TL;TR: What are the required privileges for the read-only connection user?
Here is how I’m setting up the kongro
user which I’m configuring the Kong with via KONG_PG_RO_USER=kongro
:
CREATE USER kongro WITH PASSWORD 'secret';
GRANT CONNECT ON DATABASE kong TO kongro;
GRANT USAGE ON SCHEMA public TO kongro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO kongro;
GRANT REFERENCES ON ALL TABLES IN SCHEMA public TO kongro;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO kongro;
However, I still see in the logs the messages like this:
could not rebuild router: could not load routes:
[postgres] ERROR: permission denied for relation routes (stale router will be used)
If I replace the kongro
with username for the read-write connection, those disappear from the logs and all seems working fine.
How to configure the read-only connection user?