From 912476ef2c59e9897d651f1db25601085fb10e65 Mon Sep 17 00:00:00 2001
From: "Bachor, Pascal, SIT.BS"
Date: Tue, 2 Jul 2024 14:13:09 +0000
Subject: [PATCH 1/2] Don't access database with a superuser. Create dedicated read user
---
 puppet/oss/compose.yaml | 5 +++--
 puppet/oss/postgresql_init/roles.sql | 9 +++++++++
 puppet/oss/read-database.ini | 4 ++++
 3 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 puppet/oss/postgresql_init/roles.sql
 create mode 100644 puppet/oss/read-database.ini
diff --git a/puppet/oss/compose.yaml b/puppet/oss/compose.yaml
index 00812f8..449c7e6 100644
--- a/puppet/oss/compose.yaml
+++ b/puppet/oss/compose.yaml
@@ -39,6 +39,7 @@ services:
 - PUPPETDB_USER=${POSTGRES_USER:-puppetdb}
 volumes:
 - puppetdb:/opt/puppetlabs/server/data/puppetdb
+ - ./read-database.ini:/etc/puppetlabs/puppetdb/conf.d/read-database.ini:ro
 restart: always
 ports:
 - 8081:8081
@@ -50,8 +51,8 @@ services:
 hostname: postgres
 environment:
 - POSTGRES_DB=${POSTGRES_DB:-puppetdb}
- - POSTGRES_USER=${POSTGRES_USER:-puppetdb}
- - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-puppetdb}
+ - POSTGRES_USER=postgres
+ - POSTGRES_PASSWORD=postgres
 healthcheck:
 test: ["CMD-SHELL", "sh -c 'pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}'"]
 interval: 10s
diff --git a/puppet/oss/postgresql_init/roles.sql b/puppet/oss/postgresql_init/roles.sql
new file mode 100644
index 0000000..8a99e74
--- /dev/null
+++ b/puppet/oss/postgresql_init/roles.sql
@@ -0,0 +1,9 @@
+CREATE USER puppetdb PASSWORD 'puppetdb';
+CREATE USER puppetdb_read PASSWORD 'puppetdb_read';
+
+REVOKE CREATE ON SCHEMA public FROM public;
+GRANT CREATE ON SCHEMA public TO puppetdb;
+
+ALTER DEFAULT PRIVILEGES FOR USER puppetdb IN SCHEMA public GRANT SELECT ON tables TO puppetdb_read;
+ALTER DEFAULT PRIVILEGES FOR USER puppetdb IN SCHEMA public GRANT USAGE ON sequences TO puppetdb_read;
+ALTER DEFAULT PRIVILEGES FOR USER puppetdb IN SCHEMA public GRANT EXECUTE ON functions TO puppetdb_read;
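Review bot: The healthcheck context line still probes with `-U ${POSTGRES_USER}` while the added lines initialize the container with the literal superuser `postgres`; `${POSTGRES_USER}` is substituted by Compose from the host environment, where in this file it now denotes the PuppetDB application role (see `PUPPETDB_USER=${POSTGRES_USER:-puppetdb}` in the previous hunk), so the probe runs as a role the server was never initialized with. pg_isready reports the server as accepting connections regardless of credentials, so the check still passes, but every 10s probe with an unknown role (or an empty one when the variable is unset) is logged by PostgreSQL as a failed connection attempt, which buries genuine authentication failures in noise. Escaping the expansion so it reads the container's own environment, `test: ["CMD-SHELL", "sh -c 'pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB'"]`, keeps the probe aligned with whatever role the container was created with. The same healthcheck line is carried unchanged through the PATCH 2/2 compose.yaml hunk.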
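Review bot: Both role passwords are literals in a versioned SQL file (`PASSWORD 'puppetdb'`, `PASSWORD 'puppetdb_read'`) and are not tied to the environment-driven values the compose file hands to PuppetDB (`PUPPETDB_USER=${POSTGRES_USER:-puppetdb}` in the first hunk), so an operator who sets POSTGRES_USER or POSTGRES_PASSWORD in `.env` ends up with a `puppetdb` role whose name or password no longer matches the client, and the sample values otherwise double as the production credentials. Plain `.sql` init files cannot read the environment; if this file runs from the image's init directory (the mount is not part of this patch), a shell init script next to it that passes the same variables to psql with `-v`, or a psql `\set` fed from an exported variable and used as `PASSWORD :'pw'`, would let the roles follow the same settings. Note also that init scripts only execute on a fresh, empty data directory, so an existing `postgres` volume will not gain `puppetdb_read` and PuppetDB's read-database connection will fail until the roles are created by hand; that is worth stating in the commit message or a README. The `REVOKE CREATE ON SCHEMA public FROM public` plus `ALTER DEFAULT PRIVILEGES` pair is a sound least-privilege shape for the reader role.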
diff --git a/puppet/oss/read-database.ini b/puppet/oss/read-database.ini
new file mode 100644
index 0000000..1aa64de
--- /dev/null
+++ b/puppet/oss/read-database.ini
@@ -0,0 +1,4 @@
+[read-database]
+subname = //postgres:5432/puppetdb
+username = puppetdb_read
+password = puppetdb_read
From 32bd5a29d521863070588c69101e4d1c2796a392 Mon Sep 17 00:00:00 2001
From: "Bachor, Pascal, SIT.BS"
Date: Wed, 3 Jul 2024 09:34:24 +0200
Subject: [PATCH 2/2] Make postgres initialization / super user configurable
---
 puppet/oss/compose.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/puppet/oss/compose.yaml b/puppet/oss/compose.yaml
index 449c7e6..efbbbf6 100644
--- a/puppet/oss/compose.yaml
+++ b/puppet/oss/compose.yaml
@@ -51,8 +51,8 @@ services:
 hostname: postgres
 environment:
 - POSTGRES_DB=${POSTGRES_DB:-puppetdb}
- - POSTGRES_USER=postgres
- - POSTGRES_PASSWORD=postgres
+ - POSTGRES_USER=${POSTGRES_SUPERUSER:-postgres}
+ - POSTGRES_PASSWORD=${POSTGRES_SUPERUSER_PASSWORD:-postgres}
 healthcheck:
 test: ["CMD-SHELL", "sh -c 'pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}'"]
 interval: 10s
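Review bot: `subname = //postgres:5432/puppetdb` hard-codes the database name while the compose file creates it from `${POSTGRES_DB:-puppetdb}`, so overriding POSTGRES_DB leaves the read-only connection pointing at a database that does not exist; the literal `puppetdb_read` password has the same problem and is now committed here alongside the identical literal in roles.sql. Because the file is bind-mounted straight from the checkout, it is the one artefact in this series that cannot be adjusted through `.env`; generating it at start-up from the same variables, or at least documenting that it must be edited together with roles.sql and kept out of version control once real credentials are in it, would keep the two sides from drifting apart.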
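Review bot: The superuser password still falls back to the literal `postgres` when POSTGRES_SUPERUSER_PASSWORD is unset, so a deployment that forgets the variable silently runs with a well-known superuser credential; the postgres image refuses to start without a password, and a weak default only hides that safety net. Compose's required-variable form, `- POSTGRES_PASSWORD=${POSTGRES_SUPERUSER_PASSWORD:?set POSTGRES_SUPERUSER_PASSWORD in .env}`, makes `compose up` fail loudly instead of starting insecurely. The default for POSTGRES_SUPERUSER is fine to keep, since `postgres` is a role name rather than a secret.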