RestHeart ACL - User access controls for databases

Question

I'm using restheart 6, with mongoAclAuthorizer and mongoRealmAuthenticator.

I have no problem managing users or databases, but I'm not understanding how to restrict a user to access only the databases I allow.

I'm reading the documentation (https://restheart.org/docs/security/authorization/) about ACL, but I didn't find what I need. By looking at the examples, looks like a user from the role "users" would be able to access all databases.

I guess the answer is in the predicate. Let's say I have two users: userA and userB both with the role "user". I want userA to access database1 and userB to access database2.

The way the doc shows, looks like it's missing something that I wrote in brackets, which I know it doesn't exists, it is only to exemplify) ([user=userA] and [user=userB]).

role: user
predicate: [user=userA] and path-prefix[path="/database1"] and method[value="GET"] 
role: user
predicate: [user=userB] and path-prefix[path="/database2"] and method[value="GET"]

Can anyone help me?

Does anyone knows where is the "predicate" documentation? – mcardia May 27 '21 at 14:54 — mcardia, May 27 '21 at 14:54

score 2 · Accepted Answer · answered May 27 '21 at 14:27

It's easier than it looks. The roles "admin" and "user" are not mandatory. You can create your own roles and use them as needed.

In my case above, I created four new roles: role-database1-rw, role-database1-ro, role-database2-rw and role-database2-ro.

And I've attached the userA to the roles role-database1-rw and role-database2-ro, and the userB to to the roles role-database1-ro and role-database2-rw.

Then, I created the ACLs:

roles: role-database1-rw
predicate: "path-prefix[/database1] and (method[GET] or method[POST] or method[PUT] or method[DELETE])"

roles: role-database1-ro
predicate": "path-prefix[/database1] and method[GET]"

roles: role-database2-rw
predicate: "path-prefix[/database2] and (method[GET] or method[POST] or method[PUT] or method[DELETE])"

roles: role-database2-ro
predicate: "path-prefix[/database2] and method[GET]"

This way, the userA can read from database1 and 2 and write on database1. And the userB can read from database1 and 2 and write on database2.

Let us know if we can improve the documentation, we are working to upgrade it for v6 and it's quite a load of work https://github.com/SoftInstigate/restheart-website — mturatti, May 28 '21 at 08:06

RestHeart ACL - User access controls for databases

1 Answers1