Devstack plugin set privileges to json ingester DB

By default, users do not have privileges to access the schema and
data tables created by the ingester.
This patch sets up the default privileges so that users get the
intended read access to all schemas and tables created by JSON
ingesters.

Change-Id: I9de2ca6c19971d38be46829263a3267fe234a42d
Closes-bug: 1821098

devstack/plugin.sh

@@ -67,7 +67,8 @@ function configure_congress {
         # database_connection_url_postgresql returns URL with wrong prefix,
         # so we do a substitution here
         local db_connection_mysql=`database_connection_url_postgresql $CONGRESS_JSON_DB_NAME`
-        iniset $CONGRESS_CONF json_ingester db_connection ${db_connection_mysql/?*:\/\//postgresql:\/\/}
+        CONGRESS_JSON_DB_CONNECTION_URL=${db_connection_mysql/?*:\/\//postgresql:\/\/}
+        iniset $CONGRESS_CONF json_ingester db_connection $CONGRESS_JSON_DB_CONNECTION_URL
         iniset $CONGRESS_CONF json_ingester config_path "$CONGRESS_JSON_CONF_DIR"
         iniset $CONGRESS_CONF json_ingester config_reusables_path "$CONGRESS_JSON_CONF_REUSABLES_PATH"
 
@@ -297,6 +298,11 @@ function init_congress {
             configure_database_postgresql
         fi
         recreate_database_postgresql $CONGRESS_JSON_DB_NAME utf8
+        psql --set=ingester_role="$CONGRESS_JSON_INGESTER_ROLE" \
+             --set=user_role="$CONGRESS_JSON_USER_ROLE" \
+             --set=db_name="$CONGRESS_JSON_DB_NAME" \
+             $CONGRESS_JSON_DB_CONNECTION_URL \
+             -f $CONGRESS_DIR/scripts/jgress/setup_permissions.sql
     fi
     # Run Congress db migrations
     congress-db-manage --config-file $CONGRESS_CONF upgrade head

devstack/settings

@@ -55,6 +55,8 @@ ENABLE_CONGRESS_JSON=$(trueorfalse False ENABLE_CONGRESS_JSON)
 CONGRESS_JSON_DB_NAME=${CONGRESS_JSON_DB_NAME:-congress_json}
 CONGRESS_JSON_CONF_DIR=$CONGRESS_CONF_DIR/json_ingesters
 CONGRESS_JSON_CONF_REUSABLES_PATH=$CONGRESS_CONF_DIR/config_reusables.yaml
+CONGRESS_JSON_USER_ROLE=${CONGRESS_JSON_USER_ROLE:-jgress_user}
+CONGRESS_JSON_INGESTER_ROLE=${CONGRESS_JSON_INGESTER_ROLE:-root}
 
 
 TEMPEST_DIR=$DEST/tempest

scripts/jgress/setup_permissions.sql

@@ -0,0 +1,13 @@
+--Sets up jgress user role and privileges
+-- Usage:
+--     $ psql --set=ingester_role=<ingester> --set=user_role=<user> --set=db_name=<name> -f setup_permissions.sql
+--
+-- Variables:
+--   ingester_role - name of the role used by jgress ingester
+--   user_role - name of the role for users writing & evaluating policy over
+--   db_name - name of the postgres database used for jgress ingestion
+
+CREATE ROLE :user_role LOGIN;
+ALTER DEFAULT PRIVILEGES FOR USER :ingester_role GRANT USAGE ON schemas TO :user_role;
+ALTER DEFAULT PRIVILEGES FOR USER :ingester_role GRANT SELECT ON tables TO :user_role;
+GRANT ALL PRIVILEGES ON DATABASE :db_name TO :user_role;