Authorization

SlashDB users can be granted permissions to:

• Personal Information
• Data
• SlashDB Configurations

Personal Information

The very basic authorization is to the API (and GUI) and some of the account information.

A user who knows credentials and has not been granted any permissions is able to access only his own user configuration and change only some of those settings: password, API key, full name, email.

For example user john makes a GET request for his user information using API. Request is authenticated by passing john's ApiKey.

curl -i "https//localhost/userdef/john.json" \
-H "apikey: 3pewxln1nnrm3lcz04vuj0rmisveya6q"

or viewing it in GUI by clicking on user's name (john) in upper right corner and selecting settings from dropdown menu

to show with modal with user's information.

Data

As described in the intro at the top of this document, access to data for each user is determined by database mappings.

By mapping SlashDB users to actual database logins:

• we leverage security mechanisms which are built into databases (GRANT, GROUPS, ROLES etc.),
• each SlashDB account can have different effective privileges on database objects (e.g. only SELECT),
• we avoid maintenance of complicated logic of permissions to resources in the API.

These mappings are configured on the User Configuration screen.

Access to data via Data Discovery

Authenticated SlashDB user have access only to databases that were set in the user's database mappings and only those databases will be listed on the Data Discovery home page /db.

Example

Let's give "mike" only read permission by mapping him to database login "ro_hr" that is granted only SELECT.

MySQL "ro_hr" login

SlashDB user "mike"

We can get data with no problem.

curl -i 'http://localhost/db/hr/departments.json' -H 'apikey: pgtw8mgdamjzx99m5mxf8sfeipwkdw0u'
HTTP/1.1 200 OK

But we can't create and we get explanation of the problem in header "Warning" and in the body of the response.

curl -i -X POST 'http://localhost/db/hr/departments.json' \
-H 'apikey: pgtw8mgdamjzx99m5mxf8sfeipwkdw0u' \
-d '{"dept_name": "New Dept", "dept_no": "d020"}'

HTTP/1.1 404 Not Found
Warning: (_mysql_exceptions.OperationalError) (1142, "INSERT command denied to user 'ro_hr'@'pc140.home' for table 'departments'")

{"http_code": 404, "description": "(_mysql_exceptions.OperationalError) (1142, \"INSERT command denied to user 'ro_hr'@'pc140.home' for table 'departments'\")"}

Access to data via SQL Pass-Thru

Two levels of authorization have to be configured to execute query:

1. The user must be allowed to execute the query. When we want to execute query Query Configuration we can define list of users allowed to execute SQL Pass-Thru query.

2. Database login that will be used to execute query in database must have right privileges.

SlashDB Configurations

SlashDB contains database, user and SQL Pass-Thru query configurations. Typically modifying those is restricted to user "admin", but regular users can be given permission to access and modify those settings too. These are particularly useful if you need to create one or more power user with certain administrative privileges granted to them.

In Database Configuration we can:

• allow users to view/edit specific database definition
• allow users to connect/disconnect specific database

In User Configuration we can:

• allow other users to view/edit the specific user configuration
• allow the user to view list of databases, users, SQL Pass-Thru queries
• allow the user to create new databases, users and SQL Pass-Thru queries

In Query Configuration we can:

• allow users to view/edit the query configuration
• allow users to run the SQL Pass-Thru query