
Add security invoker to shipping views to enable row-level security #368

Merged
merged 8 commits into from
Aug 23, 2023

Conversation

davereinhart
Contributor

@davereinhart davereinhart commented Jul 31, 2023

Requires ID3C PR: seattleflu/id3c#328

Adds security_invoker = true to shipping views to implement row-level security added in the above PR. Adds cascadia and reporter-cascadia roles, and related constraints to enforce row-level security on appropriate tables.

@davereinhart davereinhart requested a review from a team as a code owner July 31, 2023 16:33
Contributor

@bencap bencap left a comment


Looks good. I think the tests are failing because of the lack of a tag but you may be waiting for the ID3C PR?

And then similar to the PR in ID3C, I think we need to update our sqitch.conf file here as well to be able to deploy.

Databases are no longer directly accessible, and each environment may have connections to ID3C configured differently, so replacing hard-coded URIs with placeholders. `sqitch.template.conf` should be copied to `sqitch.conf` and the database connection URIs should be updated in that file prior to running sqitch commands.
@davereinhart davereinhart force-pushed the shipping-views-security-invoker branch 3 times, most recently from af5d20f to cdd54bf Compare August 18, 2023 21:16
Implementing project-specific row-level security with newly added role and related constraint on sample table.
Adds trigger functions to ensure that row-level security for sequencing data matches the security in place on the corresponding sample record.

The `access_role` value is initially set on the sample record (enforced with a check constraint) and then must match across related sequencing records (enforced with these trigger functions).
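The mechanism described in the PR description and in the commit messages above, as an added example that is not code from this repository or from seattleflu/id3c: a check constraint fixes `access_role` on `sample`, a trigger keeps the sequencing record's `access_role` in step with its sample, row-level security policies on both tables admit a restricted row only to members of the role it names, and the shipping view is created with `security_invoker = true` so those policies are evaluated as the querying role rather than as the view owner. The `warehouse` and `shipping` schema names, the `sequence_read_set` table, the column names, the `reporter-other` role, the sample rows, and the rule that a NULL `access_role` means "unrestricted" are assumptions made for the illustration; the page names only `sample`, `access_role`, `cascadia`, `reporter-cascadia` and the `security_invoker` option. The view option requires PostgreSQL 15 or later.

```sql
-- Added illustration, not the project's migration code. Assumed names:
-- schemas warehouse/shipping, table sequence_read_set, role reporter-other,
-- and "NULL access_role = unrestricted". Needs PostgreSQL 15+.

create role cascadia nologin;            -- project role named in access_role
create role "reporter-cascadia" login;   -- reporting login for that project
grant cascadia to "reporter-cascadia";
create role "reporter-other" login;      -- constructed: a login outside the project

create schema warehouse;
create schema shipping;

create table warehouse.sample (
    sample_id   integer primary key,
    identifier  text not null unique,
    access_role text,
    -- The gate is set once on the sample; the check limits it to known roles.
    constraint sample_access_role_check
        check (access_role is null or access_role in ('cascadia'))
);

create table warehouse.sequence_read_set (
    sequence_read_set_id integer primary key,
    sample_id   integer not null references warehouse.sample (sample_id),
    access_role text
);

-- A sequencing row must carry the same access_role as its sample; otherwise a
-- child row could fall under a different policy than the sample it belongs to.
create function warehouse.access_role_matches_sample() returns trigger
language plpgsql as $$
declare
    sample_access_role text;
begin
    select access_role into sample_access_role
      from warehouse.sample
     where sample_id = new.sample_id;

    if new.access_role is distinct from sample_access_role then
        raise exception 'access_role % does not match access_role % of sample %',
            new.access_role, sample_access_role, new.sample_id;
    end if;
    return new;
end
$$;

create trigger sequence_read_set_access_role_matches_sample
    before insert or update of sample_id, access_role on warehouse.sequence_read_set
    for each row execute function warehouse.access_role_matches_sample();

-- Row-level security: a restricted row is readable only by members of the
-- role it names. pg_has_role() checks membership of the current role.
alter table warehouse.sample enable row level security;
create policy sample_read on warehouse.sample for select
    using (access_role is null or pg_has_role(current_user, access_role, 'MEMBER'));

alter table warehouse.sequence_read_set enable row level security;
create policy sequence_read_set_read on warehouse.sequence_read_set for select
    using (access_role is null or pg_has_role(current_user, access_role, 'MEMBER'));

-- By default a view runs with its owner's privileges, so the policies above
-- would never see the reporting role. security_invoker makes permission
-- checks and RLS on the underlying tables use the caller's role instead.
create view shipping.sample_with_sequencing
    with (security_invoker = true) as
    select s.identifier, s.access_role, r.sequence_read_set_id
      from warehouse.sample s
      left join warehouse.sequence_read_set r using (sample_id);

-- Because the view now runs as the invoker, readers also need SELECT on the
-- base tables, not just on the view.
grant usage on schema warehouse, shipping to "reporter-cascadia", "reporter-other";
grant select on warehouse.sample, warehouse.sequence_read_set,
                shipping.sample_with_sequencing
    to "reporter-cascadia", "reporter-other";

-- Constructed sample data, loaded as the table owner (not subject to RLS).
insert into warehouse.sample values
    (1, 'open-sample', null),
    (2, 'cascadia-sample', 'cascadia');
insert into warehouse.sequence_read_set values
    (10, 1, null),
    (11, 2, 'cascadia');

-- Same query, two callers: a member of cascadia and a login outside it.
set role "reporter-cascadia";
select identifier, sequence_read_set_id from shipping.sample_with_sequencing;
reset role;

set role "reporter-other";
select identifier, sequence_read_set_id from shipping.sample_with_sequencing;
reset role;
```

Run as a superuser against a scratch database. The first query, as `reporter-cascadia`, returns both samples because the login is a member of `cascadia`; the second, as `reporter-other`, returns only `open-sample`. For views that already exist, the same option is applied with `ALTER VIEW ... SET (security_invoker = true)`. Two caveats: table owners and superusers bypass row-level security unless `ALTER TABLE ... FORCE ROW LEVEL SECURITY` is set, so a view owned by the table owner without `security_invoker` would expose every row; and the trigger here guards only the sequencing side, so a later change to a sample's `access_role` is not propagated to its sequencing records by this example.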
@davereinhart davereinhart force-pushed the shipping-views-security-invoker branch from b9962fd to 1e13387 Compare August 21, 2023 18:09
Contributor

@bencap bencap left a comment


Tested locally and roles + access control + rls checks looked good

@davereinhart davereinhart merged commit 8ae5c55 into master Aug 23, 2023
4 checks passed
@davereinhart davereinhart deleted the shipping-views-security-invoker branch August 23, 2023 19:08
@davereinhart
Contributor Author

Deployed via sqitch.
