Moves db grant statements to dedicated script

Centralizes all read-only access grants into a single SQL script, ensuring permissions are managed in one place.
This commit is contained in:
Itz-Agasta
2026-01-27 17:49:51 +05:30
parent 67ecf5f6a0
commit ff1f1b06d9
5 changed files with 50 additions and 29 deletions

50
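--- a/lib-sql/grants.sql
+++ b/lib-sql/grants.sql
@@ -0,0 +1,50 @@
+-- SPDX-License-Identifier: GPL-2.0-only
+--
+-- This file is part of Nominatim. (https://nominatim.org)
+--
+-- Copyright (C) 2026 by the Nominatim developer community.
+-- For a full list of authors see the git log.
+--
+-- Grant read-only access to the web user for all Nominatim tables.
+-- Core tables
+GRANT SELECT ON import_status TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON country_name TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON nominatim_properties TO "{{config.DATABASE_WEBUSER}}";
+-- Location tables
+GRANT SELECT ON location_property_tiger TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON location_property_osmline TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON location_area TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON location_postcodes TO "{{config.DATABASE_WEBUSER}}";
+-- Search tables
+{% if not db.reverse_only %}
+GRANT SELECT ON search_name TO "{{config.DATABASE_WEBUSER}}";
+{% endif %}
+-- Main place tables
+GRANT SELECT ON placex TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON place_addressline TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON placex_entrance TO "{{config.DATABASE_WEBUSER}}";
+-- OSM data tables
+GRANT SELECT ON planet_osm_ways TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON planet_osm_rels TO "{{config.DATABASE_WEBUSER}}";
+-- Error/delete tracking tables
+GRANT SELECT ON import_polygon_error TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON import_polygon_delete TO "{{config.DATABASE_WEBUSER}}";
+-- Country grid
+GRANT SELECT ON country_osm_grid TO "{{config.DATABASE_WEBUSER}}";
+-- Tokenizer tables (word table)
+{% if 'word' in db.tables %}
+GRANT SELECT ON word TO "{{config.DATABASE_WEBUSER}}";
+{% endif %}
+-- Tiger import table (if exists)
+{% if 'location_property_tiger_import' in db.tables %}
+GRANT SELECT ON location_property_tiger_import TO "{{config.DATABASE_WEBUSER}}";
+{% endif %}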
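Review bot: None of the five files touched by this commit executes the new lib-sql/grants.sql, so unless an existing loader already picks the file up, the grants on lines 25–55 are never applied while the per-table grants removed from tables.sql and the tokenizer are gone, leaving the web user without SELECT on those tables. The `{% if 'word' in db.tables %}` and tiger-import guards also make the outcome depend on when the script runs: executed before the tokenizer has created `word`, that grant is silently skipped rather than failing. The header should state the intended execution point, e.g. `-- Run once all tables exist (end of import and after migrations); tables created later need the grant re-applied.` The phrase "all Nominatim tables" also overstates the file's coverage, since `seq_word`, previously granted in icu_tokenizer.py, has no entry here.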


@@ -11,7 +11,6 @@ CREATE TABLE import_status (
sequence_id integer, sequence_id integer,
indexed boolean indexed boolean
); );
GRANT SELECT ON import_status TO "{{config.DATABASE_WEBUSER}}" ;
drop table if exists import_osmosis_log; drop table if exists import_osmosis_log;
CREATE TABLE import_osmosis_log ( CREATE TABLE import_osmosis_log (
@@ -23,14 +22,11 @@ CREATE TABLE import_osmosis_log (
event text event text
); );
GRANT SELECT ON TABLE country_name TO "{{config.DATABASE_WEBUSER}}";
DROP TABLE IF EXISTS nominatim_properties; DROP TABLE IF EXISTS nominatim_properties;
CREATE TABLE nominatim_properties ( CREATE TABLE nominatim_properties (
property TEXT NOT NULL, property TEXT NOT NULL,
value TEXT value TEXT
); );
GRANT SELECT ON TABLE nominatim_properties TO "{{config.DATABASE_WEBUSER}}";
drop table IF EXISTS location_area CASCADE; drop table IF EXISTS location_area CASCADE;
CREATE TABLE location_area ( CREATE TABLE location_area (
@@ -66,7 +62,6 @@ CREATE TABLE location_property_tiger (
partition SMALLINT NOT NULL, partition SMALLINT NOT NULL,
linegeo GEOMETRY NOT NULL, linegeo GEOMETRY NOT NULL,
postcode TEXT); postcode TEXT);
GRANT SELECT ON location_property_tiger TO "{{config.DATABASE_WEBUSER}}";
drop table if exists location_property_osmline; drop table if exists location_property_osmline;
CREATE TABLE location_property_osmline ( CREATE TABLE location_property_osmline (
@@ -90,7 +85,6 @@ CREATE UNIQUE INDEX idx_osmline_place_id ON location_property_osmline USING BTRE
CREATE INDEX idx_osmline_geometry_sector ON location_property_osmline USING BTREE (geometry_sector) {{db.tablespace.address_index}}; CREATE INDEX idx_osmline_geometry_sector ON location_property_osmline USING BTREE (geometry_sector) {{db.tablespace.address_index}};
CREATE INDEX idx_osmline_linegeo ON location_property_osmline USING GIST (linegeo) {{db.tablespace.search_index}} CREATE INDEX idx_osmline_linegeo ON location_property_osmline USING GIST (linegeo) {{db.tablespace.search_index}}
WHERE startnumber is not null; WHERE startnumber is not null;
GRANT SELECT ON location_property_osmline TO "{{config.DATABASE_WEBUSER}}";
drop table IF EXISTS search_name; drop table IF EXISTS search_name;
{% if not db.reverse_only %} {% if not db.reverse_only %}
@@ -106,7 +100,6 @@ CREATE TABLE search_name (
) {{db.tablespace.search_data}}; ) {{db.tablespace.search_data}};
CREATE UNIQUE INDEX idx_search_name_place_id CREATE UNIQUE INDEX idx_search_name_place_id
ON search_name USING BTREE (place_id) {{db.tablespace.search_index}}; ON search_name USING BTREE (place_id) {{db.tablespace.search_index}};
GRANT SELECT ON search_name to "{{config.DATABASE_WEBUSER}}" ;
{% endif %} {% endif %}
drop table IF EXISTS place_addressline; drop table IF EXISTS place_addressline;
@@ -203,11 +196,6 @@ CREATE INDEX idx_placex_rank_boundaries_sector ON placex
DROP SEQUENCE IF EXISTS seq_place; DROP SEQUENCE IF EXISTS seq_place;
CREATE SEQUENCE seq_place start 1; CREATE SEQUENCE seq_place start 1;
GRANT SELECT on placex to "{{config.DATABASE_WEBUSER}}" ;
GRANT SELECT on place_addressline to "{{config.DATABASE_WEBUSER}}" ;
GRANT SELECT ON planet_osm_ways to "{{config.DATABASE_WEBUSER}}" ;
GRANT SELECT ON planet_osm_rels to "{{config.DATABASE_WEBUSER}}" ;
GRANT SELECT on location_area to "{{config.DATABASE_WEBUSER}}" ;
-- Table for synthetic postcodes. -- Table for synthetic postcodes.
DROP TABLE IF EXISTS location_postcodes; DROP TABLE IF EXISTS location_postcodes;
@@ -232,7 +220,6 @@ CREATE INDEX IF NOT EXISTS idx_location_postcodes_postcode
{{db.tablespace.search_index}}; {{db.tablespace.search_index}};
CREATE INDEX IF NOT EXISTS idx_location_postcodes_osmid CREATE INDEX IF NOT EXISTS idx_location_postcodes_osmid
ON location_postcodes USING BTREE (osm_id) {{db.tablespace.search_index}}; ON location_postcodes USING BTREE (osm_id) {{db.tablespace.search_index}};
GRANT SELECT ON location_postcodes TO "{{config.DATABASE_WEBUSER}}" ;
-- Table to store location of entrance nodes -- Table to store location of entrance nodes
DROP TABLE IF EXISTS placex_entrance; DROP TABLE IF EXISTS placex_entrance;
@@ -245,7 +232,6 @@ CREATE TABLE placex_entrance (
); );
CREATE UNIQUE INDEX idx_placex_entrance_place_id_osm_id ON placex_entrance CREATE UNIQUE INDEX idx_placex_entrance_place_id_osm_id ON placex_entrance
USING BTREE (place_id, osm_id) {{db.tablespace.search_index}}; USING BTREE (place_id, osm_id) {{db.tablespace.search_index}};
GRANT SELECT ON placex_entrance TO "{{config.DATABASE_WEBUSER}}" ;
-- Create an index on the place table for lookups to populate the entrance -- Create an index on the place table for lookups to populate the entrance
-- table -- table
@@ -267,7 +253,6 @@ CREATE TABLE import_polygon_error (
newgeometry GEOMETRY(Geometry, 4326) newgeometry GEOMETRY(Geometry, 4326)
); );
CREATE INDEX idx_import_polygon_error_osmid ON import_polygon_error USING BTREE (osm_type, osm_id); CREATE INDEX idx_import_polygon_error_osmid ON import_polygon_error USING BTREE (osm_type, osm_id);
GRANT SELECT ON import_polygon_error TO "{{config.DATABASE_WEBUSER}}";
DROP TABLE IF EXISTS import_polygon_delete; DROP TABLE IF EXISTS import_polygon_delete;
CREATE TABLE import_polygon_delete ( CREATE TABLE import_polygon_delete (
@@ -277,7 +262,6 @@ CREATE TABLE import_polygon_delete (
type TEXT NOT NULL type TEXT NOT NULL
); );
CREATE INDEX idx_import_polygon_delete_osmid ON import_polygon_delete USING BTREE (osm_type, osm_id); CREATE INDEX idx_import_polygon_delete_osmid ON import_polygon_delete USING BTREE (osm_type, osm_id);
GRANT SELECT ON import_polygon_delete TO "{{config.DATABASE_WEBUSER}}";
DROP SEQUENCE IF EXISTS file; DROP SEQUENCE IF EXISTS file;
CREATE SEQUENCE file start 1; CREATE SEQUENCE file start 1;
@@ -308,5 +292,3 @@ CREATE INDEX planet_osm_rels_relation_members_idx ON planet_osm_rels USING gin(p
CREATE INDEX IF NOT EXISTS idx_place_interpolations CREATE INDEX IF NOT EXISTS idx_place_interpolations
ON place USING gist(geometry) {{db.tablespace.address_index}} ON place USING gist(geometry) {{db.tablespace.address_index}}
WHERE osm_type = 'W' and address ? 'interpolation'; WHERE osm_type = 'W' and address ? 'interpolation';
GRANT SELECT ON table country_osm_grid to "{{config.DATABASE_WEBUSER}}";


@@ -13,8 +13,6 @@ CREATE INDEX IF NOT EXISTS idx_location_property_tiger_parent_place_id_imp
CREATE UNIQUE INDEX IF NOT EXISTS idx_location_property_tiger_place_id_imp CREATE UNIQUE INDEX IF NOT EXISTS idx_location_property_tiger_place_id_imp
ON location_property_tiger_import (place_id) {{db.tablespace.aux_index}}; ON location_property_tiger_import (place_id) {{db.tablespace.aux_index}};
GRANT SELECT ON location_property_tiger_import TO "{{config.DATABASE_WEBUSER}}";
DROP TABLE IF EXISTS location_property_tiger; DROP TABLE IF EXISTS location_property_tiger;
ALTER TABLE location_property_tiger_import RENAME TO location_property_tiger; ALTER TABLE location_property_tiger_import RENAME TO location_property_tiger;


@@ -144,10 +144,6 @@ class ICUTokenizer(AbstractTokenizer):
with conn.cursor() as cur: with conn.cursor() as cur:
cur.execute('SET max_parallel_workers_per_gather TO 0') cur.execute('SET max_parallel_workers_per_gather TO 0')
sqlp = SQLPreprocessor(conn, config)
sqlp.run_string(conn,
'GRANT SELECT ON tmp_word TO "{{config.DATABASE_WEBUSER}}"')
conn.commit()
self._create_base_indices(config, 'tmp_word') self._create_base_indices(config, 'tmp_word')
self._create_lookup_indices(config, 'tmp_word') self._create_lookup_indices(config, 'tmp_word')
self._move_temporary_word_table('tmp_word') self._move_temporary_word_table('tmp_word')
@@ -245,11 +241,9 @@ class ICUTokenizer(AbstractTokenizer):
word text, word text,
info jsonb info jsonb
) {{db.tablespace.search_data}}; ) {{db.tablespace.search_data}};
GRANT SELECT ON word TO "{{config.DATABASE_WEBUSER}}";
DROP SEQUENCE IF EXISTS seq_word; DROP SEQUENCE IF EXISTS seq_word;
CREATE SEQUENCE seq_word start 1; CREATE SEQUENCE seq_word start 1;
GRANT SELECT ON seq_word to "{{config.DATABASE_WEBUSER}}";
""") """)
conn.commit() conn.commit()
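Review bot: Dropping `GRANT SELECT ON seq_word to "{{config.DATABASE_WEBUSER}}";` at the end of the second hunk leaves the web user with no replacement grant: grants.sql in this commit only lists tables, and its `{% if 'word' in db.tables %}` guard would not cover a sequence. If the API path reads `seq_word` (not verifiable from these lines), add `GRANT SELECT ON seq_word TO "{{config.DATABASE_WEBUSER}}";` to grants.sql, guarded in the same way the `word` grant is. The first hunk additionally removes the grant on `tmp_word`, which previously followed the table through the rename in `_move_temporary_word_table`; with it gone, `word` is only readable once grants.sql happens to run after this method, so a comment such as `# read access for the web user is granted by lib-sql/grants.sql after the table is in place` would make the ordering dependency visible. Both enclosing methods extend beyond the hunks.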


@@ -137,7 +137,6 @@ def create_placex_entrance_table(conn: Connection, config: Configuration, **_: A
); );
CREATE UNIQUE INDEX idx_placex_entrance_place_id_osm_id ON placex_entrance CREATE UNIQUE INDEX idx_placex_entrance_place_id_osm_id ON placex_entrance
USING BTREE (place_id, osm_id) {{db.tablespace.search_index}}; USING BTREE (place_id, osm_id) {{db.tablespace.search_index}};
GRANT SELECT ON placex_entrance TO "{{config.DATABASE_WEBUSER}}" ;
""") """)
@@ -250,8 +249,6 @@ def create_place_postcode_table(conn: Connection, config: Configuration, **_: An
geometry Geometry(Geometry, 4326) NOT NULL geometry Geometry(Geometry, 4326) NOT NULL
) )
""") """)
sqlp.run_string(conn,
'GRANT SELECT ON location_postcodes TO "{{config.DATABASE_WEBUSER}}"')
# remove postcodes from the various auxillary tables # remove postcodes from the various auxillary tables
cur.execute( cur.execute(
""" """
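Review bot: Removing the grants from `create_placex_entrance_table` and `create_place_postcode_table` changes what these migrations leave behind on an existing database: after an upgrade, `placex_entrance` and `location_postcodes` exist without SELECT for the web user unless grants.sql is executed as part of the migration run, and nothing in this commit shows that happening. Either run grants.sql at the end of the migration sequence or note the dependency in each migration, e.g. `# web user access is granted centrally by lib-sql/grants.sql, which must run after migrations`. Both functions continue outside the hunks, so a later grant within them cannot be ruled out from here.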