25 lines
1.3 KiB
MySQL
25 lines
1.3 KiB
MySQL
|
|
-- 18_grant_reporting_ro.sql
|
||
|
|
-- Read-only access to the reporting.* layer for grafana_ro.
|
||
|
|
--
|
||
|
|
-- grafana_ro is the read-only role the STAGING dashboard_api connects as (it reads
|
||
|
|
-- the prod DB but must be physically unable to write — see
|
||
|
|
-- docs/STAGING_FLEETOPS_ARCHITECTURE.md §6). It already reads tracksolid.* (Grafana
|
||
|
|
-- + the migration-07 analytics views), but was never granted SELECT on the
|
||
|
|
-- reporting.* map/analytics layer (migration 11) — the prod dashboard_api connects
|
||
|
|
-- as the app/superuser role, so the gap went unnoticed until the read-only staging
|
||
|
|
-- instance hit "permission denied for view v_filter_drivers / v_daily_summary".
|
||
|
|
--
|
||
|
|
-- This grants USAGE + SELECT across reporting.* and sets DEFAULT PRIVILEGES so any
|
||
|
|
-- future reporting view/table is auto-readable by grafana_ro (no re-grant needed).
|
||
|
|
-- Read-only only: no INSERT/UPDATE/DELETE, so grafana_ro still cannot write or
|
||
|
|
-- REFRESH. Guarded + idempotent -> safe to re-apply.
|
||
|
|
|
||
|
|
DO $grants$
|
||
|
|
BEGIN
|
||
|
|
IF EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'grafana_ro') THEN
|
||
|
|
GRANT USAGE ON SCHEMA reporting TO grafana_ro;
|
||
|
|
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO grafana_ro; -- includes views
|
||
|
|
ALTER DEFAULT PRIVILEGES IN SCHEMA reporting GRANT SELECT ON TABLES TO grafana_ro;
|
||
|
|
END IF;
|
||
|
|
END $grants$;
|