Hello everyone,
I’d like to offer my customers a graph database for knowledge management or just note taking.
So every customer would get a dedicated child database with a graph.
How would I secure each single child database, so that only the owner is allowed to query the database?
I saw this guide here. The problem for my case is that I want to restrict the role on a database and not only on collections.
So I’d somehow need to create a role which can only access the database, if it’s somehow referenced in the users collection. Would that work and be safe or am I missing something? To me this looks a bit like a hack.
My only idea would be the following:
I create a users collection with a metadata fiel like “owns_database”. So a user can own a database. Then on the server side code, I’d login the user (using fauna auth feature) and then check if the user owns the database thats being queried.
My problem here would be, that I do auth on my server side code and not built in with Fauna.
Is there a better solution for this, which is maybe even offered by Fauna?
Tokens are generated for an instance in a database. ABAC roles do not extend across databases. Even child databases.
From a login perspective, each user would login with credentials in the child database. So, in this don’t really consider them child databases. The fact that they exist as children of the same single database is convenient for organization and billing.
As one alternative, you may be able to manage users and logins through a common parent db. Then you could use ABAC roles on the parent db to create a Key for one of the child databases. Or maybe you could have a server which, having verified identity, could create an additional Token for an instance on the child database. Either way, the user ends up with 2 Keys/Tokens. One for parent db and one for the child db — if the user wants to read and/or make changes to both dbs, expect to use two clients using the respective Keys/Tokens.
Thank you for the answer and sorry for my late reply.
I think I’m gonna have to go with one database and a collection (or more) per user. In the users collection I would then have have an additional field which stores the names of their collections. So they login with the normal Fauna process and then my code queries which collections they can access.