Update PostGIS base Docker image for Azure mock database: 12-3.1 -> 15-3.5

jarkkoka · jarkkoka · commit f7aa2fe9e229 · 2025-02-21T12:11:07.000+02:00
In PostgreSQL 15, full schema privileges must be separately granted to users
performing database migrations.

Make the JORE4 administrator role the owner of the public schema for all
databases. In PostgreSQL 12, this was the default.
diff --git a/azuredbmock/Dockerfile b/azuredbmock/Dockerfile
@@ -1,5 +1,5 @@
-# Builder docker image.
-FROM postgis/postgis:12-3.1
+# base Docker image
+FROM postgis/postgis:15-3.5
 
 # fix collations to use fi_FI
 RUN localedef -i fi_FI -c -f UTF-8 -A /usr/share/locale/locale.alias fi_FI.UTF-8
diff --git a/azuredbmock/migrations/02-create-network-database.sql b/azuredbmock/migrations/02-create-network-database.sql
@@ -1,3 +1,6 @@
+-- Make the JORE4 admin role the owner of the public schema.
+ALTER SCHEMA public OWNER TO CURRENT_USER;
+
 -- Create the extensions used, see https://hasura.io/docs/latest/graphql/core/deployment/postgres-requirements.html
 -- Create the extensions in the public schema, since we'd need to give additional privileges ("use schema") to any
 -- user who wishes to use these in the future. Also, Hasura would require additional setup to be able to use the
@@ -6,5 +9,19 @@ CREATE EXTENSION IF NOT EXISTS btree_gist WITH SCHEMA public;
 CREATE EXTENSION IF NOT EXISTS pgcrypto WITH SCHEMA public;
 CREATE EXTENSION IF NOT EXISTS postgis WITH SCHEMA public;
 
--- Allow Hasura to create new schemas.
-GRANT CREATE ON DATABASE xxx_db_hasura_name_xxx TO xxx_db_hasura_username_xxx;
+-- Allow Hasura to connect and create new schemas.
+GRANT CONNECT, CREATE ON DATABASE xxx_db_hasura_name_xxx TO xxx_db_hasura_username_xxx;
+
+-- Grant select permissions on information_schema and pg_catalog to the Hasura
+-- user.
+GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO xxx_db_hasura_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO xxx_db_hasura_username_xxx;
+
+-- Grant required privileges in the public schema to the Hasura user.
+GRANT ALL ON SCHEMA public TO xxx_db_hasura_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_hasura_username_xxx;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_hasura_username_xxx;
+
+-- Allow the JORE3-Importer role to connect to the network database.
+-- The schema-specific privileges are granted in Hasura migrations.
+GRANT CONNECT ON DATABASE xxx_db_hasura_name_xxx TO xxx_db_jore3importer_username_xxx;
diff --git a/azuredbmock/migrations/03-create-auth-database.sql b/azuredbmock/migrations/03-create-auth-database.sql
@@ -1,3 +1,12 @@
--- Create database and give ALL privileges to the auth role.
 CREATE DATABASE xxx_db_auth_name_xxx;
-GRANT ALL ON DATABASE xxx_db_auth_name_xxx TO xxx_db_auth_username_xxx;
+
+-- Allow the auth role to connect and create new schemas.
+GRANT CONNECT, CREATE ON DATABASE xxx_db_auth_name_xxx TO xxx_db_auth_username_xxx;
+
+\connect xxx_db_auth_name_xxx;
+
+-- Make the JORE4 admin role the owner of the public schema.
+ALTER SCHEMA public OWNER TO CURRENT_USER;
+
+-- Grant full schema access to the public schema to the auth role.
+GRANT ALL ON SCHEMA public TO xxx_db_auth_username_xxx;
diff --git a/azuredbmock/migrations/04-create-jore3importer-database.sql b/azuredbmock/migrations/04-create-jore3importer-database.sql
@@ -1,3 +1,19 @@
--- Create database and give ALL privileges to the jore3importer role.
 CREATE DATABASE xxx_db_jore3importer_name_xxx;
-GRANT ALL ON DATABASE xxx_db_jore3importer_name_xxx TO xxx_db_jore3importer_username_xxx;
+
+-- Allow the jore3importer role to connect and create new schemas.
+GRANT CONNECT, CREATE ON DATABASE xxx_db_jore3importer_name_xxx TO xxx_db_jore3importer_username_xxx;
+
+\connect xxx_db_jore3importer_name_xxx;
+
+-- Make the JORE4 admin role the owner of the public schema.
+ALTER SCHEMA public OWNER TO CURRENT_USER;
+
+-- Create the extensions that JORE3-Importer needs. In PostgreSQL v15 server,
+-- an ordinary user (without admin roles) may not be able to create extensions.
+CREATE EXTENSION IF NOT EXISTS btree_gist WITH SCHEMA public;
+CREATE EXTENSION IF NOT EXISTS pgcrypto WITH SCHEMA public;
+
+-- Grant privileges in the public schema to the jore3importer role.
+GRANT USAGE ON SCHEMA public TO xxx_db_jore3importer_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_jore3importer_username_xxx;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_jore3importer_username_xxx;
diff --git a/azuredbmock/migrations/05-create-timetables-database.sql b/azuredbmock/migrations/05-create-timetables-database.sql
@@ -1,6 +1,7 @@
--- Create database and allow Hasura to create new schemas in it.
 CREATE DATABASE xxx_db_timetables_name_xxx;
-GRANT CREATE ON DATABASE xxx_db_timetables_name_xxx TO xxx_db_hasura_username_xxx;
+
+-- Allow Hasura to connect and create new schemas.
+GRANT CONNECT, CREATE ON DATABASE xxx_db_timetables_name_xxx TO xxx_db_hasura_username_xxx;
 
 -- Interval outputs by default are using the sql format ('3 4:05:06'). Here we
 -- are switching to ISO 8601 format ('P3DT4H5M6S').
@@ -9,5 +10,21 @@ ALTER DATABASE xxx_db_timetables_name_xxx SET intervalstyle = 'iso_8601';
 -- Switch database context to be able to add extensions there.
 \connect xxx_db_timetables_name_xxx;
 
+-- Make the JORE4 admin role the owner of the public schema.
+ALTER SCHEMA public OWNER TO CURRENT_USER;
+
 CREATE EXTENSION IF NOT EXISTS btree_gist WITH SCHEMA public;
 CREATE EXTENSION IF NOT EXISTS pgcrypto WITH SCHEMA public;
+
+-- Grant select permissions on information_schema and pg_catalog to Hasura.
+GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO xxx_db_hasura_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO xxx_db_hasura_username_xxx;
+
+-- Grant required privileges in the public schema to Hasura.
+GRANT ALL ON SCHEMA public TO xxx_db_hasura_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_hasura_username_xxx;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_hasura_username_xxx;
+
+-- Allow the timetables-api role to connect to the timetables database.
+-- The schema-specific privileges are granted in Hasura migrations.
+GRANT CONNECT ON DATABASE xxx_db_timetables_name_xxx TO xxx_db_timetables_api_username_xxx;
diff --git a/azuredbmock/migrations/06-create-stopregistry-database.sql b/azuredbmock/migrations/06-create-stopregistry-database.sql
@@ -1,14 +1,23 @@
--- Create database and give ALL privileges to Tiamat in it.
 CREATE DATABASE xxx_db_tiamat_name_xxx;
-GRANT ALL ON DATABASE xxx_db_tiamat_name_xxx TO xxx_db_tiamat_username_xxx;
+
+-- Allow Tiamat to connect and create new schemas.
+GRANT CONNECT, CREATE ON DATABASE xxx_db_tiamat_name_xxx TO xxx_db_tiamat_username_xxx;
 
 -- Switch database context to initialise it to the state where Tiamat can use
 -- it.
 \connect xxx_db_tiamat_name_xxx;
 
+-- Make the JORE4 admin role the owner of the public schema.
+ALTER SCHEMA public OWNER TO CURRENT_USER;
+
 CREATE EXTENSION IF NOT EXISTS pg_trgm WITH SCHEMA public;
 CREATE EXTENSION IF NOT EXISTS postgis WITH SCHEMA public;
 
+-- Grant required privileges in the public schema to Tiamat.
+GRANT ALL ON SCHEMA public TO xxx_db_tiamat_username_xxx;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO xxx_db_tiamat_username_xxx;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO xxx_db_tiamat_username_xxx;
+
 -- Create "topology" schema and install the "postgis_topology" extension to it.
 -- The Tiamat role needs ownership to the schema and its tables.
 CREATE SCHEMA IF NOT EXISTS topology;
