MPMXKD-17 fixed CREATE table grants

2 years ago · 18679082b9
parent b5cfa4f662
commit 18679082b9
6 changed files with 10 additions and 11 deletions
--- a/group_vars/all/pgadmin4.yml
+++ b/group_vars/all/pgadmin4.yml
@ -1,7 +1,4 @@
 ---
-pgadmin4_base_hostname: "{{ stage }}-pgadmin4-01.{{ domain }}"
-pgadmin4_base_url: "https://{{ pgadmin4_base_hostname }}"
-
 pgadmin4_oidc_realm: "stage-pgadmin4"
 pgadmin4_oidc_client_id: "stage-pgadmin4"
 pgadmin4_oidc_dev_username: "pgadmin-dev"
--- a/group_vars/all/services.yml
+++ b/group_vars/all/services.yml
@ -15,6 +15,8 @@ shared_service_hostname_kibana: "{{ stage }}-elastic-stack-kibana-01-kibana.{{ d
 shared_service_host_management: "{{ stage }}-management-01"
 shared_service_url_management: "https://{{ shared_service_hostname_management }}"
 shared_service_hostname_management: "{{ shared_service_host_management }}-connect.{{ domain_env }}"
+shared_service_url_pgadmin4: "https://{{ shared_service_hostname_pgadmin4 }}"
+shared_service_hostname_pgadmin4: "{{ stage }}-pgadmin4-01-pgadmin4.{{ domain_env }}"

 shared_service_hostname_logstash: "{{ stage }}-elastic-stack-logstash-01"

--- a/roles/pgadmin4/tasks/main.yml
+++ b/roles/pgadmin4/tasks/main.yml
@ -70,7 +70,7 @@
 # Initialize Login process against Keycloak server
 - name: "Initialize SSO Login on Pgadmin4"
  uri:
-    url: "{{ pgadmin4_base_url }}/authenticate/login"
+    url: "{{ shared_service_url_pgadmin4 }}/authenticate/login"
    method: GET
    body_format: form-urlencoded
    body:
--- a/roles/pgadmin4/vars/main.yml
+++ b/roles/pgadmin4/vars/main.yml
@ -40,7 +40,7 @@ pgadmin4_docker:
            [
              '"traefik.enable=true"',
              '"traefik.http.routers.{{ pgadmin_id }}.service={{ pgadmin_id }}"',
-              '"traefik.http.routers.{{ pgadmin_id }}.rule=Host(`{{ pgadmin4_base_hostname }}`)"',
+              '"traefik.http.routers.{{ pgadmin_id }}.rule=Host(`{{ pgadmin_id }}.{{ domain_env }}`)"',
              '"traefik.http.routers.{{ pgadmin_id }}.entrypoints=websecure"',
              '"traefik.http.routers.{{ pgadmin_id }}.tls=true"',
              '"traefik.http.routers.{{ pgadmin_id }}.tls.certresolver=letsencrypt"',
--- a/roles/pgadmin4_realm/defaults/main.yml
+++ b/roles/pgadmin4_realm/defaults/main.yml
@ -5,13 +5,13 @@ current_realm_clients:
  - name: "{{ pgadmin4_oidc_client_id }}"
    base_url: ""
    clientId: "{{ pgadmin4_oidc_client_id }}"
-    admin_url: "{{ pgadmin4_base_url }}"
-    root_url: "{{ pgadmin4_base_url }}"
+    admin_url: "{{ shared_service_url_pgadmin4 }}"
+    root_url: "{{ shared_service_url_pgadmin4 }}"
    redirect_uris:
-      - "{{ pgadmin4_base_url }}/*"
+      - "{{ shared_service_url_pgadmin4 }}/*"
    secret: "{{ pgadmin4_oidc_client_secret }}"
    web_origins:
-      - "{{ pgadmin4_base_url }}/"
+      - "{{ shared_service_url_pgadmin4 }}/"

 current_realm_users:
  - username: "{{ pgadmin4_oidc_dev_username }}"
--- a/roles/postgres/tasks/_update_database_state.yml
+++ b/roles/postgres/tasks/_update_database_state.yml
@ -152,9 +152,9 @@
  become: true
  become_user: "{{ postgres_admin_user }}"

- name: Revoke CREATE privilege on public schema from postgres_readonly group
+- name: "Revoke CREATE privilege on public schema for group postgres_readonly"
  community.postgresql.postgresql_privs:
-    role: "public"
+    role: "postgres_readonly"
    type: schema
    priv: CREATE
    objs: public