Skip to content

Access Control Lists

Jump to bottom Edit New page
Eldelshell edited this page May 7, 2020 · 2 revisions

Amforeas allows you to control the actions clients can perform on a database without any configuration on the database side. This is useful when you don't hace direct access to the database server.

You still might want to reduce visibility of resources in your database using user-level permissions.

For example, if you don't want Amforeas to access the "users_credit_cards" table, simply remove access to the user you use for amforeas to connect to the database from accesing this table.

Permissions

By default, amforeas run completely open so all methods are allowed. You can set two high level permissions:

  • all
  • none

Fine control is possible using the following permissions:

  • Meta
  • Read
  • Insert
  • Update
  • Delete
  • Exec

Alias Level ACL

For the given configuration

amforeas.alias5.jdbc.driver=PostgreSQL
amforeas.alias5.jdbc.username=sa2
amforeas.alias5.jdbc.password=sa2
amforeas.alias5.jdbc.database=foo_database
amforeas.alias5.jdbc.host=localhost
amforeas.alias5.jdbc.port=5432

The following ACLs apply to all resources that belong to the alias. So for example:

# Completely lock down all request to this alias
# GET /amforeas/alias5/users/1 > 405 Method Not Allowed
# DELETE /amforeas/alias5/users/1 > 405 Method Not Allowed
amforeas.alias5.acl.allow=none

# Only allow read operations
# GET /amforeas/alias5/users > 200 OK
# DELETE /amforeas/alias5/cars/1 > 405 Method Not Allowed
amforeas.alias5.acl.allow=read

# Only allow stored procedures or functions
# GET /amforeas/alias5/users > 405 Method Not Allowed
# DELETE /amforeas/alias5/cars/1 > 405 Method Not Allowed
# POST /amforeas/alias5/call/my_function > 200 OK
amforeas.alias5.acl.allow=exec

Resource level ACLs

Every resource can also be configured to override the alias ACL.

Some examples:

# Lock everything and give fine grained access to some resources
amforeas.alias5.acl.allow=none
amforeas.alias5.acl.rules.users.allow=read,delete
amforeas.alias5.acl.rules.movies.allow=read,insert,update
amforeas.alias5.acl.rules.cats.allow=all

# Lock only some special resources, but everything else is fine
amforeas.alias5.acl.allow=all
amforeas.alias5.acl.rules.users.allow=none
amforeas.alias5.acl.rules.movies.allow=none
amforeas.alias5.acl.rules.cats.allow=read

# You can also reference stored procedures
amforeas.alias5.acl.allow=read,insert,update,delete
amforeas.alias5.acl.rules.my_function_1.allow=exec
amforeas.alias5.acl.rules.my_function_2.allow=none

Amforeas is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or any later version.

Add a custom sidebar
Clone this wiki locally