tracksolid_timescale_grafan.../migrations/18_grant_reporting_ro.sql


-- 18_grant_reporting_ro.sql
-- Read-only access to the reporting.* layer for grafana_ro.
--
-- grafana_ro is the read-only role the STAGING dashboard_api connects as (it reads
-- the prod DB but must be unable to write at the database level, not just by
-- application convention — see docs/STAGING_FLEETOPS_ARCHITECTURE.md §6). It already
-- reads tracksolid.* (Grafana
-- + the migration-07 analytics views), but was never granted SELECT on the
-- reporting.* map/analytics layer (migration 11) — the prod dashboard_api connects
-- as the app/superuser role, so the gap went unnoticed until the read-only staging
-- instance hit "permission denied for view v_filter_drivers / v_daily_summary".
--
-- This grants USAGE + SELECT across reporting.* and sets DEFAULT PRIVILEGES so any
-- future reporting view/table is auto-readable by grafana_ro (no re-grant needed).
-- Caveat: ALTER DEFAULT PRIVILEGES without FOR ROLE only covers objects created by
-- the role that runs this migration; reporting objects created by any other role
-- still need an explicit re-grant (or a FOR ROLE <owner> variant of this statement).
-- Read-only only: no INSERT/UPDATE/DELETE, so grafana_ro still cannot write, and it
-- cannot REFRESH materialized views either (REFRESH requires ownership, not SELECT).
-- Guarded + idempotent -> safe to re-apply.
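-- Grant read-only access to reporting.* to grafana_ro, if that role exists.
-- Idempotent: repeated GRANT / ALTER DEFAULT PRIVILEGES are no-ops once applied.
-- The role check is a guard for environments that never create grafana_ro; it
-- now reports when it skips so a silently missing grant on staging is visible in
-- the migration log instead of surfacing later as "permission denied".
DO $grants$
BEGIN
    IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'grafana_ro') THEN
        -- USAGE is required to resolve any object in the schema at all.
        GRANT USAGE ON SCHEMA reporting TO grafana_ro;
        -- "ALL TABLES" covers ordinary tables, views and materialized views.
        GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO grafana_ro;
        -- Auto-grant SELECT on reporting objects created later. NOTE: with no
        -- FOR ROLE clause this applies only to objects created by the role
        -- executing this migration; objects owned by other roles need a re-grant.
        ALTER DEFAULT PRIVILEGES IN SCHEMA reporting GRANT SELECT ON TABLES TO grafana_ro;
    ELSE
        -- Surface the skip rather than finishing silently with nothing granted.
        RAISE NOTICE '18_grant_reporting_ro: role grafana_ro does not exist, skipping grants';
    END IF;
END $grants$;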