Grants read-only access after import

Adds execution of grant statements to provide read-only privileges
for the web user following table creation or via a dedicated function.
Facilitates easier post-import permission management.
Itz-Agasta
2026-01-27 17:53:25 +05:30
parent ff1f1b06d9
commit bf0ee6685b
2 changed files with 12 additions and 0 deletions


@@ -16,6 +16,7 @@ from psycopg.types.json import Json
from ..typing import DictCursorResult
from ..config import Configuration
from ..db.connection import connect, Cursor, register_hstore
from ..db.sql_preprocessor import SQLPreprocessor
from ..errors import UsageError
from ..tokenizer import factory as tokenizer_factory
from ..data.place_info import PlaceInfo
@@ -105,3 +106,12 @@ def clean_deleted_relations(config: Configuration, age: str) -> None:
except psycopg.DataError as exc:
raise UsageError('Invalid PostgreSQL time interval format') from exc
conn.commit()
def grant_ro_access(dsn: str, config: Configuration) -> None:
""" Grant read-only access to the web user for all Nominatim tables.
This can be used to grant access to a different user after import.
"""
with connect(dsn) as conn:
sql = SQLPreprocessor(conn, config)
sql.run_sql_file(conn, 'grants.sql')
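Review bot: The docstring of `grant_ro_access` says it can grant access to "a different user", but the signature takes only `dsn` and `config`, so the role receiving the grants can only be whatever `grants.sql` resolves from the configuration (that file is not part of this diff). I would reword it to something like `""" Re-apply the read-only grants from grants.sql for the web user set in the configuration. """` and note that targeting another role means changing the configuration first. Because the role name then reaches SQL through the preprocessor, it is worth confirming that `grants.sql` emits it as a quoted identifier. A missing role will presumably surface as a raw psycopg error here, whereas `clean_deleted_relations` just above converts its database error into `UsageError`; the same treatment would give operators a clearer message.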


@@ -157,6 +157,8 @@ def create_tables(conn: Connection, config: Configuration, reverse_only: bool =
sql.run_sql_file(conn, 'tables.sql')
sql.run_sql_file(conn, 'grants.sql')
def create_table_triggers(conn: Connection, config: Configuration) -> None:
""" Create the triggers for the tables. The trigger functions must already