From aa9a76794c2ed979c395f9d5f2453da7539ad81c Mon Sep 17 00:00:00 2001
From: Eric K
Date: Wed, 20 Mar 2019 15:12:03 -0700
Subject: [PATCH] Devstack plugin set privileges to json ingester DB

By default, users do not have privileges to access the schema and data tables created by the ingester. This patch sets up the default privileges so that users get the intended read access to all schemas and tables created by JSON ingesters.

Change-Id: I9de2ca6c19971d38be46829263a3267fe234a42d
Closes-bug: 1821098
---
 devstack/plugin.sh | 8 +++++++-
 devstack/settings | 2 ++
 scripts/jgress/setup_permissions.sql | 13 +++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 scripts/jgress/setup_permissions.sql

diff --git a/devstack/plugin.sh b/devstack/plugin.sh
index 266358f5d..23645c41e 100755
--- a/devstack/plugin.sh
+++ b/devstack/plugin.sh
@@ -67,7 +67,8 @@ function configure_congress {
 # database_connection_url_postgresql returns URL with wrong prefix,
 # so we do a substitution here
 local db_connection_mysql=`database_connection_url_postgresql $CONGRESS_JSON_DB_NAME`
- iniset $CONGRESS_CONF json_ingester db_connection ${db_connection_mysql/?*:\/\//postgresql:\/\/}
+ CONGRESS_JSON_DB_CONNECTION_URL=${db_connection_mysql/?*:\/\//postgresql:\/\/}
+ iniset $CONGRESS_CONF json_ingester db_connection $CONGRESS_JSON_DB_CONNECTION_URL
 iniset $CONGRESS_CONF json_ingester config_path "$CONGRESS_JSON_CONF_DIR"
 iniset $CONGRESS_CONF json_ingester config_reusables_path "$CONGRESS_JSON_CONF_REUSABLES_PATH"
 
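Review bot: `CONGRESS_JSON_DB_CONNECTION_URL=${db_connection_mysql/?*:\/\//postgresql:\/\/}` is assigned without `local`, evidently so that `init_congress` can read it later in the run, but nothing at the assignment says so and the next reader is likely to "fix" it; a comment such as `# not local: init_congress reuses this URL to run setup_permissions.sql` would pin the intent. The value comes from `database_connection_url_postgresql`, which in devstack typically embeds the database user and password, so this also turns a credential into a global that lives for the rest of stack.sh; if that is not wanted, keep it local here and rebuild the URL where it is consumed. The pre-existing `db_connection_mysql` name is misleading for a postgresql URL and is worth renaming while the line is being touched. `configure_congress` starts and ends outside the hunk.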
@@ -297,6 +298,11 @@ function init_congress {
 configure_database_postgresql
 fi
 recreate_database_postgresql $CONGRESS_JSON_DB_NAME utf8
+ psql --set=ingester_role="$CONGRESS_JSON_INGESTER_ROLE" \
+ --set=user_role="$CONGRESS_JSON_USER_ROLE" \
+ --set=db_name="$CONGRESS_JSON_DB_NAME" \
+ $CONGRESS_JSON_DB_CONNECTION_URL \
+ -f $CONGRESS_DIR/scripts/jgress/setup_permissions.sql
 fi
 # Run Congress db migrations
 congress-db-manage --config-file $CONGRESS_CONF upgrade head
diff --git a/devstack/settings b/devstack/settings
index 6627bd658..1ad64ecfa 100644
--- a/devstack/settings
+++ b/devstack/settings
@@ -55,6 +55,8 @@ ENABLE_CONGRESS_JSON=$(trueorfalse False ENABLE_CONGRESS_JSON)
 CONGRESS_JSON_DB_NAME=${CONGRESS_JSON_DB_NAME:-congress_json}
 CONGRESS_JSON_CONF_DIR=$CONGRESS_CONF_DIR/json_ingesters
 CONGRESS_JSON_CONF_REUSABLES_PATH=$CONGRESS_CONF_DIR/config_reusables.yaml
+CONGRESS_JSON_USER_ROLE=${CONGRESS_JSON_USER_ROLE:-jgress_user}
+CONGRESS_JSON_INGESTER_ROLE=${CONGRESS_JSON_INGESTER_ROLE:-root}
 TEMPEST_DIR=$DEST/tempest
diff --git a/scripts/jgress/setup_permissions.sql b/scripts/jgress/setup_permissions.sql
new file mode 100644
index 000000000..a67d8ac68
--- /dev/null
+++ b/scripts/jgress/setup_permissions.sql
@@ -0,0 +1,13 @@
+--Sets up jgress user role and privileges
+-- Usage:
+-- $ psql --set=ingester_role= --set=user_role= --set=db_name= -f setup_permissions.sql
+--
+-- Variables:
+-- ingester_role - name of the role used by jgress ingester
+-- user_role - name of the role for users writing & evaluating policy over
+-- db_name - name of the postgres database used for jgress ingestion
+
+CREATE ROLE :user_role LOGIN;
+ALTER DEFAULT PRIVILEGES FOR USER :ingester_role GRANT USAGE ON schemas TO :user_role;
+ALTER DEFAULT PRIVILEGES FOR USER :ingester_role GRANT SELECT ON tables TO :user_role;
+GRANT ALL PRIVILEGES ON DATABASE :db_name TO :user_role;
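Review bot: The new `psql` invocation runs the permissions script without `ON_ERROR_STOP`, so a failing statement is only printed and psql still exits 0, and stack.sh carries on with a half-applied grant set; plausible failures are `CREATE ROLE` on a re-run (`recreate_database_postgresql` drops the database, but roles are cluster-wide and survive) and `ALTER DEFAULT PRIVILEGES` for an ingester role that does not exist yet. Adding `--set=ON_ERROR_STOP=1 \` as the first option makes those errors fatal under devstack's errexit, which is what the rest of `init_congress` relies on. `$CONGRESS_JSON_DB_CONNECTION_URL` is also unquoted and, if it carries the database credentials as devstack URLs usually do, it is visible to every local user in the process list for as long as psql runs; quoting it is a one-word fix, and supplying the password through `PGPASSWORD` or `~/.pgpass` instead of the URL avoids the exposure. `init_congress` starts and ends outside the hunk.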
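Review bot: `CONGRESS_JSON_INGESTER_ROLE=${CONGRESS_JSON_INGESTER_ROLE:-root}` has no comment saying that it must be the database role the ingester actually connects as; the permissions script keys its `ALTER DEFAULT PRIVILEGES FOR USER` on this name, so if the connection URL uses a different database user the grants never apply and nothing reports it. A line above the two new variables, `# role the JSON ingester connects as; default privileges are granted for objects this role creates`, would make that coupling visible, and a matching one-liner for `CONGRESS_JSON_USER_ROLE` (the login role created for policy users) costs nothing.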
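Review bot: The psql variables are spliced in as bare identifiers (`CREATE ROLE :user_role LOGIN;` and the three statements after it), so a role or database name containing whitespace, a quote, or mixed case ends up unquoted inside the statement; psql's `:"var"` form quotes the value as an SQL identifier and should be used for all three variables, which also keeps the role name operators set in settings from being interpreted as anything but a name. `GRANT ALL PRIVILEGES ON DATABASE` gives the user role CREATE and TEMP on the database in addition to CONNECT, which is wider than the read access the commit message describes; `GRANT CONNECT ON DATABASE :"db_name" TO :"user_role";` is the minimum if policy users are not meant to create their own schemas. The role is created with LOGIN and no password, so whether it can connect at all is decided by pg_hba.conf; the header comment should say that, and the first header line is missing the space after `--` that the others have.
```sql
CREATE ROLE :"user_role" LOGIN;
ALTER DEFAULT PRIVILEGES FOR USER :"ingester_role" GRANT USAGE ON SCHEMAS TO :"user_role";
ALTER DEFAULT PRIVILEGES FOR USER :"ingester_role" GRANT SELECT ON TABLES TO :"user_role";
GRANT ALL PRIVILEGES ON DATABASE :"db_name" TO :"user_role";
```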