/revert/database_grafana.sql @@ -0,0 +1 @@ +DROP DATABASE grafana WITH (FORCE); diff --git a/src/revert/role_grafana.sql b/src/revert/role_grafana.sql new file mode 100644 index 00000000..07f63f0e --- /dev/null +++ b/src/revert/role_grafana.sql @@ -0,0 +1,7 @@ +BEGIN; + +\set role_service_grafana_username `cat /run/secrets/postgres_role_service_grafana_username` + +DROP ROLE :role_service_grafana_username; + +COMMIT; diff --git a/src/sqitch b/src/sqitch index 925ce631..b74f4ef0 100755 --- a/src/sqitch +++ b/src/sqitch 
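Review bot: `GRANT SELECT ON TABLE vibetype_private.account TO :role_service_grafana_username;` gives the dashboard role read access to every column of the account table, which by the surrounding trigger names and the schema comment is the credential table, so whatever password-hash and reset-verification columns it holds become readable through the Grafana datasource. A dashboard normally needs counts and timestamps, which a column-level grant provides without exposing secrets, e.g. `GRANT SELECT (id, <timestamp_columns>) ON TABLE vibetype_private.account TO :"role_service_grafana_username";` (constructed example; substitute the columns the panels actually read), or a dedicated read-only view in a separate schema. With the full-table grant, a compromise of the Grafana datasource credentials is equivalent to a read of the whole table. The `CREATE TABLE` body sits between the two hunks of this file and is not visible here, so the exact column list has to be checked against it.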
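Review bot: `DROP DATABASE grafana WITH (FORCE);` is unguarded while the deploy skips creation when the database already exists, so a revert after a partially failed deploy errors out on a missing database; `DROP DATABASE IF EXISTS grafana WITH (FORCE);` mirrors the deploy's guard. `WITH (FORCE)` needs PostgreSQL 13 or newer and terminates any Grafana sessions still connected, which is reasonable for a revert but deserves a short comment in the script, e.g. `-- FORCE: terminate live Grafana connections; requires PostgreSQL 13+.`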
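Review bot: `DROP ROLE :role_service_grafana_username;` fails if anything still references the role, and unlike the deploy script it has no `IF EXISTS`, so the revert is not idempotent. Sqitch's reverse-order revert should remove the `grafana` database and the two grants before this runs, but privileges granted outside sqitch (the `test/fixture/schema.definition.sql` dump in this patch shows grants to `grafana` in the test database) would still block it; `DROP OWNED BY :"role_service_grafana_username";` followed by `DROP ROLE IF EXISTS :"role_service_grafana_username";` handles both cases within the current database.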
@@ -79,6 +79,8 @@ function docker_sudo() { docker_sudo run --rm --network host \ --mount "type=bind,src=$THIS,dst=/repo" \ --mount "type=bind,src=$HOME,dst=$homedst" \ + --mount "type=bind,src=$THIS/../../stack/src/development/secrets/postgres/role_service_grafana_password.secret,dst=/run/secrets/postgres_role_service_grafana_password" \ + --mount "type=bind,src=$THIS/../../stack/src/development/secrets/postgres/role_service_grafana_username.secret,dst=/run/secrets/postgres_role_service_grafana_username" \ --mount "type=bind,src=$THIS/../../stack/src/development/secrets/postgres/role_service_postgraphile_password.secret,dst=/run/secrets/postgres_role_service_postgraphile_password" \ --mount "type=bind,src=$THIS/../../stack/src/development/secrets/postgres/role_service_postgraphile_username.secret,dst=/run/secrets/postgres_role_service_postgraphile_username" \ --mount "type=bind,src=$THIS/../../stack/src/development/secrets/postgres/role_service_vibetype_password.secret,dst=/run/secrets/postgres_role_service_vibetype_password" \ diff --git a/src/sqitch.plan b/src/sqitch.plan index 3193aef7..381ecf49 100644 --- a/src/sqitch.plan +++ b/src/sqitch.plan @@ -3,6 +3,8 @@ %uri=https://github.com/maevsi/vibetype/ privilege_execute_revoke 1970-01-01T00:00:00Z Jonas Thelemann # Revoke execute privilege from public. +role_grafana 1970-01-01T00:00:00Z Jonas Thelemann # Add role grafana. +database_grafana [role_grafana] 1970-01-01T00:00:00Z Jonas Thelemann # Add the database for grafana. role_postgraphile 1970-01-01T00:00:00Z Jonas Thelemann # Add role postgraphile. role_anonymous [role_postgraphile] 1970-01-01T00:00:00Z Jonas Thelemann # Add role anonymous. role_account [role_postgraphile] 1970-01-01T00:00:00Z Jonas Thelemann # Add role account. diff --git a/src/verify/database_grafana.sql b/src/verify/database_grafana.sql new file mode 100644 index 00000000..09570d2d --- /dev/null +++ b/src/verify/database_grafana.sql 
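Review bot: `database_grafana [role_grafana]` declares its dependency, but the two changes whose scripts now also reference the grafana role, `schema_private` and `table_account_private`, keep their existing plan lines outside this hunk and, as far as the excerpt shows, do not list `[role_grafana]`; sqitch deploys in plan order, yet the dependency list is what it checks when deploying or reverting to a specific change. Adding `role_grafana` to those two entries' dependency lists, or moving the grants into a new change that depends on all three, keeps the plan consistent with what the scripts actually require. This is inferred from the visible plan excerpt and should be confirmed against the full file.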
@@ -0,0 +1,8 @@ +BEGIN; + +DO $$ +BEGIN + ASSERT (SELECT 1 FROM pg_database WHERE datname='grafana') = 1; +END $$; + +ROLLBACK; diff --git a/src/verify/role_grafana.sql b/src/verify/role_grafana.sql new file mode 100644 index 00000000..56f26b29 --- /dev/null +++ b/src/verify/role_grafana.sql @@ -0,0 +1,13 @@ +BEGIN; + +\set role_service_grafana_username `cat /run/secrets/postgres_role_service_grafana_username` + +SET LOCAL role.service_grafana_username TO :'role_service_grafana_username'; + +DO $$ +BEGIN + ASSERT (SELECT pg_catalog.pg_has_role(current_setting('role.service_grafana_username'), 'USAGE')); + -- Other accounts might not exist yet for a NOT-check. +END $$; + +ROLLBACK; diff --git a/test/fixture/schema.definition.sql b/test/fixture/schema.definition.sql index c12e7908..9eef22a0 100644 --- a/test/fixture/schema.definition.sql +++ b/test/fixture/schema.definition.sql @@ -6486,6 +6486,13 @@ GRANT USAGE ON SCHEMA vibetype TO vibetype_account; GRANT USAGE ON SCHEMA vibetype TO vibetype; +-- +-- Name: SCHEMA vibetype_private; Type: ACL; Schema: -; Owner: ci +-- + +GRANT USAGE ON SCHEMA vibetype_private TO grafana; + + -- -- Name: FUNCTION armor(bytea); Type: ACL; Schema: public; Owner: ci -- @@ -7314,6 +7321,13 @@ GRANT SELECT,INSERT,DELETE,UPDATE ON TABLE vibetype.upload TO vibetype_account; GRANT SELECT,UPDATE ON TABLE vibetype.upload TO vibetype; +-- +-- Name: TABLE account; Type: ACL; Schema: vibetype_private; Owner: ci +-- + +GRANT SELECT ON TABLE vibetype_private.account TO grafana; + + -- -- Name: TABLE achievement_code; Type: ACL; Schema: vibetype_private; Owner: ci --
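Review bot: The assertion only checks that a database named `grafana` exists, and because the deploy skips creation when one already exists, a pre-existing database with a different owner passes both deploy and verify. Reading the username secret with the same `\set` line the deploy script uses, exposing it via `SET LOCAL role.service_grafana_username TO :'role_service_grafana_username';` as `verify/role_grafana.sql` does, and then asserting `ASSERT (SELECT pg_catalog.pg_get_userbyid(datdba) FROM pg_database WHERE datname = 'grafana') = current_setting('role.service_grafana_username');` closes that gap. The `SET LOCAL`/`current_setting` detour is needed because psql does not expand `:'var'` inside the dollar-quoted `DO` body.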
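Review bot: `pg_has_role(current_setting('role.service_grafana_username'), 'USAGE')` tests whether the current session user can use the grafana role, not whether the role exists with the intended attributes: it passes for a superuser deployer through implicit membership and would fail for a non-superuser deployer even when the role is correct. A direct catalog check states the intent and lets the verify pin least-privilege attributes, `ASSERT (SELECT rolcanlogin AND NOT rolsuper AND NOT rolcreaterole AND NOT rolcreatedb FROM pg_roles WHERE rolname = current_setting('role.service_grafana_username'));`, which also fails when the role is missing because `ASSERT` treats a NULL condition as a failure. The trailing comment `-- Other accounts might not exist yet for a NOT-check.` would read more clearly as `-- No negative membership check: the other service roles may not be deployed yet.`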