Give datagrepper its own DB user

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>

playbooks/openshift-apps/datagrepper.yml

@@ -1,3 +1,27 @@
+- name: give access to the datanommer DB
+  hosts: datanommer_dbserver:datanommer_dbserver_stg
+  gather_facts: no
+  become: yes
+  become_user: postgres
+  vars_files:
+    - /srv/web/infra/ansible/vars/global.yml
+    - /srv/private/ansible/vars.yml
+    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+    - /srv/web/infra/ansible/vars/apps/badges.yml
+
+  tasks:
+    - name: DB user
+      postgresql_user:
+        name: datagrepper
+        password: "{{ (env == 'production')|ternary(datagrepper_prod_db_password, datagrepper_stg_db_password) }}"
+    - name: grant the db user read only access to datanommer2
+      postgresql_privs:
+        database: datanommer2
+        privs: SELECT
+        objs: ALL_IN_SCHEMA
+        roles: datagrepper
+
+
 - name: make the app be real
   hosts: os_control_stg[0]:os_control[0]
   user: root

roles/openshift-apps/datagrepper/templates/datagrepper.cfg.py

@@ -4,7 +4,7 @@
 
 APP_PATH = "https://apps{{ env_suffix }}.fedoraproject.org/datagrepper"
 DEFAULT_QUERY_DELTA = 86400
-DATANOMMER_SQLALCHEMY_URL = "postgresql://{{ datanommerDBUser }}:{{ (env == 'production')|ternary(datanommerDBPassword, datanommer_stg_db_password) }}@db-datanommer{{ (env == 'production')|ternary('02', '01') }}{{ env_suffix }}.iad2.fedoraproject.org/datanommer2"
+DATANOMMER_SQLALCHEMY_URL = "postgresql://datagrepper:{{ (env == 'production')|ternary(datagrepper_prod_db_password, datagrepper_stg_db_password) }}@db-datanommer{{ (env == 'production')|ternary('02', '01') }}{{ env_suffix }}.iad2.fedoraproject.org/datanommer2"
 
 # Only allow ajax/websockets connections back to our domains.
 # https://github.com/fedora-infra/datagrepper/pull/192