From 98f5d75429aac76952a223a90b9e7d1a3cfeddc7 Mon Sep 17 00:00:00 2001
From: xbgmsharp
Date: Fri, 25 Nov 2022 22:33:54 +0100
Subject: [PATCH] Add grafana_auth apache proxy auth role
---
 initdb/02_6_signalk_roles.sql | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/initdb/02_6_signalk_roles.sql b/initdb/02_6_signalk_roles.sql
index 93ef6a7..00bd657 100644
--- a/initdb/02_6_signalk_roles.sql
+++ b/initdb/02_6_signalk_roles.sql
@@ -53,6 +53,14 @@ GRANT SELECT ON TABLE api.metrics,api.logbook,api.moorages,api.stays,api.metadat
 GRANT SELECT ON TABLE api.logs_view,api.moorages_view,api.stays_view TO grafana;
 --GRANT SELECT ON TABLE api.logs_view,api.moorages_view,api.stays_view,api.vessels_view TO grafana;
+-- Grafana_auth authticator user and role with login, read-only on auth.accounts, limit 10 connections
+CREATE ROLE grafana_auth WITH NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOBYPASSRLS NOREPLICATION CONNECTION LIMIT 10 LOGIN PASSWORD 'mysecretpassword';
+comment on role grafana_auth is
+ 'Role that grafana as authenticator via apache.';
+GRANT USAGE ON SCHEMA auth TO grafana_auth;
+--GRANT USAGE, SELECT ON SEQUENCE auth.accounts_pkey TO grafana_auth;
+GRANT SELECT ON TABLE auth.accounts TO grafana_auth;
 -- User:
 -- nologin, web api only
 -- read-only for all and Read-Write on logbook, stays and moorage except for specific (name, notes) COLUMNS
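Review bot: The added `CREATE ROLE grafana_auth ... LOGIN PASSWORD 'mysecretpassword';` line commits a literal password for a login-capable role that the last added grant lets read `auth.accounts`, so the credential is known to anyone who can read the repository unless it is rotated after init. Consider supplying the secret from outside the script, for example (if these init scripts run through psql) `CREATE ROLE grafana_auth WITH ... LOGIN PASSWORD :'grafana_auth_password';` where the variable name is a placeholder, or create the role without a password and set it with `ALTER ROLE` at deploy time. The table-wide `GRANT SELECT ON TABLE auth.accounts TO grafana_auth;` also exposes every column of the accounts table; if the Apache authenticator only needs the login identifier and the stored password hash, a column-list grant such as `GRANT SELECT (<login_column>, <hash_column>) ON TABLE auth.accounts TO grafana_auth;` (placeholder column names) would keep the role to least privilege. A one-line comment naming the columns the proxy reads, and why the sequence grant stays commented out, would make the intended scope reviewable; the leading comment also has the typo "authticator".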