Make requests access controllable

[PittyXu]

Now, apis are open for all, and only support JWT in the plan. I think we can do some fine-grained control by putting some rules into configuration files or databases. My proposed control structure is as follows:

/**
 * Request access control
 * @param name rest path name, not directly expose table names
 * @param operation rest operation, READ COUNT CREATE UPDATE DELETE SCHEMA FUNCTION PROCEDURE
 * @param schema real database schema name
 * @param table real database table name
 * @param columns May it is a mapping for support alias to real database columns, and limit return columns
 * @param verifier for to verify params, may some limit regular or custom extension
 * @param permissions for to user permission filter, may support some roles like UNKNOWN, LOGIN, OWNER, ADMIN, CUSTOMER
 */
public record Access(String name, Operation operation, String schema, String table, Map<String, String> columns, String verifier, String[] permissions) {
}

[thadguidry]

My particular opinion on access control is to create a new DB user and within the databases' own Roles and Access controls, configure that user to only allow access for the types of operations warranted (READ, WRITE, etc.) and for only those tables / schema that the user should have access to.

It seems in your proposal, that you want to move access control (or some of it) into DB2Rest directly? That is inherently impossible, since there is always a reliance on a DB user and their given access, that you must configure with DB2Rest that makes connections with that said user. If access rights are even semi-controlled by DB2Rest, then that makes it, in my opinion, harder for everyone to reason with and makes setups harder to be more secure, not easier to secure?

Or did I misunderstand your intentions?

[PittyXu]

What I'm thinking is that the control granularity may vary among different databases, and not all teams have professional DBAs. And db2rest use spring default datasource, if integrating other modules may requires dependency on other private tables.

jcasbin is a good way for this.

[kdhrubo]

The suggestion is for implementing an access control with JWT - user and data access.
Noting to do with DB user used to connect to the database.

In other words, handle entitlement for the application user.

jcasbin is a good project that I believe does this.

[PittyXu]

It's a good way. And is it possible not to directly expose the table name to the rest.

[thadguidry]

what if you instead made a view of an existing table that was customized or had obfuscated column names? BTW, which database are you trying to support or currently using?

[PittyXu]

I use mariadb, in my opinion, for database should strictly, everything that is not in the access list is returned as 404.

[kdhrubo]

Why was this discussion closed?

Btw I am not in favor of db changes or writing rules in db tables. Ideally as much as possible DB2Rest should not force dba or anyone to add new tables and entries.

May be this won't apply if we were to support database schema evolution ever.

[kdhrubo]

@PittyXu
Security is now in place.
Docs only showing Basic auth, but API key support and JWT is also added. Need to update docs.

Closing