From 1325ccf28067df6cbc4685d24f210282fb654ca6 Mon Sep 17 00:00:00 2001 From: Christopher Usher Date: Thu, 7 Nov 2019 01:54:23 +0000 Subject: [PATCH] added a read only user to database setup script --- docker-compose.jsonnet | 4 ++++ postgres/setup.sh | 13 +++++++++++++ 2 files changed, 17 insertions(+) diff --git a/docker-compose.jsonnet b/docker-compose.jsonnet index d876c86..0415268 100644 --- a/docker-compose.jsonnet +++ b/docker-compose.jsonnet @@ -94,6 +94,8 @@ db_super_password:: "postgres", // Must not contain ' or \ as these are not escaped. db_replication_user:: "replicate", // if empty, don't allow replication db_replication_password:: "standby", // don't use default in production. Must not contain ' or \ as these are not escaped. + db_readonly_user:: "vst-ro", // if empty, don't have a readonly account + db_readonly_password:: "volunteer", // don't use default in production. Must not contain ' or \ as these are not escaped. db_standby:: false, // set to true to have this database replicate another server // Path to a JSON file containing google credentials for cutter as keys @@ -354,6 +356,8 @@ WUBLOADER_PASSWORD: $.db_args.password, REPLICATION_USER: $.db_replication_user, REPLICATION_PASSWORD: $.db_replication_password, + READONLY_USER: $.db_readonly_user, + READONLY_PASSWORD: $.db_readonly_password, MASTER_NODE: $.db_args.host, }, volumes: ["%s:/mnt/database" % $.database_path, "%s:/mnt/wubloader" % $.segments_path], diff --git a/postgres/setup.sh b/postgres/setup.sh index 46afe9b..97fdd72 100644 --- a/postgres/setup.sh +++ b/postgres/setup.sh 
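Review bot: The default `db_readonly_user:: "vst-ro"` is not a valid unquoted SQL identifier (a hyphen is not allowed), and postgres/setup.sh in this same patch interpolates it bare into `CREATE USER $READONLY_USER ...` and the three `GRANT ... TO $READONLY_USER` statements, so with the shipped default psql aborts at a syntax error under ON_ERROR_STOP=1. Either choose an identifier-safe default, `db_readonly_user:: "vst_ro", // if empty, don't have a readonly account`, or double-quote the role name in the SQL in setup.sh. The field comment should also state the constraint the script imposes, e.g. `// letters, digits and _ only: used unquoted as a role name in postgres/setup.sh`, in the same way the password comment already states the `'`/`\` restriction.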
@@ -108,3 +108,16 @@ if [ -a /mnt/wubloader/editors.csv ]; then EOF fi +if [ -n "READONLY_USER" ]; then + echo "Creating $READONLY_USER" + # allow $READONLY_USER to connect remotely + echo "host all $READONLY_USER all md5" >> "$PGDATA/pg_hba.conf" + psql -v ON_ERROR_STOP=1 -U $POSTGRES_USER -d $POSTGRES_DB <<-EOSQL + + CREATE USER $READONLY_USER WITH CONNECTION LIMIT 50 LOGIN PASSWORD '$READONLY_PASSWORD'; + GRANT CONNECT ON DATABASE $POSTGRES_DB TO $READONLY_USER; + GRANT USAGE ON SCHEMA public TO $READONLY_USER; + GRANT SELECT ON ALL TABLES IN SCHEMA public TO $READONLY_USER; + + EOSQL +fi
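Review bot: `if [ -n "READONLY_USER" ]; then` tests the literal string rather than the variable, so the branch always runs and the "if empty, don't have a readonly account" behaviour promised in docker-compose.jsonnet never takes effect; with an empty value the script would append a malformed `host all  all md5` line to pg_hba.conf and run `CREATE USER  WITH ...`, which fails under ON_ERROR_STOP. The line should read `if [ -n "$READONLY_USER" ]; then`. Separately, `GRANT SELECT ON ALL TABLES IN SCHEMA public` only covers tables that exist at setup time, so tables created later are invisible to this account; `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO $READONLY_USER;` run as the role that will create those tables keeps them readable. Worth a comment as well: on PostgreSQL releases before 15, PUBLIC holds CREATE on schema public by default, so this role is not strictly read-only unless that is revoked, and the pg_hba entry admits the account from any address (`all`), which is presumably intended for remote access but deserves saying in the comment above it.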