From 4fc54a4d88e5520b547f81825bb1c9791e8973e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Thu, 25 Apr 2024 17:00:12 +0200
Subject: [PATCH] Give datagrepper its own DB user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Aurélien Bompard
---
 playbooks/openshift-apps/datagrepper.yml | 24 +++++++++++++++++++
 .../datagrepper/templates/datagrepper.cfg.py | 2 +-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/playbooks/openshift-apps/datagrepper.yml b/playbooks/openshift-apps/datagrepper.yml
index ab836dcb01..0c515bed0e 100644
--- a/playbooks/openshift-apps/datagrepper.yml
+++ b/playbooks/openshift-apps/datagrepper.yml
@@ -1,3 +1,27 @@
+- name: give access to the datanommer DB
+ hosts: datanommer_dbserver:datanommer_dbserver_stg
+ gather_facts: no
+ become: yes
+ become_user: postgres
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ - /srv/web/infra/ansible/vars/apps/badges.yml
+
+ tasks:
+ - name: DB user
+ postgresql_user:
+ name: datagrepper
+ password: "{{ (env == 'production')|ternary(datagrepper_prod_db_password, datagrepper_stg_db_password) }}"
+ - name: grant the db user read only access to datanommer2
+ postgresql_privs:
+ database: datanommer2
+ privs: SELECT
+ objs: ALL_IN_SCHEMA
+ roles: datagrepper
+
+
 - name: make the app be real
 hosts: os_control_stg[0]:os_control[0]
 user: root
diff --git a/roles/openshift-apps/datagrepper/templates/datagrepper.cfg.py b/roles/openshift-apps/datagrepper/templates/datagrepper.cfg.py
index 4f4434bb7b..713480ebe2 100644
--- a/roles/openshift-apps/datagrepper/templates/datagrepper.cfg.py
+++ b/roles/openshift-apps/datagrepper/templates/datagrepper.cfg.py
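Review bot: The `postgresql_privs` task grants SELECT only on the tables that exist in the `public` schema at the moment the play runs (`objs: ALL_IN_SCHEMA` with the module's default `type: table`), so any table datanommer creates later is unreadable by `datagrepper` until someone re-runs this play. A second `postgresql_privs` task with `type: default_privs` would cover future tables; it has to name the role that creates datanommer's tables in `target_roles` (presumably `{{ datanommerDBUser }}`, the variable the old config line used), which I cannot confirm from this diff. Separately, `gather_facts: no` is combined with a `vars_files` entry that interpolates `{{ ansible_distribution }}`, which is only defined here if facts are cached from an earlier run, and the `apps/badges.yml` vars file looks like a leftover from another playbook rather than something datagrepper needs.
```yaml
  # … unchanged: DB user task and the SELECT grant on existing tables …
  - name: grant the db user read only access to tables created in datanommer2 later on
    postgresql_privs:
      database: datanommer2
      type: default_privs
      privs: SELECT
      objs: TABLES
      roles: datagrepper
      target_roles: "{{ datanommerDBUser }}"  # TODO(review): confirm this is the role that creates datanommer's tables
```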
@@ -4,7 +4,7 @@
 APP_PATH = "https://apps{{ env_suffix }}.fedoraproject.org/datagrepper"
 DEFAULT_QUERY_DELTA = 86400
-DATANOMMER_SQLALCHEMY_URL = "postgresql://{{ datanommerDBUser }}:{{ (env == 'production')|ternary(datanommerDBPassword, datanommer_stg_db_password) }}@db-datanommer{{ (env == 'production')|ternary('02', '01') }}{{ env_suffix }}.iad2.fedoraproject.org/datanommer2"
+DATANOMMER_SQLALCHEMY_URL = "postgresql://datagrepper:{{ (env == 'production')|ternary(datagrepper_prod_db_password, datagrepper_stg_db_password) }}@db-datanommer{{ (env == 'production')|ternary('02', '01') }}{{ env_suffix }}.iad2.fedoraproject.org/datanommer2"
 # Only allow ajax/websockets connections back to our domains.
 # https://github.com/fedora-infra/datagrepper/pull/192
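Review bot: The new password is interpolated verbatim into the connection URL on the `+DATANOMMER_SQLALCHEMY_URL` line, so if `datagrepper_prod_db_password` or `datagrepper_stg_db_password` ever contains a URL-reserved character (`@`, `:`, `/`, `%`, `#`) SQLAlchemy will misparse the credentials or the host; either percent-encode the value in the template, e.g. `{{ (env == 'production')|ternary(datagrepper_prod_db_password, datagrepper_stg_db_password)|urlencode }}` (Jinja's `urlencode` leaves `/` unescaped, so it is not a complete fix on its own), or constrain the generated password to URL-safe characters and say so in a comment next to the variable. The same `(env == 'production')|ternary(...)` expression is now duplicated between this template and the `postgresql_user` task in the playbook; resolving it once into a single `datagrepper_db_password` variable would keep the two sides in sync and make a future rotation a one-place change. The rendered file carries the DB password in clear text, and whether the OpenShift object it ends up in is a Secret rather than a ConfigMap is not visible in this diff, so that is worth confirming.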