# HG changeset patch
# User Tom Gottfried
# Date 1547484208 -3600
# Node ID 40cbfd268aa9424d5548a1e02a7aeac396b613a3
# Parent 67340ceecc5f29fc7a4ab5fee48a0c06cc4cfffd
Row level security for import jobs Add imports to database as the actual login user. sys_admin then only needs to read and update (state) import job data. The way the policies for import_logs and track_imports are implemented has the side effect, that a sys_admin can do anything with all of them. More fine-grainded policies and changes to Go code are needed, if this is a concern.
diff -r 67340ceecc5f -r 40cbfd268aa9 pkg/imports/queue.go
--- a/pkg/imports/queue.go Mon Jan 14 17:12:12 2019 +0100
+++ b/pkg/imports/queue.go Mon Jan 14 17:43:28 2019 +0100
@@ -286,7 +286,7 @@
 if trysLeft >= 0 {
 tl = sql.NullInt64{Int64: int64(trysLeft), Valid: true}
 }
- err := auth.RunAs(ctx, queueUser, func(conn *sql.Conn) error {
+ err := auth.RunAs(ctx, user, func(conn *sql.Conn) error {
 return conn.QueryRowContext(
 ctx,
 insertJobSQL,
diff -r 67340ceecc5f -r 40cbfd268aa9 schema/auth.sql
--- a/schema/auth.sql Mon Jan 14 17:12:12 2019 +0100
+++ b/schema/auth.sql Mon Jan 14 17:43:28 2019 +0100
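Review bot: The job row is now inserted under the login user's database role, so the new policies on waterway.imports judge the row by its username, but the values bound to insertJobSQL lie past the end of this hunk and cannot be checked here. If the username column is filled from the same `user` variable, a comment at the call would make that dependency explicit, for example `// Insert as the login user: row level security on waterway.imports checks the row's username.` It is also worth confirming that every role allowed to enqueue an import is covered by a policy that permits INSERT, because for a role that is not the table owner an insert with no applicable policy is rejected and would surface here only as a plain error from RunAs. The enclosing function starts and ends outside the hunk.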
@@ -154,6 +154,34 @@
 FOR ALL TO waterway_admin
 USING (utm_covers(area));
 
+-- Imports and import config
+
+CREATE POLICY same_country ON waterway.imports
+ FOR ALL TO waterway_admin
+ USING (users.current_user_country() = (
+ SELECT country FROM users.list_users lu
+ WHERE lu.username = imports.username));
+ALTER table waterway.imports ENABLE ROW LEVEL SECURITY;
+
+-- The job running the import queue is running as sys_admin and login users
+-- with that role should see all imports anyhow
+CREATE POLICY read_all ON waterway.imports
+ FOR SELECT TO sys_admin
+ USING (true);
+CREATE POLICY update_all ON waterway.imports
+ FOR UPDATE TO sys_admin
+ USING (true);
+
+CREATE POLICY parent_allowed ON waterway.import_logs
+ FOR ALL TO waterway_admin
+ USING (import_id IN (SELECT id FROM waterway.imports));
+ALTER table waterway.import_logs ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY parent_allowed ON waterway.track_imports
+ FOR ALL TO waterway_admin
+ USING (import_id IN (SELECT id FROM waterway.imports));
+ALTER table waterway.track_imports ENABLE ROW LEVEL SECURITY;
+
 CREATE POLICY import_configuration_policy ON waterway.import_configuration
 FOR ALL TO waterway_admin
 USING (
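Review bot: `same_country` is declared `FOR ALL` with only a `USING` clause, so PostgreSQL reuses that expression as the check on new rows, and an INSERT or UPDATE by a waterway_admin may set `username` to any user of the same country rather than only to the session user. If jobs must be created under the caller's own name, a separate insert check is needed, for instance `CREATE POLICY insert_own ON waterway.imports AS RESTRICTIVE FOR INSERT TO waterway_admin WITH CHECK (username = current_user);` (the policy name is only a suggestion; this needs PostgreSQL 10 or later and assumes the session role name equals the stored username). Likewise `update_all` with `USING (true)` lets sys_admin change every column of every row, while the commit message says only the state needs updating; a row policy cannot narrow that, whereas a column-level `GRANT UPDATE (...)` limited to the state column would, depending on grants not visible in this hunk. A row whose username no longer appears in users.list_users makes the subquery yield NULL and so becomes invisible to every waterway_admin, which deserves at least a comment next to the policy.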