-- =============================================================================
-- 08_users.sql — ClickHouse users and grants
-- TODO: Replace 'ChangeMe' with strong passwords before production use.
--       Store passwords in a secrets manager (Vault, K8s secrets, etc.).
-- =============================================================================

CREATE USER IF NOT EXISTS data_writer IDENTIFIED WITH plaintext_password BY 'ChangeMe';
CREATE USER IF NOT EXISTS analyst     IDENTIFIED WITH plaintext_password BY 'ChangeMe';

-- data_writer: INSERT on raw table in ja4_logs (fed by correlator service)
GRANT INSERT ON ja4_logs.http_logs_raw TO data_writer;
GRANT SELECT ON ja4_logs.http_logs_raw TO data_writer;

-- analyst: read access on ja4_logs (parsed logs)
GRANT SELECT ON ja4_logs.http_logs              TO analyst;

-- analyst: read access on ja4_processing (analytics, ML, views, audit)
GRANT SELECT ON ja4_processing.ml_detected_anomalies  TO analyst;
GRANT SELECT ON ja4_processing.ml_all_scores          TO analyst;
GRANT SELECT ON ja4_processing.view_ai_features_1h    TO analyst;
GRANT SELECT ON ja4_processing.view_ip_recurrence     TO analyst;
GRANT SELECT ON ja4_processing.audit_logs             TO analyst;