docs: Add section on database access control

iterize · Oct 18, 2023 · 5fbf4cc · 5fbf4cc
1 parent a4514db
commit 5fbf4cc
Show file tree

Hide file tree

Showing 6 changed files with 33 additions and 5 deletions.
diff --git a/docs/pages/_meta.json b/docs/pages/_meta.json
@@ -7,7 +7,7 @@
     "type": "separator",
     "title": "Guides"
   },
-  "overview": "Overview",
+  "overview": "System overview",
   "connect": "Connecting the first sensor",
   "data": "Data format",
   "export": "Working with the data",

diff --git a/docs/pages/export.mdx b/docs/pages/export.mdx
@@ -62,3 +62,31 @@ You can access the other tables in the same way, e.g. to explore configurations
   `(sensor_identifier, revision)` to match each measurement with the associated
   configuration.
 </Callout>
+
+## Database access control
+
+The server should be the only user with write access to the database. If you want to give other people read access to the data, you should create a read-only user:
+
+```sql
+CREATE ROLE reader WITH LOGIN PASSWORD '12345678';
+GRANT CONNECT ON DATABASE database TO reader;
+GRANT USAGE ON SCHEMA public TO reader;
+-- Grant read-only access to all tables in the public schema
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO reader;
+```
+
+<Callout type="info" emoji="💡">
+  See the [PostgreSQL documentation](https://www.postgresql.org/docs/) for more
+  details on managing users and permissions.
+</Callout>
+
+To restrict read-only access to certain networks, sensors, or attributes, you can use views. Instead of granting the `reader` user access to all tables, we can grant access only to measurements from a certain sensor:
+
+```sql
+CREATE VIEW measurement_single_sensor AS
+SELECT *
+FROM measurement
+WHERE sensor_identifier = '81bf7042-e20f-4a97-ac44-c15853e3618f';
+-- Grant read-only access only to the view
+GRANT SELECT ON measurement_single_sensor TO reader;
+```
diff --git a/docs/pages/overview.mdx b/docs/pages/overview.mdx
@@ -1,4 +1,4 @@
-# Overview
+# System overview
 
 Tenta consists of a server and a dashboard. The server communicates with the sensors via an intermediate MQTT broker and exposes a REST API for the dashboard. Data is stored in a PostgreSQL+TimescaleDB database.
 

diff --git a/docs/pages/roadmap.mdx b/docs/pages/roadmap.mdx
@@ -14,4 +14,4 @@
 
 ---
 
-If you have ideas that are not listed here, don't hesitate to open a discussion on GitHub! 🍰
+If you have a feature in mind that's not listed here, don't hesitate to open a discussion on GitHub! 🍰
diff --git a/server/app/errors.py b/server/app/errors.py
@@ -7,7 +7,7 @@
 ########################################################################################
 
 
-async def handler(request, exc):
+async def handle(request, exc):
     """Return JSON instead of the default text/plain for handled exceptions."""
     return starlette.responses.JSONResponse(
         status_code=exc.status_code,

diff --git a/server/app/main.py b/server/app/main.py
@@ -551,7 +551,7 @@ async def lifespan(app):
         starlette.middleware.Middleware(auth.AuthenticationMiddleware),
     ],
     exception_handlers={
-        starlette.exceptions.HTTPException: errors.handler,
+        starlette.exceptions.HTTPException: errors.handle,
         500: errors.panic,
     },
 )