Authorization
SlashDB users can be granted permissions to:
Personal Information
The very basic authorization is to the API (and GUI) and some of the account information.
A user who knows credentials and has not been granted any permissions is able to access only his own user configuration and change only some of those settings: password, API key, full name, email.
For example user john makes a GET request for his user information using API. Request is authenticated by passing john's ApiKey.
curl -i "https//localhost/userdef/john.json" \
-H "apikey: 3pewxln1nnrm3lcz04vuj0rmisveya6q"
or viewing it in GUI by clicking on user's name (john) in upper right corner and selecting settings
from dropdown menu
to show with modal with user's information.
Data
As described in the intro at the top of this document, access to data for each user is determined by database mappings.
By mapping SlashDB users to actual database logins:
- we leverage security mechanisms which are built into databases (GRANT, GROUPS, ROLES etc.),
- each SlashDB account can have different effective privileges on database objects (e.g. only SELECT),
- we avoid maintenance of complicated logic of permissions to resources in the API.
These mappings are configured on the User Configuration screen.
Access to data via Data Discovery
Authenticated SlashDB user have access only to databases that were set in the user's database mappings and only those databases will be listed on the Data Discovery home page /db
.
Example
Let's give "mike" only read permission by mapping him to database login "ro_hr" that is granted only SELECT.
MySQL "ro_hr" login
SlashDB user "mike"
We can get data with no problem.
curl -i 'http://localhost/db/hr/departments.json' -H 'apikey: pgtw8mgdamjzx99m5mxf8sfeipwkdw0u'
HTTP/1.1 200 OK
But we can't create and we get explanation of the problem in header "Warning" and in the body of the response.
curl -i -X POST 'http://localhost/db/hr/departments.json' \
-H 'apikey: pgtw8mgdamjzx99m5mxf8sfeipwkdw0u' \
-d '{"dept_name": "New Dept", "dept_no": "d020"}'
HTTP/1.1 404 Not Found
Warning: (_mysql_exceptions.OperationalError) (1142, "INSERT command denied to user 'ro_hr'@'pc140.home' for table 'departments'")
{"http_code": 404, "description": "(_mysql_exceptions.OperationalError) (1142, \"INSERT command denied to user 'ro_hr'@'pc140.home' for table 'departments'\")"}
Access to data via SQL Pass-Thru
Two levels of authorization have to be configured to execute query:
-
The user must be allowed to execute the query. When we want to execute query Query Configuration we can define list of users allowed to execute SQL Pass-Thru query.
-
Database login that will be used to execute query in database must have right privileges.
SlashDB Configurations
SlashDB contains database, user and SQL Pass-Thru query configurations. Typically modifying those is restricted to user "admin", but regular users can be given permission to access and modify those settings too. These are particularly useful if you need to create one or more power user with certain administrative privileges granted to them.
In Database Configuration we can:
- allow users to view/edit specific database definition
- allow users to connect/disconnect specific database
In User Configuration we can:
- allow other users to view/edit the specific user configuration
- allow the user to view list of databases, users, SQL Pass-Thru queries
- allow the user to create new databases, users and SQL Pass-Thru queries
In Query Configuration we can:
- allow users to view/edit the query configuration
- allow users to run the SQL Pass-Thru query