From 5fbf4ccf6e77d696e4fa8d989fb18e5e1052de17 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20B=C3=B6hm?= Date: Tue, 17 Oct 2023 20:49:59 -0400 Subject: [PATCH] docs: Add section on database access control --- docs/pages/_meta.json | 2 +- docs/pages/export.mdx | 28 ++++++++++++++++++++++++++++ docs/pages/overview.mdx | 2 +- docs/pages/roadmap.mdx | 2 +- server/app/errors.py | 2 +- server/app/main.py | 2 +- 6 files changed, 33 insertions(+), 5 deletions(-) diff --git a/docs/pages/_meta.json b/docs/pages/_meta.json index 6329a38..d51d4c4 100644 --- a/docs/pages/_meta.json +++ b/docs/pages/_meta.json @@ -7,7 +7,7 @@ "type": "separator", "title": "Guides" }, - "overview": "Overview", + "overview": "System overview", "connect": "Connecting the first sensor", "data": "Data format", "export": "Working with the data", diff --git a/docs/pages/export.mdx b/docs/pages/export.mdx index 998ca03..5b040f9 100644 --- a/docs/pages/export.mdx +++ b/docs/pages/export.mdx @@ -62,3 +62,31 @@ You can access the other tables in the same way, e.g. to explore configurations `(sensor_identifier, revision)` to match each measurement with the associated configuration. + +## Database access control + +The server should be the only user with write access to the database. If you want to give other people read access to the data, you should create a read-only user: + +```sql +CREATE ROLE reader WITH LOGIN PASSWORD '12345678'; +GRANT CONNECT ON DATABASE database TO reader; +GRANT USAGE ON SCHEMA public TO reader; +-- Grant read-only access to all tables in the public schema +GRANT SELECT ON ALL TABLES IN SCHEMA public TO reader; +``` + + + See the [PostgreSQL documentation](https://www.postgresql.org/docs/) for more + details on managing users and permissions. + + +To restrict read-only access to certain networks, sensors, or attributes, you can use views. Instead of granting the `reader` user access to all tables, we can grant access only to measurements from a certain sensor: + +```sql +CREATE VIEW measurement_single_sensor AS +SELECT * +FROM measurement +WHERE sensor_identifier = '81bf7042-e20f-4a97-ac44-c15853e3618f'; +-- Grant read-only access only to the view +GRANT SELECT ON measurement_single_sensor TO reader; +``` diff --git a/docs/pages/overview.mdx b/docs/pages/overview.mdx index 54b86de..5624336 100644 --- a/docs/pages/overview.mdx +++ b/docs/pages/overview.mdx @@ -1,4 +1,4 @@ -# Overview +# System overview Tenta consists of a server and a dashboard. The server communicates with the sensors via an intermediate MQTT broker and exposes a REST API for the dashboard. Data is stored in a PostgreSQL+TimescaleDB database. diff --git a/docs/pages/roadmap.mdx b/docs/pages/roadmap.mdx index 04e682d..1a24f33 100644 --- a/docs/pages/roadmap.mdx +++ b/docs/pages/roadmap.mdx @@ -14,4 +14,4 @@ --- -If you have ideas that are not listed here, don't hesitate to open a discussion on GitHub! 🍰 +If you have a feature in mind that's not listed here, don't hesitate to open a discussion on GitHub! 🍰 diff --git a/server/app/errors.py b/server/app/errors.py index 7006507..9b586f7 100644 --- a/server/app/errors.py +++ b/server/app/errors.py @@ -7,7 +7,7 @@ ######################################################################################## -async def handler(request, exc): +async def handle(request, exc): """Return JSON instead of the default text/plain for handled exceptions.""" return starlette.responses.JSONResponse( status_code=exc.status_code, diff --git a/server/app/main.py b/server/app/main.py index 2e9298c..88926c2 100644 --- a/server/app/main.py +++ b/server/app/main.py @@ -551,7 +551,7 @@ async def lifespan(app): starlette.middleware.Middleware(auth.AuthenticationMiddleware), ], exception_handlers={ - starlette.exceptions.HTTPException: errors.handler, + starlette.exceptions.HTTPException: errors.handle, 500: errors.panic, }, )