Merged PR 3870: Add BillingDB reader and permissions

This PR adds a new user creation to the DWH section of the script. This includes both creating the user and describing how to give the proper grants. The explanation is simply a pattern and needs to be adjusted on run time, since it depends on what is the scope of the integration at the time of deploying. You can read more on the topic here: https://www.notion.so/knowyourguest-superhog/Currency-Rates-for-apps-integration-1600446ff9c9804faa66f982f294e6e8?pvs=4 Related work items: #25608
2024-12-18 13:38:11 +00:00 · 2024-12-18 13:38:11 +00:00 · c550492c61
commit c550492c61
parent 73cd9b2dcc 70d296594f
1 changed files with 14 additions and 0 deletions
--- a/human-script.md
+++ b/human-script.md
@ -436,6 +436,7 @@ Follow this to deploy the entire data infra.
  - A user `dbt_user`, with `dwh_builder` role.
  - A user `powerbi_user`, with `consumer` role.
  - A user `airbyte user`, with permission to create new schemas.
+  - A user `billingdb_reader`, with permission to read some tables from the reporting schema.
  - *Note: replace the password fields with serious passwords and note them down.*
  - *Note: replace the name of the admin user*

@ -464,6 +465,8 @@ Follow this to deploy the entire data infra.
  CREATE ROLE powerbi_user LOGIN PASSWORD 'password' VALID UNTIL 'infinity';
  GRANT consumer to powerbi_user;

+  CREATE ROLE billingdb_reader LOGIN PASSWORD 'password' VALID UNTIL 'infinity';
+
  CREATE ROLE modeler INHERIT; 
  -- You might want to create a first personal user with modeler role here

@ -514,6 +517,17 @@ Follow this to deploy the entire data infra.
    ALTER DEFAULT PRIVILEGES IN SCHEMA sync_<some-new-source> GRANT SELECT ON TABLES TO modeler;
    ```
  
+  - This script also doesn't specify exactly which tables should the `billingdb_reader` read from, since providing full access to the entire reporting schema would be excessive. You can specify which tables should be readable by the user like this:
+
+  ```sql
+  -- Login as dbt_user
+
+  GRANT USAGE ON SCHEMA reporting TO billingdb_reader;
+  GRANT SELECT ON TABLE reporting.<some_table> TO billingdb_reader;
+  GRANT SELECT ON TABLE reporting.<some_other_table> TO billingdb_reader;
+  ...
+  ```
+
 ## 050. Web Gateway

 We will deploy a dedicated VM to act as a web server for internal services.