From c25adbbd9c4f556aba40e7379bb6658c54e72190 Mon Sep 17 00:00:00 2001
From: Weimin Yu
Date: Wed, 2 Oct 2019 11:05:46 -0400
Subject: [PATCH] Restrict nomulus user access to flyway table (#297)

* Restrict nomulus user access to flyway table

The regular read-write user should not have write permissions to the flyway metadata table.
---
 db/src/main/resources/sql/user/create_readwrite_user.sql | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/db/src/main/resources/sql/user/create_readwrite_user.sql b/db/src/main/resources/sql/user/create_readwrite_user.sql
index e95b21a53..ce5b78b54 100644
--- a/db/src/main/resources/sql/user/create_readwrite_user.sql
+++ b/db/src/main/resources/sql/user/create_readwrite_user.sql
@@ -12,10 +12,12 @@
 -- See the License for the specific language governing permissions and
 -- limitations under the License.
 --
--- Script to create a user with read-write permission to all tables.
+-- Script to create a user with read-write permission to all tables (except for
+-- WRITE permissions to flyway_schema_history).
 
 CREATE USER :username ENCRYPTED PASSWORD :'password';
 GRANT CONNECT ON DATABASE postgres TO :username;
 GRANT USAGE ON SCHEMA public TO :username;
 GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO :username;
 GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO :username;
+REVOKE INSERT, UPDATE, DELETE ON TABLE public.flyway_schema_history FROM :username;
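Review bot: The new `REVOKE ... ON TABLE public.flyway_schema_history` on the last line of the hunk introduces an ordering dependency that the script does not document: in PostgreSQL a REVOKE on a non-existent relation is an error, so this script now fails unless Flyway has already created its history table, whereas the preceding `GRANT ... ON ALL TABLES IN SCHEMA public` silently covers whatever exists at run time. A header comment would make that explicit, e.g. `-- Must run after the first Flyway migration: the REVOKE below requires public.flyway_schema_history to exist.` It is also worth noting in the same comment that the REVOKE only withdraws privileges granted directly to :username; if the user also acquires write access through a role membership or a grant to PUBLIC (not visible here), those paths are untouched, so the restriction presumably depends on the user holding no other grants — confirm against how the user is provisioned. The `-- WRITE permissions` wording in the new comment is looser than the statement itself; `-- INSERT, UPDATE and DELETE on flyway_schema_history` would match what is actually revoked and leave SELECT clearly intact.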