Mirror of https://github.com/rommapp/romm.git, synced 2026-06-29 23:35:47 +00:00
Addresses review feedback: granting ALL PRIVILEGES on *.* is overly broad, especially against a shared DB instance. A database-level grant on the `romm\_test%` wildcard pattern still lets the user CREATE the per-worker databases (romm_test_gw0, ...) needed by pytest-xdist, while confining it to that namespace — verified that out-of-namespace CREATE DATABASE is denied.

PostgreSQL needs no equivalent change: its CI service user (POSTGRES_USER) is the container superuser.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
10 lines
595 B
SQL
CREATE DATABASE IF NOT EXISTS romm_test;
CREATE USER IF NOT EXISTS 'romm_test'@'%' IDENTIFIED BY 'passwd';
-- Grant on the `romm_test%` namespace (the base DB plus the per-worker
-- `romm_test_gw0`, ... databases created under pytest-xdist). A database-level
-- grant on a wildcard pattern also lets the user CREATE matching databases,
-- while confining it to that namespace on a shared instance. The `\_` escapes
-- the underscore so it is matched literally rather than as a single-char wildcard.
GRANT ALL PRIVILEGES ON `romm\_test%`.* TO 'romm_test'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
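Added example (not part of the romm repository): a small Python model of the LIKE-style matching that the comments above describe for database-level grant patterns. It shows which database names the escaped pattern covers compared with an unescaped one. The function names and the sample database names are constructed for illustration, and case-sensitive matching is assumed.

```python
import re

# Constructed sample database names on a hypothetical shared instance.
SAMPLE_DBS = [
    "romm_test",        # base test database
    "romm_test_gw0",    # pytest-xdist worker databases
    "romm_test_gw1",
    "rommXtest",        # differs only at the underscore position
    "romm-test_prod",   # another tenant's database with a similar name
    "romm",
    "other_app",
]


def grant_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a database-level grant pattern into a regex.

    Model used here: `%` matches any run of characters, `_` matches exactly
    one character, and `\\_` / `\\%` match the literal character.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "_%":
            parts.append(re.escape(pattern[i + 1]))  # escaped wildcard -> literal
            i += 2
            continue
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.DOTALL)


def coverage(pattern: str) -> list[str]:
    """Return the sample databases that a grant on `pattern` would cover."""
    rx = grant_pattern_to_regex(pattern)
    return [db for db in SAMPLE_DBS if rx.fullmatch(db)]


if __name__ == "__main__":
    for pat in (r"romm\_test%", "romm_test%", "%"):
        print(f"{pat!r:16} -> {coverage(pat)}")
```

Running it shows that the unescaped `romm_test%` also covers `rommXtest` and `romm-test_prod`, while the escaped form stays inside the `romm_test` prefix.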