forked from mozilla-services/socorro
roles.sql
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-- This file creates all of the roles and inherited permissions
-- for socorro users on the PostgreSQL database.
-- It does NOT set real passwords for them; you need to do that
-- separately. It does set dummy passwords for a few roles, so
-- if you are setting up Socorro on a non-test machine,
-- you will need to reset those passwords immediately.
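-- Create every Socorro role that does not exist yet, so the script can be
-- re-run without "role already exists" errors.
-- Roles listed in rolepass also receive the dummy password 'aPassword' the
-- first time they are created. That value is published in this file, so it
-- must be reset before the server is used as anything but a test machine.
-- Roles outside rolepass are created with LOGIN but no password.
DO $d$
DECLARE
    someroles TEXT[];
    rolepass TEXT[];
    newrole TEXT;
BEGIN
    someroles := ARRAY['analyst','breakpad','breakpad_ro','breakpad_rw',
        'breakpad_metrics','processor','monitor','monitoring',
        'nagiosdaemon','ganglia','replicator','django','test','socorro'];
    rolepass := ARRAY['breakpad_ro','breakpad_rw','processor','monitor','django','test','socorro'];

    FOR iter IN 1 .. array_upper(someroles, 1) LOOP
        newrole := someroles[iter];

        -- pg_roles lists every role in the cluster. information_schema.enabled_roles
        -- only lists roles the current user holds, so a role that exists but is
        -- not granted to the caller would be missed and CREATE ROLE would fail.
        PERFORM 1 FROM pg_catalog.pg_roles
            WHERE rolname = newrole;

        IF NOT FOUND THEN
            -- quote_ident keeps the dynamic statement valid for any role name
            -- added to the list later (mixed case, reserved words, punctuation).
            EXECUTE 'CREATE ROLE ' || quote_ident(newrole) ||
                ' WITH NOSUPERUSER INHERIT NOCREATEROLE NOCREATEDB LOGIN';

            IF newrole = ANY ( rolepass ) THEN
                EXECUTE 'ALTER ROLE ' || quote_ident(newrole) ||
                    ' WITH PASSWORD ''aPassword''';
                -- Make the dummy credential visible to whoever runs the script.
                RAISE WARNING 'role % was created with the dummy password; reset it before non-test use', newrole;
            END IF;
        END IF;
    END LOOP;
END;
$d$;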
-- analyst: role for read-only connections by analytics users.
-- At most 10 concurrent connections, statements are cancelled after
-- 15 minutes, and each session gets larger sort and temp-table memory.
-- NOTE(review): nothing in this file makes the role read-only; that
-- depends on the object privileges granted elsewhere -- confirm.
ALTER ROLE analyst WITH CONNECTION LIMIT 10;
ALTER ROLE analyst
    SET statement_timeout = '15min';
ALTER ROLE analyst
    SET work_mem = '128MB';
ALTER ROLE analyst
    SET temp_buffers = '128MB';
-- breakpad is the group role for the main application users: it cannot
-- log in itself, and the login roles below are made members of it.
-- The roles are created with INHERIT, so members use the group's
-- privileges automatically.
-- NOTE(review): breakpad_ro and breakpad_rw receive the same membership
-- here; any read-only / read-write difference must come from grants made
-- elsewhere -- confirm.
ALTER ROLE breakpad NOLOGIN;
GRANT breakpad
    TO breakpad_ro
    GRANTED BY postgres;
GRANT breakpad
    TO breakpad_rw
    GRANTED BY postgres;
-- breakpad_metrics: user for the nightly batch updates from metrics
GRANT breakpad
    TO breakpad_metrics
    GRANTED BY postgres;
-- Data-processing roles: processor and monitor are both members of
-- breakpad_rw. monitor is also a member of processor, so it holds
-- breakpad_rw both directly and through processor.
GRANT breakpad_rw
    TO processor
    GRANTED BY postgres;
GRANT breakpad_rw
    TO monitor
    GRANTED BY postgres;
GRANT processor
    TO monitor
    GRANTED BY postgres;
-- monitoring is a group role that cannot log in; ganglia and nagiosdaemon
-- are the separate login users that are made members of it.
ALTER ROLE monitoring NOLOGIN;
GRANT monitoring
    TO ganglia
    GRANTED BY postgres;
GRANT monitoring
    TO nagiosdaemon
    GRANTED BY postgres;
-- replicator: role used for replication.
-- NOTE(review): this turns a LOGIN role into a full superuser. On server
-- versions that have the REPLICATION role attribute, that attribute alone
-- is enough for streaming replication -- confirm the target version
-- before narrowing this.
-- This script creates replicator without a password, so who can connect
-- as it is decided by pg_hba.conf; restrict that entry to the standby hosts.
ALTER ROLE replicator SUPERUSER;