From 61a4c152b3e10d87e7595d79630d9744709277b2 Mon Sep 17 00:00:00 2001
From: Mateusz Kwiatkowski
Date: Fri, 5 Dec 2025 19:36:03 +0100
Subject: [PATCH] fix: reduce database privileges for kine user (#860)

* Reduce MySQL privileges for kine user
* Reduce PostgreSQL privileges for kine user
---
 internal/datastore/mysql.go | 2 +-
 internal/datastore/postgresql.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/datastore/mysql.go b/internal/datastore/mysql.go
index c75521c..6e907f8 100644
--- a/internal/datastore/mysql.go
+++ b/internal/datastore/mysql.go
@@ -29,7 +29,7 @@ const (
 mysqlShowGrantsStatement = "SHOW GRANTS FOR `%s`@`%%`"
 mysqlCreateDBStatement = "CREATE DATABASE IF NOT EXISTS %s"
 mysqlCreateUserStatement = "CREATE USER `%s`@`%%` IDENTIFIED BY '%s'"
- mysqlGrantPrivilegesStatement = "GRANT ALL PRIVILEGES ON `%s`.* TO `%s`@`%%`"
+ mysqlGrantPrivilegesStatement = "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX ON `%s`.* TO `%s`@`%%`"
 mysqlDropDBStatement = "DROP DATABASE IF EXISTS `%s`"
 mysqlDropUserStatement = "DROP USER IF EXISTS `%s`"
 mysqlRevokePrivilegesStatement = "REVOKE ALL PRIVILEGES ON `%s`.* FROM `%s`"
diff --git a/internal/datastore/postgresql.go b/internal/datastore/postgresql.go
index 7bd1034..41dabac 100644
--- a/internal/datastore/postgresql.go
+++ b/internal/datastore/postgresql.go
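Review bot: In internal/datastore/mysql.go the new `mysqlGrantPrivilegesStatement` lists `ALTER, INDEX`, but `SHOW GRANTS` prints privileges in the server's own fixed order, which as far as I know puts INDEX before ALTER. `mysqlShowGrantsStatement` sits in the same const block, so if the grant-exists check (outside this hunk) compares that output with this string, it would never match and the grant would be re-applied or reported missing on every reconcile; the old `ALL PRIVILEGES` form had no ordering to get wrong. Writing the list as `SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX, ALTER`, or comparing privilege sets rather than whole strings, avoids that. Users that already hold `ALL PRIVILEGES` keep them, since nothing in this hunk revokes the old grant, so the reduction only reaches newly provisioned datastores unless a migration step is added.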
@@ -25,7 +25,7 @@ const (
 postgresqlShowOwnershipStatement = "SELECT 't' FROM pg_catalog.pg_database AS d WHERE d.datname = ? AND pg_catalog.pg_get_userbyid(d.datdba) = ?"
 postgresqlShowTableOwnershipStatement = "SELECT 't' from pg_tables where tableowner = ? AND tablename = ?"
 postgresqlKineTableExistsStatement = "SELECT 't' FROM pg_tables WHERE schemaname = ? AND tablename = ?"
- postgresqlGrantPrivilegesStatement = "GRANT ALL PRIVILEGES ON DATABASE %s TO %s"
+ postgresqlGrantPrivilegesStatement = "GRANT CONNECT, CREATE ON DATABASE %s TO %s"
 postgresqlChangeOwnerStatement = "ALTER DATABASE %s OWNER TO %s"
 postgresqlRevokePrivilegesStatement = "REVOKE ALL PRIVILEGES ON DATABASE %s FROM %s"
 postgresqlDropRoleStatement = "DROP ROLE %s"
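Review bot: `GRANT CONNECT, CREATE ON DATABASE` removes only TEMPORARY compared with `ALL PRIVILEGES`, because CREATE, CONNECT and TEMPORARY are the whole set of database-level privileges in PostgreSQL. `postgresqlChangeOwnerStatement` in the same block makes a role the database owner, and an owner holds every privilege on its database regardless of grants; if that statement is applied to the same kine role (the call sites are outside this hunk), the new grant changes little in practice. PUBLIC also gets CONNECT and TEMPORARY on a new database by default, so an effective reduction would additionally need `REVOKE ALL ON DATABASE %s FROM PUBLIC` at creation time. If the narrower grant is kept as is, a comment above the constant such as `// database-level privileges only; ownership and PUBLIC defaults still apply` would stop readers from assuming a stronger boundary than the code enforces.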