Devstack plugin set privileges to json ingester DB
By default, users do not have privileges to access the schema and data tables created by the ingester. This patch sets up the default privileges so that users get the intended read access to all schemas and tables created by JSON ingesters. Change-Id: I9de2ca6c19971d38be46829263a3267fe234a42d Closes-bug: 1821098
parent
97aff84d2a
commit
aa9a76794c
|
@ -67,7 +67,8 @@ function configure_congress {
|
|||
# database_connection_url_postgresql returns URL with wrong prefix,
|
||||
# so we do a substitution here
|
||||
local db_connection_mysql=`database_connection_url_postgresql $CONGRESS_JSON_DB_NAME`
|
||||
iniset $CONGRESS_CONF json_ingester db_connection ${db_connection_mysql/?*:\/\//postgresql:\/\/}
|
||||
CONGRESS_JSON_DB_CONNECTION_URL=${db_connection_mysql/?*:\/\//postgresql:\/\/}
|
||||
iniset $CONGRESS_CONF json_ingester db_connection $CONGRESS_JSON_DB_CONNECTION_URL
|
||||
iniset $CONGRESS_CONF json_ingester config_path "$CONGRESS_JSON_CONF_DIR"
|
||||
iniset $CONGRESS_CONF json_ingester config_reusables_path "$CONGRESS_JSON_CONF_REUSABLES_PATH"
|
||||
|
||||
|
@ -297,6 +298,11 @@ function init_congress {
|
|||
configure_database_postgresql
|
||||
fi
|
||||
recreate_database_postgresql $CONGRESS_JSON_DB_NAME utf8
|
||||
psql --set=ingester_role="$CONGRESS_JSON_INGESTER_ROLE" \
|
||||
--set=user_role="$CONGRESS_JSON_USER_ROLE" \
|
||||
--set=db_name="$CONGRESS_JSON_DB_NAME" \
|
||||
$CONGRESS_JSON_DB_CONNECTION_URL \
|
||||
-f $CONGRESS_DIR/scripts/jgress/setup_permissions.sql
|
||||
fi
|
||||
# Run Congress db migrations
|
||||
congress-db-manage --config-file $CONGRESS_CONF upgrade head
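Review bot: The new psql call in init_congress cannot report a failed permission setup, because without `ON_ERROR_STOP` psql continues past a failing statement and still exits 0, so a half-applied setup_permissions.sql passes silently. Adding `--set=ON_ERROR_STOP=1` to the call makes the step fail loudly. The connection URL and the script path are also expanded unquoted, and the URL (built in configure_congress from database_connection_url_postgresql) presumably carries the database password, so it shows up in the process list and in any xtrace log. Quoting it as `"$CONGRESS_JSON_DB_CONNECTION_URL"` avoids word-splitting, and supplying the password through PGPASSWORD or a pgpass file would keep it off the command line. init_congress starts and ends outside this hunk.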
|
||||
|
|
|
@ -55,6 +55,8 @@ ENABLE_CONGRESS_JSON=$(trueorfalse False ENABLE_CONGRESS_JSON)
|
|||
CONGRESS_JSON_DB_NAME=${CONGRESS_JSON_DB_NAME:-congress_json}
|
||||
CONGRESS_JSON_CONF_DIR=$CONGRESS_CONF_DIR/json_ingesters
|
||||
CONGRESS_JSON_CONF_REUSABLES_PATH=$CONGRESS_CONF_DIR/config_reusables.yaml
|
||||
CONGRESS_JSON_USER_ROLE=${CONGRESS_JSON_USER_ROLE:-jgress_user}
|
||||
CONGRESS_JSON_INGESTER_ROLE=${CONGRESS_JSON_INGESTER_ROLE:-root}
|
||||
|
||||
|
||||
TEMPEST_DIR=$DEST/tempest
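Review bot: The two new role defaults have no comment saying what they must match. setup_permissions.sql runs `ALTER DEFAULT PRIVILEGES FOR USER :ingester_role`, which only affects objects later created by that exact role, so if the user in the json_ingester db_connection URL is not `CONGRESS_JSON_INGESTER_ROLE` the grants silently never take effect. A comment above them would help, for example `# CONGRESS_JSON_INGESTER_ROLE must be the DB user in the json_ingester db_connection URL; CONGRESS_JSON_USER_ROLE is the role created for policy users`. The `root` default presumably mirrors the devstack database user; that is worth confirming, since such a role is likely far more privileged than an ingester needs.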
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
--Sets up jgress user role and privileges
|
||||
-- Usage:
|
||||
-- $ psql --set=ingester_role=<ingester> --set=user_role=<user> --set=db_name=<name> -f setup_permissions.sql
|
||||
--
|
||||
-- Variables:
|
||||
-- ingester_role - name of the role used by jgress ingester
|
||||
-- user_role - name of the role for users writing & evaluating policy over
|
||||
-- db_name - name of the postgres database used for jgress ingestion
|
||||
|
||||
CREATE ROLE :user_role LOGIN;
|
||||
ALTER DEFAULT PRIVILEGES FOR USER :ingester_role GRANT USAGE ON schemas TO :user_role;
|
||||
ALTER DEFAULT PRIVILEGES FOR USER :ingester_role GRANT SELECT ON tables TO :user_role;
|
||||
GRANT ALL PRIVILEGES ON DATABASE :db_name TO :user_role;
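Review bot: `GRANT ALL PRIVILEGES ON DATABASE :db_name TO :user_role;` gives the user role more than the read access the commit description promises, since at database level ALL includes CREATE and TEMPORARY as well as CONNECT, so jgress users could create their own schemas in the ingester database. `GRANT CONNECT ON DATABASE :db_name TO :user_role;` is enough alongside the default USAGE/SELECT grants. Separately, `CREATE ROLE :user_role LOGIN;` creates a login role with no password, so who can log in as it depends entirely on pg_hba.conf. Because roles are cluster-wide, that statement will also fail on a re-run after recreate_database_postgresql. The variables are interpolated as bare identifiers; the `:"user_role"` form would quote names that need it.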
|