From a865e91ce7f6d7386f3c52c55374d5bd3a44e90b Mon Sep 17 00:00:00 2001
From: xbgmsharp
Date: Fri, 25 Nov 2022 22:22:29 +0100
Subject: [PATCH] Allow anonymous role to excecute telegram and pushover registration function
---
 initdb/02_6_signalk_roles.sql | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/initdb/02_6_signalk_roles.sql b/initdb/02_6_signalk_roles.sql
index ca3b076..a08022a 100644
--- a/initdb/02_6_signalk_roles.sql
+++ b/initdb/02_6_signalk_roles.sql
@@ -18,6 +18,8 @@ select current_database();
 -- api_anonymous role in the database with which to execute anonymous web requests, limit 10 connections
 -- api_anonymous allows JWT token generation with an expiration time via function api.login() from auth.accounts table
 create role api_anonymous WITH NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOLOGIN NOBYPASSRLS NOREPLICATION CONNECTION LIMIT 10;
+--comment on role api_anonymous is
+-- 'The role that PostgREST will switch to when a user is not authenticated.';
 -- Limit to 10 connections
 --alter user api_anonymous connection limit 10;
 grant usage on schema api to api_anonymous;
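Review bot: The `comment on role api_anonymous` statement is committed as commented-out SQL, and the same applies to the role comments for grafana, user_role and vessel_role in the later hunks, while the equivalent `comment on role authenticator` in the next hunk is live, so the inconsistency looks accidental rather than intended. If there is a reason these four are disabled (for example the installing user lacking the privilege to comment on the role), state it in a one-line comment such as `-- comment on role disabled: <reason>`; otherwise either apply the statements or drop the dead lines. The file already carries a similar fragment in `--alter user api_anonymous connection limit 10;`, so this is worth cleaning up rather than extending.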
@@ -27,17 +29,23 @@ grant execute on function api.signup(text,text,text,text) to api_anonymous;
 -- explicitly limit EXECUTE privileges to pgrest db-pre-request function
 grant execute on function public.check_jwt() to api_anonymous;
 -- explicitly limit EXECUTE privileges to only telegram bot auth function
-grant execute on function api.bot(text,text) to api_anonymous;
+grant execute on function api.bot(text,bigint) to api_anonymous;
 -- explicitly limit EXECUTE privileges to only pushover subscription validation function
+grant execute on function api.generate_otp_fn(text) to api_anonymous;
 grant execute on function api.pushover_fn(text,text) to api_anonymous;
+grant execute on function api.telegram_fn(text,text) to api_anonymous;
 -- authenticator
 -- login role
 create role authenticator NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT login password 'mysecretpassword';
+comment on role authenticator is
+ 'Role that serves as an entry-point for API servers such as PostgREST.';
 grant api_anonymous to authenticator;
 -- Grafana user and role with login, read-only, limit 10 connections
 CREATE ROLE grafana WITH NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOBYPASSRLS NOREPLICATION CONNECTION LIMIT 10 LOGIN PASSWORD 'mysecretpassword';
+--comment on role grafana is
+-- 'Role that grafana will use for authenticated web users.';
 GRANT USAGE ON SCHEMA api TO grafana;
 GRANT USAGE, SELECT ON SEQUENCE api.logbook_id_seq,api.metadata_id_seq,api.moorages_id_seq,api.stays_id_seq TO grafana;
 GRANT SELECT ON TABLE api.metrics,api.logbook,api.moorages,api.stays,api.metadata TO grafana;
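Review bot: Granting EXECUTE on `api.generate_otp_fn(text)` to api_anonymous makes OTP generation reachable by unauthenticated callers; the function body is not in this diff, but if it creates or refreshes an OTP for whatever text argument it receives, the function (or the PostgREST layer in front of it) needs per-target rate limiting and a response that does not reveal whether the argument matches a known account, and the grant deserves a comment recording that this was considered. The comment `-- explicitly limit EXECUTE privileges to only pushover subscription validation function` now sits above three grants, so it should be reworded to something like `-- explicitly limit EXECUTE privileges to the OTP, pushover and telegram registration functions`. The `api.bot` grant moves from `(text,text)` to `(text,bigint)`; if the old overload still exists in the schema, check that its EXECUTE privilege has been revoked from PUBLIC, since only the grant line was replaced here.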
@@ -49,6 +57,8 @@ GRANT SELECT ON TABLE api.logs_view,api.moorages_view,api.stays_view TO grafana;
 -- nologin, web api only
 -- read-only for all and Read-Write on logbook, stays and moorage except for specific (name, notes) COLUMNS
 CREATE ROLE user_role WITH NOLOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOBYPASSRLS NOREPLICATION;
+--comment on role user_role is
+-- 'Role that PostgREST will switch to for authenticated web users.';
 GRANT user_role to authenticator;
 GRANT USAGE ON SCHEMA api TO user_role;
 GRANT USAGE, SELECT ON SEQUENCE api.logbook_id_seq,api.metadata_id_seq,api.moorages_id_seq,api.stays_id_seq TO user_role;
@@ -100,6 +110,8 @@ REVOKE TRUNCATE, DELETE, TRIGGER, INSERT ON TABLE api.vessel_p_view FROM user_ro
 -- nologin
 -- insert-update-only for api.metrics,api.logbook,api.moorages,api.stays,api.metadata and sequences and process_queue
 CREATE ROLE vessel_role WITH NOLOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT NOBYPASSRLS NOREPLICATION;
+--comment on role vessel_role is
+-- 'Role that PostgREST will switch to for authenticated web vessels.';
 GRANT vessel_role to authenticator;
 GRANT USAGE ON SCHEMA api TO vessel_role;
 GRANT INSERT, UPDATE, SELECT ON TABLE api.metrics,api.logbook,api.moorages,api.stays,api.metadata TO vessel_role;
@@ -147,6 +159,10 @@ CREATE POLICY api_user_role ON api.metadata TO user_role
 CREATE POLICY api_scheduler_role ON api.metadata TO scheduler USING (client_id = current_setting('vessel.client_id', false)) WITH CHECK (client_id = current_setting('vessel.client_id', false));
+-- Allow scheduler to update and select based on the client_id
+--CREATE POLICY grafana_role ON api.metadata TO grafana
+-- USING (client_id = client_id)
+-- WITH CHECK (client_id = client_id);
 ALTER TABLE api.metrics ENABLE ROW LEVEL SECURITY;
 -- Administrator can see all rows and add any rows
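Review bot: The commented-out `grafana_role` policy on api.metadata uses `USING (client_id = client_id)`, a predicate that is true for every row with a non-null client_id, so if it is ever uncommented it gives grafana unrestricted row visibility on the table while reading as if it filtered; the `owner_email = owner_email` policy on auth.vessels at the end of the patch has the same shape. The comment above it, `-- Allow scheduler to update and select based on the client_id`, describes the neighbouring scheduler policy rather than grafana and should be corrected or removed. If grafana is meant to see every row, express that as `USING (true)` with a comment stating the intent; otherwise drop the placeholder lines rather than committing a disabled policy with a misleading predicate.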
@@ -238,6 +254,9 @@ CREATE POLICY api_user_role ON auth.vessels TO user_role
 WITH CHECK (mmsi = current_setting('vessel.mmsi', false) AND owner_email = current_setting('request.jwt.claims', false)::json->>'email' );
+--CREATE POLICY grafana_role ON auth.vessels TO grafana
+-- USING (owner_email = owner_email)
+-- WITH CHECK (owner_email = owner_email);
 -- Be sure to enable row level security on the table
 ALTER TABLE auth.accounts ENABLE ROW LEVEL SECURITY;