This repository has been archived by the owner on Apr 2, 2024. It is now read-only.

Unclear how/when/where to create a role with minimal privileges to read timeseries data in docker-compose setup #1801

Open
mrd0ll4r opened this issue Dec 17, 2022 · 0 comments

Comments


mrd0ll4r commented Dec 17, 2022

Describe the bug

I'm running Promscale together with Grafana and a bunch of other things via docker-compose. For that, I'd like to have a database role with read-only access to timeseries data to use with Grafana (as the docs point out).
I can easily create a user and GRANT some permissions on the database in the timescale container, by mounting a script to /docker-entrypoint-initdb.d/. However, if I got this right, I'd need to grant permissions on schema prom_metric, which is created by Promscale, i.e., it doesn't exist at this point.

Basically, I think this is what happens:

  1. Database starts, does a bunch of setup
  2. My user-creation script runs after all those setup steps, creates a role and attempts to GRANT SELECT ON ALL TABLES IN SCHEMA prom_metric, which fails
  3. The promscale container starts and creates said schema, I think.

To Reproduce

docker-compose.yml:

version: '3.8'

services:
  db:
    image: timescale/timescaledb-ha:pg14-latest
    restart: unless-stopped
    ports:
      - 5433:5432/tcp
    healthcheck:
      test: /usr/bin/pg_isready -U postgres
      interval: 30s
      timeout: 10s
      retries: 5
    volumes:
      - timescaledb_data:/var/lib/postgresql/data
      - ./setup-grafana-db-user.sh:/docker-entrypoint-initdb.d/020_setup_grafana_user.sh
    environment:
      POSTGRES_PASSWORD: somepass
      POSTGRES_USER: postgres
      POSTGRES_DB: tsdb
      TSTUNE_PROFILE: promscale

  promscale:
    image: timescale/promscale:latest
    restart: unless-stopped
    ports:
      - 9201:9201/tcp
      - 9202:9202/tcp
    depends_on:
      db:
        condition: service_healthy
    volumes:
      - ./promscale_prometheus.yml:/prometheus.yml
      - ./rules.yml:/rules.yml
      - ./alerts.yml:/alerts.yml
    environment:
      PROMSCALE_DB_URI: postgres://postgres:somepass@db:5432/tsdb?sslmode=allow
      PROMSCALE_METRICS_RULES_CONFIG_FILE: /prometheus.yml

  grafana:
    image: grafana/grafana:9.3.2
    restart: on-failure
    volumes:
      - grafana_data:/var/lib/grafana
      - ./grafana/datasources.yml:/etc/grafana/provisioning/datasources/promscale.yml
    ports:
      - 3000:3000/tcp
    depends_on:
      db:
        condition: service_healthy

setup-grafana-db-user.sh:

#!/bin/bash -e
# Runs once, when the data volume is first initialised, i.e. before Promscale has started.
# --dbname is needed: without it psql connects to the database named after the user
# ("postgres"), not to "$POSTGRES_DB" ("tsdb"), so the grants would land in the wrong
# database even once prom_metric exists.

psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
  CREATE USER grafana WITH ENCRYPTED PASSWORD 'grafana';
  -- fails at init time: the prom_metric schema is created later by Promscale
  GRANT USAGE ON SCHEMA prom_metric TO grafana;
  GRANT SELECT ON ALL TABLES IN SCHEMA prom_metric TO grafana;
  GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO grafana;
  ALTER DEFAULT PRIVILEGES IN SCHEMA prom_metric GRANT SELECT ON TABLES TO grafana;
  ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO grafana;
EOSQL

datasources.yml:

apiVersion: 1

datasources:
  - name: promscale-promql
    type: prometheus
    access: proxy
    url: http://promscale:9201
    isDefault: true
  - name: promscale-sql
    type: postgres
    url: db:5432
    database: tsdb
    user: grafana
    secureJsonData:
      password: 'grafana'
    jsonData:
      sslmode: 'disable'
      postgresVersion: 1200
      timescaledb: true

Expected behavior

Some way to create a non-privileged user that can read all metrics data (and probably execute some functions and whatnot).

Thanks! Best,

@mrd0ll4r mrd0ll4r changed the title Unclear how to create a role with minimal privileges to read timeseries data Unclear how/when/where to create a role with minimal privileges to read timeseries data in docker-compose setup Dec 17, 2022
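One way to get the ordering right, as an added example that is not part of the issue or of Promscale's own tooling: instead of running the grants from /docker-entrypoint-initdb.d/ (which executes before Promscale has created prom_metric), run them from a one-shot container that starts after the promscale service, polls pg_namespace until the schema exists, and only then applies the same grants the issue lists. The script assumes the standard libpq variables (PGHOST, PGDATABASE, PGUSER, PGPASSWORD) point at the superuser connection from the compose file, and the names GRAFANA_ROLE, GRAFANA_PASSWORD and WAIT_ATTEMPTS are assumptions for this example; it can be run as a compose service built on the same timescaledb-ha image (which ships psql) with depends_on: promscale and command: ["/grant-grafana-reader.sh", "apply"].

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from Promscale. Grants read-only access to
# Promscale's prom_metric schema to a Grafana role, but only after the schema exists.
# Assumed environment: libpq PG* variables for the superuser connection, plus
# GRAFANA_ROLE / GRAFANA_PASSWORD / WAIT_ATTEMPTS (all names are this example's own).
set -eu

# SQL to send once prom_metric exists. It uses psql variables (:"role" as an identifier,
# :'pw' as a literal) and format()/\gexec to make CREATE ROLE idempotent; a DO block is
# avoided because psql does not interpolate variables inside $$ ... $$ strings.
grant_sql() {
  cat <<'EOSQL'
SELECT format('CREATE ROLE %I LOGIN PASSWORD %L', :'role', :'pw')
WHERE NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = :'role') \gexec
GRANT USAGE ON SCHEMA prom_metric TO :"role";
GRANT SELECT ON ALL TABLES IN SCHEMA prom_metric TO :"role";
GRANT EXECUTE ON ALL FUNCTIONS IN SCHEMA public TO :"role";
-- Default privileges only cover objects later created by the role that issues this
-- statement. That is the superuser here, which is also the role Promscale connects as in
-- the compose file, so metric tables Promscale creates at ingest time are covered too.
ALTER DEFAULT PRIVILEGES IN SCHEMA prom_metric GRANT SELECT ON TABLES TO :"role";
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT EXECUTE ON FUNCTIONS TO :"role";
EOSQL
}

# Readiness probe: returns a single t/f row.
schema_exists_sql() {
  printf '%s\n' "SELECT EXISTS (SELECT 1 FROM pg_namespace WHERE nspname = 'prom_metric');"
}

# Interpret the psql -tA output of that probe; exit status 0 means the schema is there.
schema_ready() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in
    t) return 0 ;;
    *) return 1 ;;
  esac
}

# Poll until the schema exists or the attempt budget is spent. Promscale creates the
# schema on its first start, after the db healthcheck, so the init-script window is too early.
wait_for_schema() {
  attempts=${1:-60}
  while [ "$attempts" -gt 0 ]; do
    if schema_ready "$(psql -tA -v ON_ERROR_STOP=1 -c "$(schema_exists_sql)" 2>/dev/null || true)"; then
      return 0
    fi
    attempts=$((attempts - 1))
    sleep 5
  done
  echo "prom_metric schema did not appear in time" >&2
  return 1
}

apply_grants() {
  wait_for_schema "${WAIT_ATTEMPTS:-60}"
  grant_sql | psql -v ON_ERROR_STOP=1 \
    -v role="${GRAFANA_ROLE:-grafana}" -v pw="${GRAFANA_PASSWORD:?set GRAFANA_PASSWORD}"
}

# Only touch the database when invoked as "<script> apply"; sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
  apply_grants
fi
```

The script is safe to re-run (CREATE ROLE is skipped when the role exists; GRANT and ALTER DEFAULT PRIVILEGES are idempotent), so it also works after a Promscale upgrade that recreates objects. Two checks worth doing afterwards: connect as the Grafana role and confirm that `SELECT` on a prom_metric view works while `INSERT` and any access to schemas other than prom_metric and public are refused, and keep the Grafana datasource on that role rather than on the postgres superuser the promscale service uses.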