X-Git-Url: https://git.openstreetmap.org/chef.git/blobdiff_plain/e0cd7ddfb11237afe38cf0db8a395f61b9595ea4..c6726761006fc15978d7e15466c08d394d644fce:/cookbooks/db/recipes/master.rb
diff --git a/cookbooks/db/recipes/master.rb b/cookbooks/db/recipes/master.rb
index c2450a7a4..58e0be741 100644
--- a/cookbooks/db/recipes/master.rb
+++ b/cookbooks/db/recipes/master.rb
@@ -84,30 +84,88 @@ postgresql_extension "btree_gist" do only_if { node[:postgresql][:clusters][node[:db][:cluster]] && node[:postgresql][:clusters][node[:db][:cluster]][:version] >= 9.0 } end +CGIMAP_PERMISSIONS = { + "changeset_comments" => [:select], + "changeset_tags" => [:select], + "changesets" => [:select, :update], + "client_applications" => [:select], + "current_node_tags" => [:select, :insert, :delete], + "current_nodes" => [:select, :insert, :update], + "current_nodes_id_seq" => [:update], + "current_relation_members" => [:select, :insert, :delete], + "current_relation_tags" => [:select, :insert, :delete], + "current_relations" => [:select, :insert, :update], + "current_relations_id_seq" => [:update], + "current_way_nodes" => [:select, :insert, :delete], + "current_way_tags" => [:select, :insert, :delete], + "current_ways" => [:select, :insert, :update], + "current_ways_id_seq" => [:update], + "issues" => [:select], + "node_tags" => [:select, :insert], + "nodes" => [:select, :insert], + "oauth_access_grants" => [:select], + "oauth_access_tokens" => [:select], + "oauth_applications" => [:select], + "oauth_nonces" => [:select, :insert], + "oauth_nonces_id_seq" => [:update], + "oauth_tokens" => [:select], + "relation_members" => [:select, :insert], + "relation_tags" => [:select, :insert], + "relations" => [:select, :insert], + "reports" => [:select], + "user_blocks" => [:select], + "user_roles" => [:select], + "users" => [:select], + "way_nodes" => [:select, :insert], + "way_tags" => [:select, :insert], + "ways" => [:select, :insert] +}.freeze + +PLANETDUMP_PERMISSIONS = { + "note_comments" => :select, + "notes" => :select, + "users" => :select +}.freeze + +PLANETDIFF_PERMISSIONS = { + "changeset_comments" => :select, + "changeset_tags" => :select, + "changesets" => :select, + "node_tags" => :select, + "nodes" => :select, + "relation_members" => :select, + "relation_tags" => :select, + "relations" => :select, + "users" => :select, + "way_nodes" => :select, 
+ "way_tags" => :select, + "ways" => :select +}.freeze + +PROMETHEUS_PERMISSIONS = { + "delayed_jobs" => :select +}.freeze + %w[ + acls active_storage_attachments active_storage_blobs active_storage_variant_records ar_internal_metadata - delayed_jobs - issue_comments - issues - oauth_openid_requests - reports -].each do |table| - postgresql_table table do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" => [:all], - "rails" => [:select, :insert, :update, :delete], - "backup" => [:select] - end -end - -%w[ - acls + changeset_comments + changeset_tags + changesets changesets_subscribers + client_applications + current_node_tags + current_nodes + current_relation_members + current_relation_tags + current_relations + current_way_nodes + current_way_tags + current_ways + delayed_jobs diary_comments diary_entries diary_entry_subscriptions 
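Review bot: `CGIMAP_PERMISSIONS` lists `"issues" => [:select]` and `"reports" => [:select]`, but the removed block that covered those two tables granted only `openstreetmap`, `rails` and `backup`, so this consolidation widens the cgimap role rather than only restructuring the grants. The new `PROMETHEUS_PERMISSIONS` read on `delayed_jobs` is likewise a new grant. If both are intended, say so next to the entries, for example `# cgimap reads issues/reports for <purpose>`, so a later least-privilege audit can tell deliberate grants from refactoring drift. The remaining cgimap, planetdump and planetdiff entries match what the removed blocks granted.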
@@ -115,147 +173,34 @@ end gps_points gpx_file_tags gpx_files + issue_comments + issues languages messages - redactions - schema_migrations - user_preferences - user_tokens -].each do |table| - postgresql_table table do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" => [:all], - "rails" => [:select, :insert, :update, :delete], - "backup" => [:select] - end -end - -%w[ - note_comments - notes -].each do |table| - postgresql_table table do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" => [:all], - "rails" => [:select, :insert, :update, :delete], - "planetdump" => [:select], - "backup" => [:select] - end -end - -%w[ - changeset_comments - changeset_tags -].each do |table| - postgresql_table table do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" => [:all], - "rails" => [:select, :insert, :update, :delete], - "cgimap" => [:select], - "planetdiff" => [:select], - "backup" => [:select] - end -end - -%w[ - users -].each do |table| - postgresql_table table do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" => [:all], - "rails" => [:select, :insert, :update, :delete], - "cgimap" => [:select], - "planetdump" => [:select], - "planetdiff" => [:select], - "backup" => [:select] - end -end - -%w[changesets].each do |table| - postgresql_table table do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" => [:all], - "rails" => [:select, :insert, :update, :delete], - "cgimap" => [:select, :update], - "planetdiff" => [:select], - "backup" => [:select] - end -end - -%w[ - current_nodes - current_relations - current_ways -].each do |table| - postgresql_table table do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" 
=> [:all], - "rails" => [:select, :insert, :update, :delete], - "cgimap" => [:select, :insert, :update], - "backup" => [:select] - end -end - -%w[ - current_node_tags - current_relation_members - current_relation_tags - current_way_nodes - current_way_tags -].each do |table| - postgresql_table table do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" => [:all], - "rails" => [:select, :insert, :update, :delete], - "cgimap" => [:select, :insert, :delete], - "backup" => [:select] - end -end - -%w[ node_tags nodes - relation_members - relation_tags - relations - way_nodes - way_tags - ways -].each do |table| - postgresql_table table do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" => [:all], - "rails" => [:select, :insert, :update, :delete], - "cgimap" => [:select, :insert], - "planetdiff" => [:select], - "backup" => [:select] - end -end - -%w[ - client_applications + note_comments + notes oauth_access_grants oauth_access_tokens oauth_applications + oauth_nonces + oauth_openid_requests oauth_tokens + redactions + relation_members + relation_tags + relations + reports + schema_migrations user_blocks + user_preferences user_roles + user_tokens + users + way_nodes + way_tags + ways ].each do |table| postgresql_table table do cluster node[:db][:cluster] 
@@ -263,21 +208,10 @@ end owner "openstreetmap" permissions "openstreetmap" => [:all], "rails" => [:select, :insert, :update, :delete], - "cgimap" => [:select], - "backup" => [:select] - end -end - -%w[ - oauth_nonces -].each do |table| - postgresql_table table do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" => [:all], - "rails" => [:select, :insert, :update, :delete], - "cgimap" => [:select, :insert], + "cgimap" => CGIMAP_PERMISSIONS[table], + "planetdump" => PLANETDUMP_PERMISSIONS[table], + "planetdiff" => PLANETDIFF_PERMISSIONS[table], + "prometheus" => PROMETHEUS_PERMISSIONS[table], "backup" => [:select] end end @@ -290,6 +224,9 @@ end changeset_comments_id_seq changesets_id_seq client_applications_id_seq + current_nodes_id_seq + current_relations_id_seq + current_ways_id_seq delayed_jobs_id_seq diary_comments_id_seq diary_entries_id_seq @@ -304,6 +241,7 @@ end oauth_access_grants_id_seq oauth_access_tokens_id_seq oauth_applications_id_seq + oauth_nonces_id_seq oauth_openid_requests_id_seq oauth_tokens_id_seq redactions_id_seq @@ -319,23 +257,7 @@ end owner "openstreetmap" permissions "openstreetmap" => [:all], "rails" => [:usage], - "backup" => [:select] - end -end - -%w[ - current_nodes_id_seq - current_relations_id_seq - current_ways_id_seq - oauth_nonces_id_seq -].each do |sequence| - postgresql_sequence sequence do - cluster node[:db][:cluster] - database "openstreetmap" - owner "openstreetmap" - permissions "openstreetmap" => [:all], - "rails" => [:usage], - "cgimap" => [:update], + "cgimap" => CGIMAP_PERMISSIONS[sequence], "backup" => [:select] end end @@ -352,6 +274,7 @@ systemd_service "monthly-reindex" do user "postgres" sandbox true restrict_address_families "AF_UNIX" + remove_ipc false end systemd_timer "monthly-reindex" do 
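Review bot: Every table now passes all four service roles to `permissions`, and for most tables `CGIMAP_PERMISSIONS[table]` and the three lookups below it evaluate to `nil`, where the removed blocks simply omitted the role. The planetdump, planetdiff and prometheus maps also yield a bare `:select` instead of the `[:select]` array passed before. The `postgresql_table` provider is not visible here, so confirm that it treats `nil` as "no privileges for this role" (ideally revoking existing ones) and accepts a scalar; otherwise normalise at the call site, e.g. `"planetdump" => Array(PLANETDUMP_PERMISSIONS[table])`. The same applies to `"cgimap" => CGIMAP_PERMISSIONS[sequence]` in the hunk at -319,23 +257,7, which is `nil` for every sequence except the four `_id_seq` keys in the map. The enclosing `each` block opens in the previous hunk.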
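Review bot: `remove_ipc false` turns off one default of a unit declared with `sandbox true` and gives no reason at the call site, in monthly-reindex here and again in yearly-reindex in the hunk at -375,6 +298,7. Presumably the property maps to systemd's `RemoveIPC=`, which would delete IPC objects owned by `postgres` when the reindex unit stops while the database server runs as the same user. A comment such as `# keep the postgres user's IPC objects when this unit exits; the database server runs as the same user` would record why the hardening is relaxed, so it is not switched back on during a later cleanup. The `systemd_service` block opens above the hunk.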
@@ -375,6 +298,7 @@ systemd_service "yearly-reindex" do user "postgres" sandbox true restrict_address_families "AF_UNIX" + remove_ipc false end systemd_timer "yearly-reindex" do @@ -385,3 +309,10 @@ end service "yearly-reindex.timer" do action [:enable, :start] end + +template "/etc/prometheus/exporters/sql_rails.collector.yml" do + source "sql_rails.yml.erb" + owner "root" + group "root" + mode "0644" +end
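Review bot: The collector file at `/etc/prometheus/exporters/sql_rails.collector.yml` is written with `mode "0644"`, so any local account can read it. That is fine if `sql_rails.yml.erb` holds only query definitions, but the template body is not part of this diff; if it ever carries a connection string or password, the mode should be `"0640"` with the exporter's group. The resource also has no `notifies`, so an already-running exporter presumably keeps the old collector definitions until something else restarts it. Whether the exporter re-reads the file on its own is not visible here.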