This repository was archived by the owner on Apr 2, 2024. It is now read-only.

Unclear how/when/where to create a role with minimal privileges to read timeseries data in docker-compose setup #1801

@mrd0ll4r

Description

Describe the bug

I'm running Promscale together with Grafana and a bunch of other things via docker-compose. For that, I'd like to have a database role with read-only access to timeseries data to use with Grafana. (as the docs point out)
I can easily create a user and GRANT some permissions on the database in the timescale container, by mounting a script to /docker-entrypoint-initdb.d/. However, if I got this right, I'd need to grant permissions on schema prom_metric, which is created by Promscale, i.e., doesn't exist at this point.

Basically, I think this is what happens:

  1. Database starts, does a bunch of setup
  2. My user-creation script runs after all those setup steps, creates a role and attempts to GRANT SELECT ON ALL TABLES IN SCHEMA prom_metric, which fails
  3. The promscale container starts and creates said schema, I think.

To Reproduce

docker-compose.yml:

version: '3.8'

services:
  db:
    image: timescale/timescaledb-ha:pg14-latest
    restart: unless-stopped
    ports:
      - 5433:5432/tcp
    healthcheck:
      test: /usr/bin/pg_isready -U postgres
      interval: 30s
      timeout: 10s
      retries: 5
    volumes:
      - timescaledb_data:/var/lib/postgresql/data
      - ./setup-grafana-db-user.sh:/docker-entrypoint-initdb.d/020_setup_grafana_user.sh
    environment:
      POSTGRES_PASSWORD: somepass
      POSTGRES_USER: postgres
      POSTGRES_DB: tsdb
      TSTUNE_PROFILE: promscale

  promscale:
    image: timescale/promscale:latest
    restart: unless-stopped
    ports:
      - 9201:9201/tcp
      - 9202:9202/tcp
    depends_on:
      db:
        condition: service_healthy
    volumes:
      - ./promscale_prometheus.yml:/prometheus.yml
      - ./rules.yml:/rules.yml
      - ./alerts.yml:/alerts.yml
    environment:
      PROMSCALE_DB_URI: postgres://postgres:somepass@db:5432/tsdb?sslmode=allow
      PROMSCALE_METRICS_RULES_CONFIG_FILE: /prometheus.yml

  grafana:
    image: grafana/grafana:9.3.2
    restart: on-failure
    volumes:
      - grafana_data:/var/lib/grafana
      - ./grafana/datasources.yml:/etc/grafana/provisioning/datasources/promscale.yml
    ports:
      - 3000:3000/tcp
    depends_on:
      db:
        condition: service_healthy

setup-grafana-db-user.sh:

#!/bin/bash -e

# Runs from /docker-entrypoint-initdb.d while the data directory is first
# initialised, i.e. before the promscale container has ever connected.
# --dbname targets the application database (tsdb); without it psql connects
# to the database named after the user, and the grants would land there.
psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
  CREATE USER grafana WITH ENCRYPTED PASSWORD 'grafana';
  -- prom_metric does not exist yet at this point (Promscale creates it later),
  -- so this GRANT fails and ON_ERROR_STOP aborts the rest of the script.
  GRANT USAGE ON SCHEMA prom_metric TO grafana;
  GRANT SELECT ON ALL TABLES IN SCHEMA prom_metric TO grafana;
  GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO grafana;
  ALTER DEFAULT PRIVILEGES IN SCHEMA prom_metric GRANT SELECT ON TABLES TO grafana;
  ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO grafana;
EOSQL

datasources.yml:

apiVersion: 1

datasources:
  - name: promscale-promql
    type: prometheus
    access: proxy
    url: http://promscale:9201
    isDefault: true
  - name: promscale-sql
    type: postgres
    url: db:5432
    database: tsdb
    user: grafana
    secureJsonData:
      password: 'grafana'
    jsonData:
      sslmode: 'disable'
      postgresVersion: 1200
      timescaledb: true

Expected behavior

Some way to create a non-privileged user that can read all metrics data (and probably execute some functions and whatnot).

Thanks! Best,
