add read only for grafana

Author: JuArce

infra/aggregation_mode/ansible/playbooks/pg_monitor.yaml

@@ -22,6 +22,8 @@
         db_password: "{{ lookup('ini', 'db_password', file=config_file) }}"
         monitor_pgdata: "{{ lookup('ini', 'monitor_pgdata', file=config_file, default='/var/lib/postgresql/monitor') }}"
         monitor_port: "{{ lookup('ini', 'monitor_port', file=config_file, default='5432') }}"
+        grafana_postgres_user: "{{ lookup('ini', 'grafana_postgres_user', file=config_file) }}"
+        grafana_postgres_password: "{{ lookup('ini', 'grafana_postgres_password', file=config_file) }}"
       no_log: true
 
     - name: Debug vars
@@ -113,3 +115,22 @@
       shell: |
         psql -d pg_auto_failover -c "ALTER USER autoctl_node PASSWORD '{{ db_password }}';"
       no_log: true
+
+    - name: Create Grafana read-only user on monitor
+      become: true
+      become_user: postgres
+      shell: |
+        psql -d pg_auto_failover << 'EOF'
+        DO $$
+        BEGIN
+          IF NOT EXISTS (SELECT FROM pg_catalog.pg_user WHERE usename = '{{ grafana_postgres_user }}') THEN
+            CREATE USER {{ grafana_postgres_user }} WITH PASSWORD '{{ grafana_postgres_password }}';
+          ELSE
+            ALTER USER {{ grafana_postgres_user }} WITH PASSWORD '{{ grafana_postgres_password }}';
+          END IF;
+        END
+        $$;
+        GRANT CONNECT ON DATABASE pg_auto_failover TO {{ grafana_postgres_user }};
+        GRANT pg_read_all_data TO {{ grafana_postgres_user }};
+        EOF
+      no_log: true

infra/aggregation_mode/ansible/playbooks/pg_node.yaml

@@ -22,6 +22,8 @@
         node_pgdata: "{{ lookup('ini', 'node_pgdata', file=config_file, default='/var/lib/postgresql/node') }}"
         node_port: "{{ lookup('ini', 'node_port', file=config_file, default='5432') }}"
         backup_dir: "{{ lookup('ini', 'backup_dir', file=config_file, default='/var/lib/backup') }}"
+        grafana_postgres_user: "{{ lookup('ini', 'grafana_postgres_user', file=config_file) }}"
+        grafana_postgres_password: "{{ lookup('ini', 'grafana_postgres_password', file=config_file) }}"
       no_log: true
 
     - name: Create backup directory
@@ -141,3 +143,23 @@
         psql -d {{ db_name }} -c "ALTER USER pgautofailover_replicator PASSWORD '{{ db_password }}';"
       when: is_writable.stdout == 't'
       no_log: true
+
+    - name: Create Grafana read-only user
+      become: true
+      become_user: postgres
+      shell: |
+        psql -d {{ db_name }} << 'EOF'
+        DO $$
+        BEGIN
+          IF NOT EXISTS (SELECT FROM pg_catalog.pg_user WHERE usename = '{{ grafana_postgres_user }}') THEN
+            CREATE USER {{ grafana_postgres_user }} WITH PASSWORD '{{ grafana_postgres_password }}';
+          ELSE
+            ALTER USER {{ grafana_postgres_user }} WITH PASSWORD '{{ grafana_postgres_password }}';
+          END IF;
+        END
+        $$;
+        GRANT CONNECT ON DATABASE {{ db_name }} TO {{ grafana_postgres_user }};
+        GRANT pg_read_all_data TO {{ grafana_postgres_user }};
+        EOF
+      when: is_writable.stdout == 't'
+      no_log: true