-- this file is run by test/create_db.sh to create users for each
-- component with the appropriate permissions.
-- Database accounts, one per component. CREATE USER IF NOT EXISTS requires
-- MariaDB 10.1+ and lets the script be re-run against an existing database.
--
-- Every account is bound to 'localhost' and has no IDENTIFIED clause, so this
-- file sets no password on any of them. That fits the test database that
-- test/create_db.sh builds; it is not a template for a deployed server.

-- Accounts that receive table grants later in this file.
CREATE USER IF NOT EXISTS 'sa'@'localhost';
CREATE USER IF NOT EXISTS 'sa_ro'@'localhost';
CREATE USER IF NOT EXISTS 'ocsp_resp'@'localhost';
CREATE USER IF NOT EXISTS 'revoker'@'localhost';
CREATE USER IF NOT EXISTS 'mailer'@'localhost';
CREATE USER IF NOT EXISTS 'cert_checker'@'localhost';
CREATE USER IF NOT EXISTS 'badkeyrevoker'@'localhost';
CREATE USER IF NOT EXISTS 'proxysql'@'localhost';
CREATE USER IF NOT EXISTS 'test_setup'@'localhost';

-- Accounts that are created but get no grant anywhere in this file.
-- NOTE(review): confirm these two are still used; an account nobody needs is
-- one more credential to track.
CREATE USER IF NOT EXISTS 'policy'@'localhost';
CREATE USER IF NOT EXISTS 'importer'@'localhost';
-- Storage Authority ('sa'): the read/write account.
-- Grants are grouped by privilege set so the write surface is visible at a
-- glance. Nothing here grants DDL, and DELETE is granted on one table only.

-- Read-only.
GRANT SELECT ON incidents TO 'sa'@'localhost';

-- Append-only: SELECT and INSERT, no UPDATE or DELETE.
GRANT SELECT, INSERT ON certificates TO 'sa'@'localhost';
GRANT SELECT, INSERT ON issuedNames TO 'sa'@'localhost';
GRANT SELECT, INSERT ON fqdnSets TO 'sa'@'localhost';
GRANT SELECT, INSERT ON requestedNames TO 'sa'@'localhost';
GRANT SELECT, INSERT ON orderToAuthz2 TO 'sa'@'localhost';
GRANT SELECT, INSERT ON serials TO 'sa'@'localhost';
GRANT SELECT, INSERT ON precertificates TO 'sa'@'localhost';
GRANT SELECT, INSERT ON keyHashToSerial TO 'sa'@'localhost';
GRANT SELECT, INSERT ON blockedKeys TO 'sa'@'localhost';

-- Mutable rows: SELECT, INSERT and UPDATE, no DELETE.
GRANT SELECT, INSERT, UPDATE ON certificateStatus TO 'sa'@'localhost';
GRANT SELECT, INSERT, UPDATE ON certificatesPerName TO 'sa'@'localhost';
GRANT SELECT, INSERT, UPDATE ON registrations TO 'sa'@'localhost';
GRANT SELECT, INSERT, UPDATE ON orders TO 'sa'@'localhost';
GRANT SELECT, INSERT, UPDATE ON authz2 TO 'sa'@'localhost';
GRANT SELECT, INSERT, UPDATE ON newOrdersRL TO 'sa'@'localhost';
GRANT SELECT, INSERT, UPDATE ON crlShards TO 'sa'@'localhost';
GRANT SELECT, INSERT, UPDATE ON revokedCertificates TO 'sa'@'localhost';

-- The only table on which this account may delete rows.
GRANT SELECT, INSERT, DELETE ON orderFqdnSets TO 'sa'@'localhost';
-- Storage Authority, read-only ('sa_ro'): SELECT only, on the same tables the
-- 'sa' account is granted in this file. Listed alphabetically so that a table
-- missing from (or added to) one of the two lists is easy to spot.
GRANT SELECT ON authz2 TO 'sa_ro'@'localhost';
GRANT SELECT ON blockedKeys TO 'sa_ro'@'localhost';
GRANT SELECT ON certificates TO 'sa_ro'@'localhost';
GRANT SELECT ON certificatesPerName TO 'sa_ro'@'localhost';
GRANT SELECT ON certificateStatus TO 'sa_ro'@'localhost';
GRANT SELECT ON crlShards TO 'sa_ro'@'localhost';
GRANT SELECT ON fqdnSets TO 'sa_ro'@'localhost';
GRANT SELECT ON incidents TO 'sa_ro'@'localhost';
GRANT SELECT ON issuedNames TO 'sa_ro'@'localhost';
GRANT SELECT ON keyHashToSerial TO 'sa_ro'@'localhost';
GRANT SELECT ON newOrdersRL TO 'sa_ro'@'localhost';
GRANT SELECT ON orderFqdnSets TO 'sa_ro'@'localhost';
GRANT SELECT ON orders TO 'sa_ro'@'localhost';
GRANT SELECT ON orderToAuthz2 TO 'sa_ro'@'localhost';
GRANT SELECT ON precertificates TO 'sa_ro'@'localhost';
GRANT SELECT ON registrations TO 'sa_ro'@'localhost';
GRANT SELECT ON requestedNames TO 'sa_ro'@'localhost';
GRANT SELECT ON revokedCertificates TO 'sa_ro'@'localhost';
GRANT SELECT ON serials TO 'sa_ro'@'localhost';
-- OCSP Responder ('ocsp_resp'): read access to certificateStatus is the only
-- privilege this file gives the responder account.
GRANT SELECT ON certificateStatus TO 'ocsp_resp'@'localhost';
-- Revoker Tool ('revoker').
-- Read-only lookups.
GRANT SELECT ON certificates TO 'revoker'@'localhost';
GRANT SELECT ON precertificates TO 'revoker'@'localhost';
GRANT SELECT ON keyHashToSerial TO 'revoker'@'localhost';
-- Tables the tool may modify in place: UPDATE only, no INSERT or DELETE.
GRANT SELECT, UPDATE ON registrations TO 'revoker'@'localhost';
GRANT SELECT, UPDATE ON blockedKeys TO 'revoker'@'localhost';
-- Expiration mailer ('mailer').
-- Read-only inputs.
GRANT SELECT ON certificates TO 'mailer'@'localhost';
GRANT SELECT ON registrations TO 'mailer'@'localhost';
GRANT SELECT ON fqdnSets TO 'mailer'@'localhost';
-- The one table the mailer may write to, and only by UPDATE.
-- NOTE(review): presumably used to record that a notice went out; confirm
-- against the mailer's queries.
GRANT SELECT, UPDATE ON certificateStatus TO 'mailer'@'localhost';
-- Cert checker ('cert_checker'): strictly read-only, two tables.
GRANT SELECT ON authz2 TO 'cert_checker'@'localhost';
GRANT SELECT ON certificates TO 'cert_checker'@'localhost';
-- Bad Key Revoker ('badkeyrevoker').
-- Read-only lookups.
GRANT SELECT ON keyHashToSerial TO 'badkeyrevoker'@'localhost';
GRANT SELECT ON certificateStatus TO 'badkeyrevoker'@'localhost';
GRANT SELECT ON precertificates TO 'badkeyrevoker'@'localhost';
GRANT SELECT ON registrations TO 'badkeyrevoker'@'localhost';
-- The only table this account may change, and only by UPDATE.
GRANT SELECT, UPDATE ON blockedKeys TO 'badkeyrevoker'@'localhost';
83GRANT SELECT ON registrations TO 'badkeyrevoker'@'localhost';
84
-- ProxySQL ('proxysql').
-- The unqualified name `monitor` is resolved as a table in whichever database
-- is selected when this script runs, so ALL PRIVILEGES is limited to that one
-- table. ALL PRIVILEGES does not include GRANT OPTION.
-- NOTE(review): confirm a table called monitor is what is meant here, rather
-- than a database of that name (which would be written `monitor.*`).
GRANT ALL PRIVILEGES ON monitor TO 'proxysql'@'localhost';
-- Test setup and teardown ('test_setup').
-- `ON *` is a database-level grant on the currently selected database; it is
-- not the server-wide `*.*`. The reach of this account therefore depends on
-- which database the calling script has selected when this statement runs.
-- ALL PRIVILEGES does not include GRANT OPTION, so the account cannot hand its
-- rights on to another user. This is by far the broadest grant in the file and
-- belongs to the test harness only.
GRANT ALL PRIVILEGES ON * TO 'test_setup'@'localhost';