From 7d6bcdd87de02a270c5dddced038f42a3c5404d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Thu, 25 Apr 2024 15:11:37 +0200 Subject: [PATCH] Badges: use a specific user to connect to the datanommer DB MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Bompard --- inventory/inventory | 6 +++++ playbooks/openshift-apps/badges.yml | 23 +++++++++++++++++++ .../badges/templates/fm-fedbadges.toml | 2 +- 3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/inventory/inventory b/inventory/inventory
index aa14d58eb2..7a5d3a0b28 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -190,6 +190,12 @@ db-datanommer01.stg.iad2.fedoraproject.org
 db-koji01.stg.iad2.fedoraproject.org
 #copr-db-stg.aws.fedoraproject.org
+[datanommer_dbserver]
+db-datanommer02.iad2.fedoraproject.org
+
+[datanommer_dbserver_stg]
+db-datanommer01.stg.iad2.fedoraproject.org
+
 # clients that talk to the main postgres servers
 [postgres_clients]
diff --git a/playbooks/openshift-apps/badges.yml b/playbooks/openshift-apps/badges.yml
index b33c3ac93e..31d7bbf623 100644
--- a/playbooks/openshift-apps/badges.yml
+++ b/playbooks/openshift-apps/badges.yml
@@ -25,6 +25,29 @@ owner: "{{ tahrirDBUser }}"
 encoding: UTF-8
+- name: give access to the datanommer DB
+ hosts: datanommer_dbserver:datanommer_dbserver_stg
+ gather_facts: no
+ become: yes
+ become_user: postgres
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ - /srv/web/infra/ansible/vars/apps/badges.yml
+
+ tasks:
+ - name: DB user
+ postgresql_user:
+ name: "{{ tahrirDBUser }}"
+ password: "{{ (env == 'production')|ternary(tahrirDBPassword, tahrirstgDBPassword) }}"
+ - name: grant the db user read only access to datanommer2
+ postgresql_privs:
+ database: datanommer2
+ privs: SELECT
+ objs: ALL_IN_SCHEMA
+ roles: "{{ tahrirDBUser }}"
+
 - name: make the app be real
 hosts: os_control_stg:os_control
 user: root
diff --git a/roles/openshift-apps/badges/templates/fm-fedbadges.toml b/roles/openshift-apps/badges/templates/fm-fedbadges.toml
index ffc801256d..dbc8284275 100644
--- a/roles/openshift-apps/badges/templates/fm-fedbadges.toml
+++ b/roles/openshift-apps/badges/templates/fm-fedbadges.toml
@@ -58,7 +58,7 @@ consume_delay = 1
 database_uri = "postgresql://{{ tahrirDBUser }}:{{ (env == 'production')|ternary(tahrirDBPassword, tahrirstgDBPassword) }}@{{ badges_db_host }}/{{ badges_db_name }}"
 # Datanommer database URI
-datanommer_db_uri = "postgresql://{{ datanommerDBUser }}:{{ (env == 'production')|ternary(datanommerDBPassword, datanommer_stg_db_password) }}@db-datanommer{{ (env == 'production')|ternary('02', '01') }}{{ env_suffix }}/datanommer2"
+datanommer_db_uri = "postgresql://{{ tahrirDBUser }}:{{ (env == 'production')|ternary(tahrirDBPassword, tahrirstgDBPassword) }}@db-datanommer{{ (env == 'production')|ternary('02', '01') }}{{ env_suffix }}/datanommer2"
 datagrepper_url = "https://apps{{ env_suffix }}.fedoraproject.org/datagrepper"
 distgit_hostname = "src{{ env_suffix }}.fedoraproject.org"
 id_provider_hostname = "id{{ env_suffix }}.fedoraproject.org"
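Review bot: The `postgresql_privs` grant (`objs: ALL_IN_SCHEMA`, `privs: SELECT`, with `type` and `schema` left at their defaults of `table` and `public`) is a point-in-time snapshot: it covers only the tables that exist in datanommer2 when the play runs, so any table a later datanommer migration adds stays unreadable for the badges user until someone re-runs this play. If read-only access is meant to persist, add a default-privileges grant for the role that creates datanommer's tables (presumably `datanommerDBUser`, the role the old URI used — confirm it is the table owner), as sketched below; SELECT-only is the right scope, keep it that way. Separately, the play sets `gather_facts: no` but `vars_files` references `{{ ansible_distribution }}`, which is a gathered fact, so this only resolves if facts are cached for these hosts — either drop that vars file or gather facts. Style: Ansible/yamllint prefer `true`/`false` over `yes`/`no` for `become` and `gather_facts`.
```yaml
  tasks:
    # … unchanged: DB user task and the ALL_IN_SCHEMA SELECT grant …
    - name: grant the db user read only access to tables created later in datanommer2
      postgresql_privs:
        database: datanommer2
        type: default_privs
        privs: SELECT
        objs: TABLES
        roles: "{{ tahrirDBUser }}"
        target_roles: "{{ datanommerDBUser }}"
```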
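Review bot: The new `datanommer_db_uri` line splices `tahrirDBPassword`/`tahrirstgDBPassword` into a URL verbatim, so a password containing `@`, `/`, `:`, `#` or `%` would break the URI or be parsed as part of the host; percent-encode the password expression when building the URI (Jinja's `urlencode` filter, checking that it also encodes `/`, which it leaves bare by default) or constrain the generated passwords to URI-safe characters — the pre-existing `database_uri` line above has the same exposure, and since one secret now unlocks both databases, rotating it has to update both URIs together. The patch changes the role the app presents but shows no pg_hba.conf change on the datanommer servers; presumably the existing host-based rule for the badges app's network already admits any role, otherwise the new user will be rejected at connect time, so confirm before rollout. Since the rendered template carries the credential, check that it lands in an OpenShift Secret rather than a ConfigMap; the hunk does not show which.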