@@ -9,6 +9,10 @@ CREATE USER xxx_db_hasura_username_xxx PASSWORD 'xxx_db_hasura_password_xxx';
99CREATE USER xxx_db_tiamat_username_xxx PASSWORD ' xxx_db_tiamat_password_xxx'
1010CREATE USER xxx_db_timetables_api_username_xxx PASSWORD ' xxx_db_timetables_api_password_xxx'
1111
12+ -- make the JORE4 admin user the owner of the public schema of the network and
13+ -- routes (default) database
14+ ALTER SCHEMA public OWNER TO CURRENT_USER ;
15+
1216-- Create the extensions used, see https://hasura.io/docs/latest/graphql/core/deployment/postgres-requirements.html
1317-- Create the extensions in the public schema, since we'd need to give additional privileges ("use schema") to any
1418-- user who wishes to use these in the future. Also, Hasura would require additional setup to be able to use the
@@ -20,10 +24,28 @@ CREATE EXTENSION IF NOT EXISTS btree_gist;
2024-- allow hasura to create new schemas
2125GRANT CREATE ON DATABASE xxx_db_hasura_name_xxx TO xxx_db_hasura_username_xxx;
2226
27+ -- grant select permissions on information_schema and pg_catalog to the hasura
28+ -- user
29+ GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO xxx_db_hasura_username_xxx;
30+ GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO xxx_db_hasura_username_xxx;
31+
32+ -- grant required privileges in the public schema to the hasura user
33+ GRANT ALL ON SCHEMA public TO xxx_db_hasura_username_xxx;
34+ GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_hasura_username_xxx;
35+ GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_hasura_username_xxx;
36+
2337-- create database for auth and give ALL privileges to auth db user
2438CREATE DATABASE xxx_db_auth_name_xxx ;
2539GRANT ALL ON DATABASE xxx_db_auth_name_xxx TO xxx_db_auth_username_xxx;
2640
41+ \connect xxx_db_auth_name_xxx;
42+
43+ -- make the JORE4 admin user the owner of the public schema of the auth database
44+ ALTER SCHEMA public OWNER TO CURRENT_USER ;
45+
46+ -- grant full schema access to the public schema to the auth user
47+ GRANT ALL ON SCHEMA public TO xxx_db_auth_username_xxx;
48+
2749-- Make hasura role a member of jore3importer role because both roles must have
2850-- ownership of tables and sequences since both are responsible for populating
2951-- and truncating tables. In particular, sequence reset requires an ownership
@@ -34,6 +56,15 @@ GRANT xxx_db_jore3importer_username_xxx TO xxx_db_hasura_username_xxx;
3456CREATE DATABASE xxx_db_jore3importer_name_xxx ;
3557GRANT ALL ON DATABASE xxx_db_jore3importer_name_xxx TO xxx_db_jore3importer_username_xxx;
3658
59+ \connect xxx_db_jore3importer_name_xxx;
60+
61+ -- make the JORE4 admin user the owner of the public schema of the jore3importer
62+ -- database
63+ ALTER SCHEMA public OWNER TO CURRENT_USER ;
64+
65+ -- grant usage access to the public schema to the jore3importer user
66+ GRANT USAGE ON SCHEMA public TO xxx_db_jore3importer_username_xxx;
67+
3768-- create database for timetables and allow hasura to create new schemas in it
3869CREATE DATABASE xxx_db_timetables_name_xxx ;
3970GRANT CREATE ON DATABASE xxx_db_timetables_name_xxx TO xxx_db_hasura_username_xxx;
@@ -44,25 +75,53 @@ ALTER DATABASE xxx_db_timetables_name_xxx SET intervalstyle = 'iso_8601';
4475-- switch database context to timetables db to be able to add extensions there
4576\connect xxx_db_timetables_name_xxx;
4677
78+ -- make the JORE4 admin user the owner of the public schema of the timetables
79+ -- database
80+ ALTER SCHEMA public OWNER TO CURRENT_USER ;
81+
4782CREATE EXTENSION IF NOT EXISTS pgcrypto;
4883CREATE EXTENSION IF NOT EXISTS btree_gist;
4984
85+ -- grant select permissions on information_schema and pg_catalog to the hasura
86+ -- user
87+ GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO xxx_db_hasura_username_xxx;
88+ GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO xxx_db_hasura_username_xxx;
89+
90+ -- grant required privileges in the public schema to the hasura user
91+ GRANT ALL ON SCHEMA public TO xxx_db_hasura_username_xxx;
92+ GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_hasura_username_xxx;
93+ GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_hasura_username_xxx;
94+
95+ -- grant usage to the public schema to the timetables-api user
96+ GRANT USAGE ON SCHEMA public TO xxx_db_timetables_api_username_xxx;
97+
5098-- create database for stop registry and give ALL privileges to Tiamat in it
5199CREATE DATABASE xxx_db_tiamat_name_xxx ;
52100GRANT ALL ON DATABASE xxx_db_tiamat_name_xxx TO xxx_db_tiamat_username_xxx;
53101
54102-- switch database context to stop db to initialize it to the state where tiamat can use it
55103\connect xxx_db_tiamat_name_xxx;
56104
105+ -- make the JORE4 admin user the owner of the public schema of the stop registry
106+ -- database
107+ ALTER SCHEMA public OWNER TO CURRENT_USER ;
108+
57109CREATE EXTENSION IF NOT EXISTS pg_trgm WITH SCHEMA public;
58110CREATE EXTENSION IF NOT EXISTS postgis WITH SCHEMA public;
59111
112+ -- grant access to the PostGIS tables and functions to the tiamat user
113+ GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_tiamat_username_xxx;
114+ GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_tiamat_username_xxx;
115+
60116CREATE SCHEMA IF NOT EXISTS topology AUTHORIZATION xxx_db_tiamat_username_xxx;
61117CREATE EXTENSION IF NOT EXISTS postgis_topology WITH SCHEMA topology;
62118-- the postgis_topology creates two tables
63119ALTER TABLE topology .layer OWNER TO xxx_db_tiamat_username_xxx;
64120ALTER TABLE topology .topology OWNER TO xxx_db_tiamat_username_xxx;
65121
122+ -- grant full schema access to the public schema to the tiamat user
123+ GRANT ALL ON SCHEMA public TO xxx_db_tiamat_username_xxx;
124+
66125-- grant hasura user read permissions to the tiamat database
67126GRANT CONNECT ON DATABASE xxx_db_tiamat_name_xxx TO xxx_db_hasura_username_xxx;
68127
0 commit comments