From bc754e088e5e32e7a1559d5e1bab5ff23ac8ae2a Mon Sep 17 00:00:00 2001
From: Maximilian Weiss
Date: Thu, 29 Jul 2021 18:34:17 +0000
Subject: [PATCH] Revoke all privileges for PUBLIC role in postgres dbs

Change-Id: I98102bd9c72264c7e364b50e0683e4777b42b0e7
---
 helm-toolkit/Chart.yaml | 2 +-
 helm-toolkit/templates/scripts/_db-pg-init.sh.tpl | 3 +++
 releasenotes/notes/helm-toolkit.yaml | 1 +
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/helm-toolkit/Chart.yaml b/helm-toolkit/Chart.yaml
index 4f10b0b71..8dfefaa53 100644
--- a/helm-toolkit/Chart.yaml
+++ b/helm-toolkit/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Helm-Toolkit
 name: helm-toolkit
-version: 0.2.18
+version: 0.2.19
 home: https://docs.openstack.org/openstack-helm
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
 sources:
diff --git a/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl b/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
index 93cea2516..4d7dfaa37 100644
--- a/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
+++ b/helm-toolkit/templates/scripts/_db-pg-init.sh.tpl
@@ -63,4 +63,7 @@ pgsql_superuser_cmd "SELECT * FROM pg_roles WHERE rolname = '$USER_DB_USER';" &&
 
 #give permissions to user
 pgsql_superuser_cmd "GRANT ALL PRIVILEGES ON DATABASE $USER_DB_NAME to $USER_DB_USER;"
+
+#revoke all privileges from PUBLIC role
+pgsql_superuser_cmd "REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;"
 {{- end }}
diff --git a/releasenotes/notes/helm-toolkit.yaml b/releasenotes/notes/helm-toolkit.yaml
index c4189d5d7..7e9f998f5 100644
--- a/releasenotes/notes/helm-toolkit.yaml
+++ b/releasenotes/notes/helm-toolkit.yaml
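Review bot: The comment `#revoke all privileges from PUBLIC role` added in the `_db-pg-init.sh.tpl` hunk promises more than `REVOKE ALL ON DATABASE $USER_DB_NAME FROM PUBLIC;` delivers. That statement removes only the database-level privileges PUBLIC holds (by default CONNECT and TEMPORARY), so roles without an explicit grant can no longer connect. The default PUBLIC grants on the `public` schema and on objects inside the database are left as they were. I would reword the comment to `#revoke database-level privileges (CONNECT, TEMPORARY) from PUBLIC; schema and object defaults are not changed` so the line is not read as full isolation of the database. If schema-level hardening is also intended, it would need a separate `REVOKE ... ON SCHEMA public FROM PUBLIC` run inside that database, plus an explicit schema grant to `$USER_DB_USER`; whether `pgsql_superuser_cmd` can target that database is not visible here, because the enclosing template block starts above the hunk.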
@@ -25,4 +25,5 @@ helm-toolkit: - 0.2.16 Add manual mode to the created backup file name - 0.2.17 Update db backup/restore retry for sending to remote - 0.2.18 Make Rabbit-init job more robust + - 0.2.19 Revoke all privileges for PUBLIC role in postgres dbs ...