fix(rbac): auto-create RLS policy on user creation#185
Open
KinshukSS2 wants to merge 1 commit into
Open
Conversation
Closes Issue istSOS#28 — eliminates two-step user provisioning. After POST /Users, a newly created user had no RLS policy and could not access any data until an administrator separately called POST /Policies. This commit fixes that by automatically calling the appropriate policy function inside the same transaction as user creation. Changes: - api/app/v1/endpoints/create/user.py * Add module-level _POLICY_FN_MAP (viewer/editor/obs_manager/sensor). * Capture app_role before get_db_role_for_rbac() remaps it, so the correct policy function can be dispatched. * After GRANT, call sensorthings.<role>_policy([username], policyname) with policyname = '{username}_default'. Administrator is skipped — admins bypass RLS by privilege, not by policy. * Policy functions already exist in the DB (istsos_auth.sql); no migration required. - api/app/v1/endpoints/functions.py * Add docstrings to _validate_role_identifier() and set_role(). - api/app/v1/endpoints/create/data_array_observation.py * Import shared set_role() helper (was already using the correct upstream version; this import makes the dependency explicit). - api/tests/test_rls_policy_creation.py (new) * Tests: correct policy function per role, administrator exclusion, naming convention, users_ as text[]. - api/tests/test_rbac_set_role_safety.py (new) * Tests: identifier validation, injection rejection, shared helper usage in data_array_observation.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR Description
Summary
POST /Usersnow automatically attaches the user's default RLS policy in the same transaction as user creation. No separatePOST /Policiescall is required.What changed
api/app/v1/endpoints/create/user.pyAdded
_POLICY_FN_MAP(module-level constant) and a policy dispatch block after theGRANTstatement:After
GRANT,app_roleis captured beforeget_db_role_for_rbac()remaps it, then:Notes
istsos_auth.sql). No migration needed.api/app/v1/endpoints/functions.pyDocstrings added to:
_validate_role_identifier()set_role()api/tests/test_rls_policy_creation.py(new, 12 tests)Covers:
{username}_defaultnaming conventionusers_passed aslist[str](maps totext[])api/tests/test_rbac_set_role_safety.py(new, 8 tests)Covers:
set_role()identifier validationValueErrordata_array_observationconfirmed to use shared helperContext
The
set_role()SQL injection fix was already merged upstream (cbbcd78) before this PR.The unique change here is the auto-policy dispatch in
create_user().Testing
Result