feat(observability): create grafana_reader read-only DB role

Add Flyway V68 migration that provisions a read-only PostgreSQL role scoped to audit_log, documents, and transcription_blocks. The role's password is injected via the new ${grafanaDbPassword} Flyway placeholder, which FlywayConfig reads from the GRAFANA_DB_PASSWORD env var. The migration is idempotent: CREATE on first run, ALTER on re-run. Adds a Testcontainers integration test asserting positive grants on the three intended tables and a negative grant on app_users (NFR-SEC-01). Refs #651. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 19:20:39 +02:00
parent 0801da8df0
commit f4ffd8acee
3 changed files with 78 additions and 0 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/config/FlywayConfig.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/config/FlywayConfig.java
@@ -7,12 +7,15 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;

 import javax.sql.DataSource;
+import java.util.Map;

@Configuration
@RequiredArgsConstructor
@Slf4j
 public class FlywayConfig {

+    private static final String GRAFANA_DB_PASSWORD_FALLBACK = "changeme-grafana-db-password";
+
    private final DataSource dataSource;

    @Bean(name = "flyway")
@@ -21,6 +24,7 @@ public class FlywayConfig {
        Flyway flyway = Flyway.configure()
                .dataSource(dataSource)
                .locations("classpath:db/migration")
+                .placeholders(Map.of("grafanaDbPassword", resolveGrafanaDbPassword()))
                .baselineOnMigrate(true)
                .baselineVersion("4")
                .load();
@@ -28,4 +32,14 @@ public class FlywayConfig {
        log.info("Flyway: {} migration(s) applied.", result.migrationsExecuted);
        return flyway;
    }
+
+    private String resolveGrafanaDbPassword() {
+        String value = System.getenv("GRAFANA_DB_PASSWORD");
+        if (value == null || value.isBlank()) {
+            log.warn("GRAFANA_DB_PASSWORD is not set; the grafana_reader role will use a non-secret fallback. "
+                    + "Set GRAFANA_DB_PASSWORD in production to enable the Grafana PostgreSQL datasource.");
+            return GRAFANA_DB_PASSWORD_FALLBACK;
+        }
+        return value;
+    }
 }
--- a/backend/src/main/resources/db/migration/V68__add_grafana_reader_role.sql
+++ b/backend/src/main/resources/db/migration/V68__add_grafana_reader_role.sql
@@ -0,0 +1,17 @@
+-- Read-only role used by the Grafana PostgreSQL datasource for the PO Overview
+-- dashboard (issue #651). Password is injected at migration time via the Flyway
+-- placeholder ${grafanaDbPassword}, supplied by FlywayConfig from the
+-- GRAFANA_DB_PASSWORD environment variable.
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = 'grafana_reader') THEN
+        EXECUTE format('CREATE ROLE grafana_reader WITH LOGIN PASSWORD %L', '${grafanaDbPassword}');
+    ELSE
+        EXECUTE format('ALTER ROLE grafana_reader WITH LOGIN PASSWORD %L', '${grafanaDbPassword}');
+    END IF;
+END
+$$;
+
+GRANT CONNECT ON DATABASE ${flyway:database} TO grafana_reader;
+GRANT USAGE  ON SCHEMA   public               TO grafana_reader;
+GRANT SELECT ON audit_log, documents, transcription_blocks TO grafana_reader;