Merge "Devstack plugin set privileges to json ingester DB"

Zuul 2019-03-21 18:37:54 +00:00 committed by Gerrit Code Review
commit 42f6d876c6
3 changed files with 22 additions and 1 deletions


@ -67,7 +67,8 @@ function configure_congress {
# database_connection_url_postgresql returns URL with wrong prefix,
# so we do a substitution here
local db_connection_mysql=`database_connection_url_postgresql $CONGRESS_JSON_DB_NAME`
iniset $CONGRESS_CONF json_ingester db_connection ${db_connection_mysql/?*:\/\//postgresql:\/\/}
CONGRESS_JSON_DB_CONNECTION_URL=${db_connection_mysql/?*:\/\//postgresql:\/\/}
iniset $CONGRESS_CONF json_ingester db_connection $CONGRESS_JSON_DB_CONNECTION_URL
iniset $CONGRESS_CONF json_ingester config_path "$CONGRESS_JSON_CONF_DIR"
iniset $CONGRESS_CONF json_ingester config_reusables_path "$CONGRESS_JSON_CONF_REUSABLES_PATH"
@ -297,6 +298,11 @@ function init_congress {
configure_database_postgresql
fi
recreate_database_postgresql $CONGRESS_JSON_DB_NAME utf8
psql --set=ingester_role="$CONGRESS_JSON_INGESTER_ROLE" \
--set=user_role="$CONGRESS_JSON_USER_ROLE" \
--set=db_name="$CONGRESS_JSON_DB_NAME" \
$CONGRESS_JSON_DB_CONNECTION_URL \
-f $CONGRESS_DIR/scripts/jgress/setup_permissions.sql
fi
# Run Congress db migrations
congress-db-manage --config-file $CONGRESS_CONF upgrade head
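Review bot: In the `psql` call added to init_congress, a failing statement in setup_permissions.sql will not fail the stack run, because psql carries on and exits 0 on script errors unless `ON_ERROR_STOP` is set; adding `--set=ON_ERROR_STOP=1 \` makes a missed grant visible. `$CONGRESS_JSON_DB_CONNECTION_URL` and the `-f` path are expanded unquoted, and the URL presumably embeds the database password, so it should at least be written `"$CONGRESS_JSON_DB_CONNECTION_URL" \`; keeping the password out of argv (a `~/.pgpass` file, for instance) would stop it showing up in the process list. The variable is also a global assigned in configure_congress in the first hunk, so init_congress silently depends on that function having run first. Both function bodies start and end outside the hunks shown.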


@ -55,6 +55,8 @@ ENABLE_CONGRESS_JSON=$(trueorfalse False ENABLE_CONGRESS_JSON)
CONGRESS_JSON_DB_NAME=${CONGRESS_JSON_DB_NAME:-congress_json}
CONGRESS_JSON_CONF_DIR=$CONGRESS_CONF_DIR/json_ingesters
CONGRESS_JSON_CONF_REUSABLES_PATH=$CONGRESS_CONF_DIR/config_reusables.yaml
CONGRESS_JSON_USER_ROLE=${CONGRESS_JSON_USER_ROLE:-jgress_user}
CONGRESS_JSON_INGESTER_ROLE=${CONGRESS_JSON_INGESTER_ROLE:-root}
TEMPEST_DIR=$DEST/tempest
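Review bot: `CONGRESS_JSON_INGESTER_ROLE` defaults to the literal `root`, but the default privileges granted in setup_permissions.sql only cover objects created by that exact role, so the value has to match whichever user the ingester's connection URL logs in as. If that URL is built from devstack's `DATABASE_USER` (not visible here), defaulting with `CONGRESS_JSON_INGESTER_ROLE=${CONGRESS_JSON_INGESTER_ROLE:-$DATABASE_USER}` keeps the two in step when an operator overrides the database user. A comment such as `# must equal the DB user in json_ingester db_connection; prefer a dedicated non-admin role outside devstack` would record the coupling.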


@ -0,0 +1,13 @@
--Sets up jgress user role and privileges
-- Usage:
-- $ psql --set=ingester_role=<ingester> --set=user_role=<user> --set=db_name=<name> -f setup_permissions.sql
--
-- Variables:
-- ingester_role - name of the role used by jgress ingester
-- user_role - name of the role for users writing & evaluating policy over
-- db_name - name of the postgres database used for jgress ingestion
CREATE ROLE :user_role LOGIN;
ALTER DEFAULT PRIVILEGES FOR USER :ingester_role GRANT USAGE ON schemas TO :user_role;
ALTER DEFAULT PRIVILEGES FOR USER :ingester_role GRANT SELECT ON tables TO :user_role;
GRANT ALL PRIVILEGES ON DATABASE :db_name TO :user_role;
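Review bot: The last statement, `GRANT ALL PRIVILEGES ON DATABASE :db_name TO :user_role;`, gives the user role CREATE and TEMPORARY on the database as well as CONNECT, which is wider than the read-only default privileges set on the two lines above it. If policy users only connect and read ingested tables, `GRANT CONNECT ON DATABASE :"db_name" TO :"user_role";` is enough; if they also create schemas for their own views, listing `CONNECT, CREATE` explicitly documents that intent. The psql variables are spliced in as raw text, so the identifier-quoting form `:"user_role"`, `:"ingester_role"` and `:"db_name"` is safer on every line. `CREATE ROLE :user_role LOGIN;` creates a login role with no password and will error on a second run, since roles outlive the recreated database; a header comment stating that authentication is left to the server's configuration and that the script is not re-runnable would help.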