Bah 2768 | Creating read only users for mart DB and openMRS DB

bahmni-lite/.env

@@ -113,10 +113,15 @@ [email protected]
 METABASE_ADMIN_FIRST_NAME=Admin
 METABASE_ADMIN_PASSWORD=Admin@123
 METABASE_DB_NAME=metabase
-METABASE_DB_USER=metabase-user
+METABASE_DB_USER=postgres
+METABASE_DB_USERNAME=metabase_user
 METABASE_DB_PASSWORD=password
 METABASE_DB_HOST=metabasedb
 METABASE_DB_PORT=5432
+METABASE_OPENMRS_DB_PASSWORD=password
+METABASE_OPENMRS_DB_USERNAME=readonly_openmrs_user
+METABASE_MART_DB_USERNAME=readonly_mart_user
+METABASE_MART_DB_PASSWORD=password
 
 #Metabase Postgres Environment Variables
 METABASE_POSTGRES_IMAGE_TAG=15.1
@@ -127,5 +132,8 @@ BAHMNI_MART_IMAGE_TAG=latest
 MART_CRON_TIME="*/15 * * * *"
 MART_DB_HOST=martdb
 MART_DB_NAME=martdb
-MART_DB_USERNAME=bahmni-mart
-MART_DB_PASSWORD=password
+MART_DB_USERNAME=mart_user
+MART_DB_PASSWORD=password
+MART_DB_USER=postgres
+MART_OPENMRS_DB_USERNAME=readonly_openmrs_user
+MART_OPENMRS_DB_PASSWORD=password

bahmni-lite/db_init_scripts/init_mart_db.sh

@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+
+psql -tc "SELECT 1 FROM pg_database WHERE datname = '${MART_DB_NAME}'" | grep -q 1 || psql -c "CREATE DATABASE ${MART_DB_NAME}"
+psql -c "REVOKE ALL ON DATABASE ${MART_DB_NAME} FROM PUBLIC;"
+psql -c "CREATE USER ${MART_DB_USERNAME} WITH ENCRYPTED PASSWORD '${MART_DB_PASSWORD}';"
+psql -c "GRANT ALL ON DATABASE ${MART_DB_NAME} TO ${MART_DB_PASSWORD};"
+
+psql -c "CREATE ROLE readaccess;"
+psql -c "GRANT USAGE ON SCHEMA public TO readaccess;"
+psql -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;"
+
+psql -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;"
+
+psql -c "CREATE USER ${MART_OPENMRS_DB_USERNAME} WITH ENCRYPTED PASSWORD '${MART_OPENMRS_DB_PASSWORD}';"
+psql -c "GRANT readaccess ON DATABSE ${OPENMRS_DB_NAME} TO ${MART_OPENMRS_DB_USERNAME};"

bahmni-lite/db_init_scripts/init_metabase_db.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+set -e
+psql -tc "SELECT 1 FROM pg_database WHERE datname = '${METABASE_DB_NAME}'" | grep -q 1 || psql -c "CREATE DATABASE ${METABASE_DB_NAME}"
+psql -c "REVOKE ALL ON DATABASE ${METABASE_DB_NAME} FROM PUBLIC;"
+psql -c "CREATE USER ${METABASE_DB_USERNAME} WITH ENCRYPTED PASSWORD '${METABASE_DB_PASSWORD}';"
+psql -c "GRANT ALL ON DATABASE ${METABASE_DB_NAME} TO ${METABASE_DB_USERNAME};"
+
+psql -c "CREATE ROLE readaccess;"
+psql -c "GRANT USAGE ON SCHEMA public TO readaccess;"
+psql -c "GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;"
+
+psql -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;"
+
+psql -c "CREATE USER ${METABASE_OPENMRS_DB_USERNAME} WITH ENCRYPTED PASSWORD '${METABASE_OPENMRS_DB_PASSWORD}';"
+psql -c "GRANT readaccess ON DATABSE ${OPENMRS_DB_NAME} TO ${METABASE_OPENMRS_DB_USERNAME};"
+psql -c "CREATE USER ${METABASE_MART_DB_USERNAME} WITH ENCRYPTED PASSWORD '${METABASE_MART_DB_PASSWORD}';"
+psql -c "GRANT readaccess ON DATABSE ${MART_DB_NAME} TO ${METABASE_MART_DB_USERNAME};"