Moves db grant statements to dedicated script

Centralizes all read-only access grants into a single SQL script, ensuring permissions are managed in one place.
2026-03-13 14:24:08 +00:00 · 2026-01-27 17:49:51 +05:30
parent 67ecf5f6a0
commit ff1f1b06d9
5 changed files with 50 additions and 29 deletions
--- a/lib-sql/grants.sql
+++ b/lib-sql/grants.sql
@@ -0,0 +1,50 @@
+-- SPDX-License-Identifier: GPL-2.0-only
+--
+-- This file is part of Nominatim. (https://nominatim.org)
+--
+-- Copyright (C) 2026 by the Nominatim developer community.
+-- For a full list of authors see the git log.
+--
+-- Grant read-only access to the web user for all Nominatim tables.
+
+-- Core tables
+GRANT SELECT ON import_status TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON country_name TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON nominatim_properties TO "{{config.DATABASE_WEBUSER}}";
+
+-- Location tables
+GRANT SELECT ON location_property_tiger TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON location_property_osmline TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON location_area TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON location_postcodes TO "{{config.DATABASE_WEBUSER}}";
+
+-- Search tables
+{% if not db.reverse_only %}
+GRANT SELECT ON search_name TO "{{config.DATABASE_WEBUSER}}";
+{% endif %}
+
+-- Main place tables
+GRANT SELECT ON placex TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON place_addressline TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON placex_entrance TO "{{config.DATABASE_WEBUSER}}";
+
+-- OSM data tables
+GRANT SELECT ON planet_osm_ways TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON planet_osm_rels TO "{{config.DATABASE_WEBUSER}}";
+
+-- Error/delete tracking tables
+GRANT SELECT ON import_polygon_error TO "{{config.DATABASE_WEBUSER}}";
+GRANT SELECT ON import_polygon_delete TO "{{config.DATABASE_WEBUSER}}";
+
+-- Country grid
+GRANT SELECT ON country_osm_grid TO "{{config.DATABASE_WEBUSER}}";
+
+-- Tokenizer tables (word table)
+{% if 'word' in db.tables %}
+GRANT SELECT ON word TO "{{config.DATABASE_WEBUSER}}";
+{% endif %}
+
+-- Tiger import table (if exists)
+{% if 'location_property_tiger_import' in db.tables %}
+GRANT SELECT ON location_property_tiger_import TO "{{config.DATABASE_WEBUSER}}";
+{% endif %}
--- a/lib-sql/tables.sql
+++ b/lib-sql/tables.sql
@@ -11,7 +11,6 @@ CREATE TABLE import_status (
  sequence_id integer,
  indexed boolean
  );
-GRANT SELECT ON import_status TO "{{config.DATABASE_WEBUSER}}" ;

 drop table if exists import_osmosis_log;
 CREATE TABLE import_osmosis_log (
@@ -23,14 +22,11 @@ CREATE TABLE import_osmosis_log (
  event text
  );

-GRANT SELECT ON TABLE country_name TO "{{config.DATABASE_WEBUSER}}";
-
 DROP TABLE IF EXISTS nominatim_properties;
 CREATE TABLE nominatim_properties (
    property TEXT NOT NULL,
    value TEXT
 );
-GRANT SELECT ON TABLE nominatim_properties TO "{{config.DATABASE_WEBUSER}}";

 drop table IF EXISTS location_area CASCADE;
 CREATE TABLE location_area (
@@ -66,7 +62,6 @@ CREATE TABLE location_property_tiger (
  partition SMALLINT NOT NULL,
  linegeo GEOMETRY NOT NULL,
  postcode TEXT);
-GRANT SELECT ON location_property_tiger TO "{{config.DATABASE_WEBUSER}}";

 drop table if exists location_property_osmline;
 CREATE TABLE location_property_osmline (
@@ -90,7 +85,6 @@ CREATE UNIQUE INDEX idx_osmline_place_id ON location_property_osmline USING BTRE
 CREATE INDEX idx_osmline_geometry_sector ON location_property_osmline USING BTREE (geometry_sector) {{db.tablespace.address_index}};
 CREATE INDEX idx_osmline_linegeo ON location_property_osmline USING GIST (linegeo) {{db.tablespace.search_index}}
  WHERE startnumber is not null;
-GRANT SELECT ON location_property_osmline TO "{{config.DATABASE_WEBUSER}}";

 drop table IF EXISTS search_name;
 {% if not db.reverse_only %}
@@ -106,7 +100,6 @@ CREATE TABLE search_name (
  ) {{db.tablespace.search_data}};
 CREATE UNIQUE INDEX idx_search_name_place_id
  ON search_name USING BTREE (place_id) {{db.tablespace.search_index}};
-GRANT SELECT ON search_name to "{{config.DATABASE_WEBUSER}}" ;
 {% endif %}

 drop table IF EXISTS place_addressline;
@@ -203,11 +196,6 @@ CREATE INDEX idx_placex_rank_boundaries_sector ON placex

 DROP SEQUENCE IF EXISTS seq_place;
 CREATE SEQUENCE seq_place start 1;
-GRANT SELECT on placex to "{{config.DATABASE_WEBUSER}}" ;
-GRANT SELECT on place_addressline to "{{config.DATABASE_WEBUSER}}" ;
-GRANT SELECT ON planet_osm_ways to "{{config.DATABASE_WEBUSER}}" ;
-GRANT SELECT ON planet_osm_rels to "{{config.DATABASE_WEBUSER}}" ;
-GRANT SELECT on location_area to "{{config.DATABASE_WEBUSER}}" ;

 -- Table for synthetic postcodes.
 DROP TABLE IF EXISTS location_postcodes;
@@ -232,7 +220,6 @@ CREATE INDEX IF NOT EXISTS idx_location_postcodes_postcode
  {{db.tablespace.search_index}};
 CREATE INDEX IF NOT EXISTS idx_location_postcodes_osmid
  ON location_postcodes USING BTREE (osm_id) {{db.tablespace.search_index}};
-GRANT SELECT ON location_postcodes TO "{{config.DATABASE_WEBUSER}}" ;

 -- Table to store location of entrance nodes
 DROP TABLE IF EXISTS placex_entrance;
@@ -245,7 +232,6 @@ CREATE TABLE placex_entrance (
  );
 CREATE UNIQUE INDEX idx_placex_entrance_place_id_osm_id ON placex_entrance
  USING BTREE (place_id, osm_id) {{db.tablespace.search_index}};
-GRANT SELECT ON placex_entrance TO "{{config.DATABASE_WEBUSER}}" ;

 -- Create an index on the place table for lookups to populate the entrance
 -- table
@@ -267,7 +253,6 @@ CREATE TABLE import_polygon_error (
  newgeometry GEOMETRY(Geometry, 4326)
  );
 CREATE INDEX idx_import_polygon_error_osmid ON import_polygon_error USING BTREE (osm_type, osm_id);
-GRANT SELECT ON import_polygon_error TO "{{config.DATABASE_WEBUSER}}";

 DROP TABLE IF EXISTS import_polygon_delete;
 CREATE TABLE import_polygon_delete (
@@ -277,7 +262,6 @@ CREATE TABLE import_polygon_delete (
  type TEXT NOT NULL
  );
 CREATE INDEX idx_import_polygon_delete_osmid ON import_polygon_delete USING BTREE (osm_type, osm_id);
-GRANT SELECT ON import_polygon_delete TO "{{config.DATABASE_WEBUSER}}";

 DROP SEQUENCE IF EXISTS file;
 CREATE SEQUENCE file start 1;
@@ -308,5 +292,3 @@ CREATE INDEX planet_osm_rels_relation_members_idx ON planet_osm_rels USING gin(p
 CREATE INDEX IF NOT EXISTS idx_place_interpolations
    ON place USING gist(geometry) {{db.tablespace.address_index}}
    WHERE osm_type = 'W' and address ? 'interpolation';
-
-GRANT SELECT ON table country_osm_grid to "{{config.DATABASE_WEBUSER}}";
--- a/lib-sql/tiger_import_finish.sql
+++ b/lib-sql/tiger_import_finish.sql
@@ -13,8 +13,6 @@ CREATE INDEX IF NOT EXISTS idx_location_property_tiger_parent_place_id_imp
 CREATE UNIQUE INDEX IF NOT EXISTS idx_location_property_tiger_place_id_imp
  ON location_property_tiger_import (place_id) {{db.tablespace.aux_index}};

-GRANT SELECT ON location_property_tiger_import TO "{{config.DATABASE_WEBUSER}}";
-
 DROP TABLE IF EXISTS location_property_tiger;
 ALTER TABLE location_property_tiger_import RENAME TO location_property_tiger;

--- a/src/nominatim_db/tokenizer/icu_tokenizer.py
+++ b/src/nominatim_db/tokenizer/icu_tokenizer.py
@@ -144,10 +144,6 @@ class ICUTokenizer(AbstractTokenizer):
            with conn.cursor() as cur:
                cur.execute('SET max_parallel_workers_per_gather TO 0')

-            sqlp = SQLPreprocessor(conn, config)
-            sqlp.run_string(conn,
-                            'GRANT SELECT ON tmp_word TO "{{config.DATABASE_WEBUSER}}"')
-            conn.commit()
        self._create_base_indices(config, 'tmp_word')
        self._create_lookup_indices(config, 'tmp_word')
        self._move_temporary_word_table('tmp_word')
@@ -245,11 +241,9 @@ class ICUTokenizer(AbstractTokenizer):
                      word text,
                      info jsonb
                    ) {{db.tablespace.search_data}};
-                GRANT SELECT ON word TO "{{config.DATABASE_WEBUSER}}";

                DROP SEQUENCE IF EXISTS seq_word;
                CREATE SEQUENCE seq_word start 1;
-                GRANT SELECT ON seq_word to "{{config.DATABASE_WEBUSER}}";
            """)
            conn.commit()

--- a/src/nominatim_db/tools/migration.py
+++ b/src/nominatim_db/tools/migration.py
@@ -137,7 +137,6 @@ def create_placex_entrance_table(conn: Connection, config: Configuration, **_: A
              );
            CREATE UNIQUE INDEX idx_placex_entrance_place_id_osm_id ON placex_entrance
              USING BTREE (place_id, osm_id) {{db.tablespace.search_index}};
-            GRANT SELECT ON placex_entrance TO "{{config.DATABASE_WEBUSER}}" ;
              """)


@@ -250,8 +249,6 @@ def create_place_postcode_table(conn: Connection, config: Configuration, **_: An
                    geometry Geometry(Geometry, 4326) NOT NULL
                )
                """)
-            sqlp.run_string(conn,
-                            'GRANT SELECT ON location_postcodes TO "{{config.DATABASE_WEBUSER}}"')
            # remove postcodes from the various auxillary tables
            cur.execute(
                """