added readaccess role; refactored init scripts; run init script as postgres user

docker-entrypoint-initdb-core.d/1.1.0_01_revoke_public.sh

@@ -0,0 +1,7 @@
+#! /usr/bin/env bash
+
+psql <<-EOF
+\c ${POSTGRES_DB}
+
+REVOKE ALL ON schema public FROM public;
+EOF

docker-entrypoint-initdb-core.d/1.1.0_02_master_create_ro_user.sh

@@ -1,36 +0,0 @@
-#! /usr/bin/env bash
-
-if [ "${POSTGRES_MASTER_MODE}" != 1 ]
-then
-  echo "Database is not in master mode. Exiting."
-  exit 0
-fi
-
-psql <<-EOF
-CREATE USER ${POSTGRES_RO_USER} WITH ENCRYPTED PASSWORD '${POSTGRES_RO_PASSWORD}';-- NOINHERIT;
-
-\c ${POSTGRES_DB}
-
-REVOKE ALL ON DATABASE ${POSTGRES_DB} FROM ${POSTGRES_RO_USER};
-GRANT CONNECT ON DATABASE ${POSTGRES_DB} TO ${POSTGRES_RO_USER};
-
-REVOKE ALL ON SCHEMA public FROM ${POSTGRES_RO_USER};
-REVOKE CREATE ON SCHEMA public FROM ${POSTGRES_RO_USER};
-GRANT USAGE ON SCHEMA public TO ${POSTGRES_RO_USER};
-
-REVOKE ALL ON ALL TABLES IN SCHEMA public FROM ${POSTGRES_RO_USER};
-GRANT SELECT ON ALL TABLES IN SCHEMA public TO ${POSTGRES_RO_USER};
-ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM ${POSTGRES_RO_USER};
-ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ${POSTGRES_RO_USER};
-
-REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM ${POSTGRES_RO_USER};
-GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO ${POSTGRES_RO_USER};
-ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM ${POSTGRES_RO_USER};
-ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO ${POSTGRES_RO_USER};
-
-REVOKE ALL ON ALL FUNCTIONS IN SCHEMA public FROM ${POSTGRES_RO_USER};
-GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO ${POSTGRES_RO_USER};
-ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON FUNCTIONS FROM ${POSTGRES_RO_USER};
-ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO ${POSTGRES_RO_USER};
-
-EOF

docker-entrypoint-initdb-core.d/1.1.0_05_create_readaccess_role.sh

@@ -0,0 +1,29 @@
+#! /usr/bin/env bash
+
+psql <<-EOF
+CREATE ROLE readaccess;
+
+REVOKE ALL ON DATABASE ${POSTGRES_DB} FROM readaccess;
+GRANT CONNECT ON DATABASE ${POSTGRES_DB} TO readaccess;
+
+\c ${POSTGRES_DB}
+
+REVOKE ALL ON SCHEMA public FROM readaccess;
+REVOKE CREATE ON SCHEMA public FROM readaccess;
+GRANT USAGE ON SCHEMA public TO readaccess;
+
+REVOKE ALL ON ALL TABLES IN SCHEMA public FROM readaccess;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO readaccess;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON TABLES FROM readaccess;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO readaccess;
+
+REVOKE ALL ON ALL SEQUENCES IN SCHEMA public FROM readaccess;
+GRANT USAGE ON ALL SEQUENCES IN SCHEMA public TO readaccess;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON SEQUENCES FROM readaccess;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE ON SEQUENCES TO readaccess;
+
+REVOKE ALL ON ALL FUNCTIONS IN SCHEMA public FROM readaccess;
+GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO readaccess;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public REVOKE ALL ON FUNCTIONS FROM readaccess;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO readaccess;
+EOF

docker-entrypoint-initdb-core.d/1.1.0_15_master_create_ro_user.sh

@@ -0,0 +1,12 @@
+#! /usr/bin/env bash
+
+if [ "${POSTGRES_MASTER_MODE}" != 1 ]
+then
+  echo "Database is not in master mode. Exiting."
+  exit 0
+fi
+
+psql <<-EOF
+CREATE USER ${POSTGRES_RO_USER} WITH ENCRYPTED PASSWORD '${POSTGRES_RO_PASSWORD}';-- NOINHERIT;
+GRANT readaccess to ${POSTGRES_RO_USER};
+EOF

docker-entrypoint.sh

@@ -153,7 +153,7 @@ if [ "$1" = 'postgres' ]; then
                 echo "Running core migrate"
                 migrate.py --folder /docker-entrypoint-initdb-core.d/ --init
 
-                export PGUSER="${POSTGRES_USER}"
+                #export PGUSER="${POSTGRES_USER}"
                 export PGDATABASE="${POSTGRES_DB}"
                 echo "Running user migrate"
                 migrate.py --folder /docker-entrypoint-initdb.d/ --init