changeset 1798:40cbfd268aa9
Row level security for import jobs
Add imports to database as the actual login user. sys_admin then
only needs to read and update (state) import job data.
The way the policies for import_logs and track_imports are implemented
has the side effect that a sys_admin can do anything with all of
them. More fine-grained policies and changes to Go code are needed if
this is a concern.
author | Tom Gottfried <tom@intevation.de> |
---|---|
date | Mon, 14 Jan 2019 17:43:28 +0100 |
parents | 67340ceecc5f |
children | 0e387e0e0d7c |
files | pkg/imports/queue.go schema/auth.sql |
diffstat | 2 files changed, 29 insertions(+), 1 deletions(-) [+] |
--- a/pkg/imports/queue.go Mon Jan 14 17:12:12 2019 +0100
+++ b/pkg/imports/queue.go Mon Jan 14 17:43:28 2019 +0100
@@ -286,7 +286,7 @@
 if trysLeft >= 0 {
 tl = sql.NullInt64{Int64: int64(trysLeft), Valid: true}
 }
- err := auth.RunAs(ctx, queueUser, func(conn *sql.Conn) error {
+ err := auth.RunAs(ctx, user, func(conn *sql.Conn) error {
 return conn.QueryRowContext(
 ctx,
 insertJobSQL,
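Review bot: The switch from `queueUser` to `user` in the `auth.RunAs` call carries a security intent that nothing in the code records: the insert has to run under the login user so that the row level security policies on waterway.imports are evaluated against the caller. A comment above the call would keep a later refactoring from reverting it, for example `// Insert as the login user so that row level security on waterway.imports applies to the caller.` With this change a policy rejection surfaces as `err` from this call; how that error is reported lies outside the hunk, as does the rest of the enclosing function.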
--- a/schema/auth.sql Mon Jan 14 17:12:12 2019 +0100
+++ b/schema/auth.sql Mon Jan 14 17:43:28 2019 +0100
@@ -154,6 +154,34 @@
 FOR ALL TO waterway_admin
 USING (utm_covers(area));
 
+-- Imports and import config
+
+CREATE POLICY same_country ON waterway.imports
+ FOR ALL TO waterway_admin
+ USING (users.current_user_country() = (
+ SELECT country FROM users.list_users lu
+ WHERE lu.username = imports.username));
+ALTER table waterway.imports ENABLE ROW LEVEL SECURITY;
+
+-- The job running the import queue is running as sys_admin and login users
+-- with that role should see all imports anyhow
+CREATE POLICY read_all ON waterway.imports
+ FOR SELECT TO sys_admin
+ USING (true);
+CREATE POLICY update_all ON waterway.imports
+ FOR UPDATE TO sys_admin
+ USING (true);
+
+CREATE POLICY parent_allowed ON waterway.import_logs
+ FOR ALL TO waterway_admin
+ USING (import_id IN (SELECT id FROM waterway.imports));
+ALTER table waterway.import_logs ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY parent_allowed ON waterway.track_imports
+ FOR ALL TO waterway_admin
+ USING (import_id IN (SELECT id FROM waterway.imports));
+ALTER table waterway.track_imports ENABLE ROW LEVEL SECURITY;
+
 CREATE POLICY import_configuration_policy ON waterway.import_configuration
 FOR ALL TO waterway_admin
 USING (
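Review bot: `same_country` is declared `FOR ALL` with only a `USING` clause, so PostgreSQL applies the same expression as the check on inserted and updated rows. The expression tests that `imports.username` belongs to a user of the caller's country, not that it names the caller, so a waterway_admin can write rows attributed to any other user of that country; if this is intended it deserves a comment such as `-- USING also acts as WITH CHECK: written rows must name a user of the caller's country`. When the subquery on users.list_users yields no row for a username the comparison is NULL, so such imports are presumably hidden from every waterway_admin, which is worth confirming for removed users. The two `parent_allowed` policies depend on row level security being applied to their subquery on waterway.imports, and a one-line comment stating that dependency would help the next reader.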