I'm developing a small database for a library but I'm completely ignorant when it comes to roles and privileges.
I've spent quite some time googling but I still don't truly get the mechanisms.
My aim is to create 3 basic roles:
User with no login (not really an user, just someone who wants to see the books the library has in store, but he can't do any action besides just watching)
User with login (He can preorder books and do other actions)
Admin (He can add new books, authors, genres and can give the admin privileges to other users)
At first I thought I could create these 3 roles specifying the various privileges each one has and then, on the related website, every time someone would connect he would have been considered an "User with no login" until the login which would've determinated whether he is an Admin or not; reading the PostgreSQL documentation I understood it's nothing like this, or perhaps I got it wrong.
I really have no clue what to do, any help would be appreciated.
What you want to do is reasonable. Your webapp should log in with its connection pool as a user (say mywebapp) that is marked NOINHERIT and has no rights except to SET ROLE to three other roles. Each of those roles describes one of the categories of users you mention above. You'll also need to GRANT the rights to access any tables used to look up and authenticate users to the mywebapp user.
When servicing a request, if it's acting on behalf of an anonymous user it does SET ROLE anonymous_web_user; or whatever.
If it's acting as a named user, it does SET ROLE authenticated_user;. You'd GRANT the right to read the table you use for authenticating users to the mywebapp role so it can authenticate them in whatever way your app does so.
If it's acting as an admin, it does SET ROLE admin;. Or, if there aren't many admins and they need different rights, you can make them PostgreSQL users, and SET ROLE the_admin_user_name;. Again, your app would pre-authenticate them, and SET ROLE if it was satisfied with the user's authentication.
When a connection is returned to the pool it is vital that the pool run the query DISCARD ALL; to clear the connection's role setting.
So, for example, you might:
CREATE ROLE mywebapp WITH LOGIN NOINHERIT;
CREATE ROLE anonymous_web_user;
CREATE ROLE authenticated_user;
CREATE ROLE admin_user;
-- 'mywebapp' can become anyone, but by default doesn't
-- get the rights of any of them since it's marked NOINHERIT
GRANT admin_user TO mywebapp;
GRANT anonymous_web_user TO mywebapp;
GRANT authenticated_user TO mywebapp;
-- All admins are authenticated users, since authenticated_user
-- is INHERITable
GRANT authenticated_user TO admin_user;
-- All authenticated users have the rights of anon users too
GRANT anonymous_web_user TO authenticated_user;
-- The app must be able to look up users
GRANT SELECT ON some_users_table TO mywebapp;
-- but only admins can change them
GRANT ALL ON some_users_table TO admin_user;
...
See Role membership.
Related
I'm currently trying to find the best process for managing admin privileges throughout my PostgreSQL databases. What I am trying to do is assign permissions that are sufficient enough for in an admin role group where I can GRANT a user (another admin) to inherit the permissions of the role group; however, I'm not sure if this can be done or how to do this. The admin role group's privileges should be the following:
Able to add users
Able to view users and permissions in a database
Able to reset a user's password, dropping a user, or resetting a user's name
Able to show grants of a particular user
Able to add specific permissions for a user to a schema and table. (So have permissions to the database and tables)
For auditing purposes, should I even go with this approach of creating a role group or add a user (admin) with no role group? I remember reading that the role group would show as who did any changes rather than the specific user. Would appreciate clarification on this.
Thanks for reading my post.
I am currently trying to set up keycloak for a production scenario in which I have different contexts, each with users and admins. The admin should only be able to impersonate users from his context.
Giving an admin permission in the form of permissions to impersonate all users is not a problem. but how can I solve the above task? Can one of keycloak built in concepts (groups, roles, realms, scopes etc.) help me?
You have to enable --features=admin-fine-grained-authz and then.
Put your users into a group.
Create another user and grant this user "query-groups" and
"impersonation" roles (from the "realm-management" or "master-realm"
client, depending on the realm).
Go to your group, enable permissions, open "view" permission, and add a
user policy to allow the user to view a group, then repeat for "view-members" permission.
FInd more details here
and here
The MongoDB documentation indicates that a user can be created with any database as its authentication database. Is there any reason I would choose to create my user in the 'admin' database, unless I intended to grant it cluster level privileges?
Should I avoid creating users in the 'admin' database unless the above criteria applies?
Where the user is stored does not influence what privileges are granted to the user.
If you prefer to have all users defined in the same place, it makes sense to keep them in the admin database.
If your users have access to one database each and you prefer to have users defined in the database that they have access to, it could make sense to define them in the database they have access to.
In either case which databases the users have access to, and what operations they are allowed to perform, can be defined per user.
If you store users in admin database, but the client is connecting to another database, the authSource must be explicitly specified when connecting.
I have a database with an owner for it. My problem is that, though i have assigned a password for the owner, any other db user can access this database locally, even without password.
How can i configure the database so that only a specific user has access to it (only with right password)?
Making first steps with Dreamfactory and followed the tutorial I am not finding, how could I apply role to the user, when I want user to access some service (and not app).
Here
http://wiki.dreamfactory.com/DreamFactory/Tutorials/Accessing_SQL_tables
is described, how to create such role, but on User-tab there is no place to apply roles for services, there is only list of apps.
How could I achieve it?
I'll do my best to explain
Access to services is always controlled by Roles. You can have as many or as few Roles as you like.
Apps (API Keys) can have a default Role, but it is not required.
If the app has a default Role, then no JWT is needed to access. The call is made with API Key only, and the default Role is used to allow or deny access to services.
If the app does NOT have a default Role, then a user session (JWT) needs to be included in the call, in which case the User and App are correlated to a Role, and that Role is used to allow or deny access to services. A User may have a different Role for each App.
Assigning the user to app to role relationship is done via the User management tab.
So with that in mind, you need to create a role that defines access to your desired services. Then you need to assign that role to the user for a particular app (api key.) Then when you make your api calls you will make them with the user's session and the api key included, and the role will allow or deny access to services as you defined it.