From 9ad047787b7c04c6bcdb284c8f572ae71440914a Mon Sep 17 00:00:00 2001
From: Christian Chwala
Date: Fri, 8 May 2026 18:58:50 +0200
Subject: [PATCH] fix(generate_config): correct migration template grants
Migration 010 (a33fc90) retroactively fixed the two grant bugs for ctu_cz_tmobile, which was added by the generator in migration 009:
Bug 1: migration 009 granted SELECT, INSERT, UPDATE on the security-barrier view cml_data_secure instead of the underlying hypertable cml_data. write_rawdata() inserts directly into cml_data, so the parser raised a permission error and silently dropped all CTU rows until migration 010 added the missing table grant.
Bug 2: migration 009 did not grant EXECUTE on update_cml_stats(TEXT, TEXT). The stats background thread calls this function as the user's PG role, so stats were never computed for CTU until migration 010 added the EXECUTE grant.
This commit fixes the generator template so that any future user added via generate_config.py receives the correct grants from the start and does not require a follow-up migration.
The fix mirrors exactly what migration 010 applied by hand:
- GRANT SELECT, INSERT, UPDATE ON cml_data (not cml_data_secure)
- GRANT SELECT ON cml_data_secure (read isolation for webserver/Grafana)
- GRANT EXECUTE ON FUNCTION update_cml_stats(TEXT, TEXT)
Also corrects the stale comment that incorrectly claimed all access goes through the security-barrier views.
---
 scripts/generate_config.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/scripts/generate_config.py b/scripts/generate_config.py
index 22e7cfb..ca7a6de 100644
--- a/scripts/generate_config.py
+++ b/scripts/generate_config.py
@@ -272,11 +272,14 @@ def generate_users_json(users: list[dict], existing_json: dict) -> dict:
 -- current_user policy already installed on those tables.
 GRANT SELECT, INSERT, UPDATE ON cml_metadata, cml_stats TO {user_id};
--- cml_data has no RLS (compressed TimescaleDB hypertable). All user access
--- goes through the security-barrier views. Any direct grant on cml_data —
--- including SELECT — bypasses the WITH CHECK OPTION isolation boundary.
-GRANT SELECT, INSERT, UPDATE ON cml_data_secure TO {user_id};
+-- cml_data has no RLS (compressed TimescaleDB hypertable).
+-- Parser writes (write_rawdata) and stats updates (update_cml_stats) go
+-- directly to cml_data. Read isolation for webserver/Grafana is provided
+-- by the security-barrier views cml_data_secure / cml_data_1h_secure.
+GRANT SELECT, INSERT, UPDATE ON cml_data TO {user_id};
+GRANT SELECT ON cml_data_secure TO {user_id};
 GRANT SELECT ON cml_data_1h_secure TO {user_id};
+GRANT EXECUTE ON FUNCTION update_cml_stats(TEXT, TEXT) TO {user_id};
 -- file_processing_log: parser INSERTs a row for every processed file;
 -- webserver_role only needs SELECT.