-- Roles used by the application.
-- NF-AUDIT: audit_log must be append-only at the SQL level. The application
-- writes via mimic_audit_writer (INSERT only). The standard mimic_app role
-- has SELECT on audit_log but no UPDATE/DELETE. Caveat: table grants cannot
-- durably restrict the table's owner (it can always re-grant itself) or a
-- superuser, so audit_log must be owned by a role the application does not
-- connect as, or "append-only" is advisory rather than enforced.
--
-- This file runs once at container init. Production deployment uses Ansible
-- to apply the same grants idempotently.
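-- Create the audit-writer role once (idempotent on re-run; PostgreSQL syntax).
--
-- The password is deliberately NOT a literal in this file: a placeholder such
-- as 'CHANGE_ME' ships inside the image and the git history, and if it is ever
-- forgotten it is a known LOGIN credential. The password is instead read from
-- the session setting mimic.audit_writer_password, which the init wrapper can
-- supply without editing this file (e.g. by exporting
-- PGOPTIONS="-c mimic.audit_writer_password=$AUDIT_WRITER_PASSWORD" before
-- running psql, or SET-ting it in the same session -- confirm against the
-- entrypoint in use). The block fails closed: when the setting is missing,
-- empty or still the old placeholder, init aborts (the official entrypoint
-- runs psql with ON_ERROR_STOP) instead of creating a guessable account.
-- current_setting(name, missing_ok) requires PostgreSQL 9.6 or newer.
DO $$
DECLARE
    audit_pw text := current_setting('mimic.audit_writer_password', true);
BEGIN
    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'mimic_audit_writer') THEN
        IF audit_pw IS NULL OR audit_pw = '' OR audit_pw = 'CHANGE_ME' THEN
            RAISE EXCEPTION 'mimic.audit_writer_password is not set; refusing to create mimic_audit_writer with a placeholder password';
        END IF;
        -- %L quotes the value as an SQL literal so the password cannot break
        -- out of the statement. The NO* attributes are PostgreSQL defaults,
        -- spelled out so the role's lack of privilege is explicit; its INSERT
        -- on audit_log is granted later by the application bootstrap, not here.
        EXECUTE format(
            'CREATE ROLE mimic_audit_writer LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION PASSWORD %L',
            audit_pw
        );
    END IF;
END
$$;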
-- The mimic_app user is created by the official image entrypoint
-- via $POSTGRES_USER. Note that in the official image the $POSTGRES_USER role
-- is a superuser, so table grants do not constrain it; the append-only
-- guarantee above only holds if the application connects as a separate,
-- non-superuser role. We only need to make sure the audit writer exists.
-- Per-table grants are applied by the application's bootstrap step after
-- migrations land (so the audit_log table actually exists).