
Activation

💡 TL;DR - Row Level Security with Grant Permissions on User Roles

Security requires a persistent store that identifies valid users and their roles. This can be a directory such as LDAP or Microsoft AD, or a security SQL database.

Projects are initially created without security. Use the command below to add security using your own database; this also lets you add User properties for use in Grant declarations (see Add User properties for Grants, below).

For example, use your IDE's terminal window positioned at your project root:

cd <project-root>  # typically done in your IDE
ApiLogicServer add-auth --db-url=mysql+pymysql://root:p@localhost:3306/authdb

You can use the SQLite version:

cd <project-root>  # typically done in your IDE
ApiLogicServer add-auth --db-url=auth 

 

Security Database Structure

authdb

Except for the sample project, projects are created with security disabled. So, a typical project creation sequence might be:

  1. Create your project without security

    • Verify connectivity, API operation, Admin App operation, etc.
  2. Activate Security

This page describes how to activate security.

 

Explore Security Samples

You might want to begin by exploring the samples below.

 

Northwind Sqlite Sample

Security is automatically enabled when building the sample app. Explore / test it as described in Authorization.

Or, you can create the sample application without customizations, and then add security using the add-auth command:

ApiLogicServer add-auth --db_url=auth

The add-auth command will:

  1. Add the sqlite database and models, using ApiLogicServer add-db --db_url=auth --bind_key=authentication
  2. Add the `User.Login` endpoint to the User model
  3. Set SECURITY_ENABLED in conf/config.py
  4. Configure the Authentication-Provider (you can substitute your own Authentication-Provider)
  5. Add Sample authorizations to security/declare_security.py

 

Postgres Docker northwind

You can use the docker databases as shown below. If you haven't already done so, first create the docker network (only required once):

docker network create dev-network

docker run -d --name postgresql-container --net dev-network -p 5432:5432 -e PGDATA=/pgdata -e POSTGRES_PASSWORD=p apilogicserver/postgres:latest

ApiLogicServer create --project_name=postgres-nw --db_url=postgresql://postgres:p@localhost/postgres

cd postgres-nw
ApiLogicServer add-auth --project_name=. --db_url=postgresql://postgres:p@localhost/authdb

Let's review how this database was created.

1. Create the Postgres NW database

You can find the creation information here:

PostgreSQL-authdb-create

After using the Postgres CLI to create the database, verify it exists:

PostgreSQL-authdb

 

MySQL docker classicmodels

As noted above, you can use the docker databases as shown below. If you haven't already done so, first create the docker network (only required once):

docker network create dev-network

docker run --name mysql-container --net dev-network -p 3306:3306 -d -e MYSQL_ROOT_PASSWORD=p apilogicserver/mysql8.0:latest

ApiLogicServer create --project_name=classicmodels  --db_url=classicmodels

cd classicmodels
ApiLogicServer add-auth --project_name=. --db_url=mysql+pymysql://root:p@localhost:3306/authdb

 

Using your own authdb

In most cases, you will create your own authdb:

  1. To use the same kind of DBMS you are using for your data

  2. To introduce additional properties for use in Grants -- see the first section below

Add User properties for Grants

For example, the nw security example has the following multi-tenant Grant:

Grant(  on_entity = models.Category,    # illustrate multi-tenant - u1 shows only row 1
        to_role = Roles.tenant,
        filter = lambda : models.Category.Client_id == Security.current_user().client_id)  # User table attributes

Here, our custom authdb has added the client_id column to the User table, and the filter uses it to restrict tenants to their own company's rows. Because the value comes from the authenticated user's record (Security.current_user()) rather than from the request, a client cannot widen the filter by changing request parameters.
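To make the mechanism concrete, here is an added example (not ApiLogicServer's own code) that simulates what such a Grant does: the authenticated user's client_id and roles are looked up in authdb and turned into a parameterised WHERE clause, OR'd across the grants that match the user's roles. The table and column names (User, Role, UserRole, Category, client_id), the sample rows, the tenant/sa roles, and the deny-by-default behaviour when no grant matches are all assumptions made for this example, not a statement of ApiLogicServer's schema or defaults.

```python
"""Row-level security driven by a User attribute (client_id).

Added illustration, not ApiLogicServer code: it mimics the effect of a
Grant(filter=lambda: ...) declaration by turning the current user's
authdb attributes into a parameterised WHERE clause.  Table and column
names (User, Role, UserRole, Category, client_id) are assumptions.
"""
import sqlite3
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed schema: authdb tables plus one data table, kept in a single
# in-memory database for brevity (a real project uses a separate bind).
DDL = """
CREATE TABLE User     (id TEXT PRIMARY KEY, client_id INTEGER);
CREATE TABLE Role     (name TEXT PRIMARY KEY);
CREATE TABLE UserRole (user_id TEXT REFERENCES User(id), role_name TEXT REFERENCES Role(name));
CREATE TABLE Category (Id INTEGER PRIMARY KEY, CategoryName TEXT, Client_id INTEGER);
"""

# Constructed sample rows: two tenants plus a super-user with no client_id.
SEED = """
INSERT INTO User VALUES ('u1', 1), ('u2', 2), ('sa', NULL);
INSERT INTO Role VALUES ('tenant'), ('sa');
INSERT INTO UserRole VALUES ('u1', 'tenant'), ('u2', 'tenant'), ('sa', 'sa');
INSERT INTO Category VALUES (1, 'Beverages', 1), (2, 'Condiments', 2), (3, 'Produce', 1);
"""


@dataclass(frozen=True)
class CurrentUser:
    id: str
    client_id: Optional[int]
    roles: frozenset


@dataclass(frozen=True)
class Grant:
    on_entity: str                                       # table the grant applies to
    to_role: str                                         # role it applies to
    filter: Callable[[CurrentUser], Tuple[str, tuple]]   # user -> (where fragment, params)


# Declarations in the spirit of security/declare_security.py: the tenant role sees
# only rows whose Client_id equals the *authenticated* user's client_id; sa sees all.
GRANTS = [
    Grant("Category", "tenant", lambda u: ("Client_id = ?", (u.client_id,))),
    Grant("Category", "sa",     lambda u: ("1 = 1", ())),
]


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL + SEED)
    return conn


def current_user(conn: sqlite3.Connection, user_id: str) -> CurrentUser:
    """Load the user's attributes and roles from authdb (after authentication)."""
    row = conn.execute("SELECT client_id FROM User WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise PermissionError(f"unknown user {user_id!r}")
    roles = {r for (r,) in conn.execute(
        "SELECT role_name FROM UserRole WHERE user_id = ?", (user_id,))}
    return CurrentUser(user_id, row[0], frozenset(roles))


def row_filter(user: CurrentUser, entity: str) -> Tuple[str, tuple]:
    """OR together the filters of every grant matching one of the user's roles.
    With no matching grant this example denies by default (WHERE 0 = 1)."""
    parts, params = [], []
    for g in GRANTS:
        if g.on_entity == entity and g.to_role in user.roles:
            frag, p = g.filter(user)
            parts.append(f"({frag})")
            params.extend(p)
    if not parts:
        return "0 = 1", ()
    return " OR ".join(parts), tuple(params)


def visible_ids(conn: sqlite3.Connection, user_id: str, entity: str) -> list:
    """Ids the named user may read; the filter is derived from authdb, never from the request."""
    user = current_user(conn, user_id)
    where, params = row_filter(user, entity)
    # `entity` comes from a trusted Grant declaration, not from user input.
    sql = f"SELECT Id FROM {entity} WHERE {where} ORDER BY Id"
    return [i for (i,) in conn.execute(sql, params)]


if __name__ == "__main__":
    db = build_demo_db()
    for u in ("u1", "u2", "sa"):
        print(u, visible_ids(db, u, "Category"))
```

Note the edge case a tenant user with a NULL client_id falls into: the predicate `Client_id = NULL` matches nothing, so an incompletely provisioned user sees no rows rather than every row, which is the failure mode you want.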

Pre-created authdb scripts

For example, use this Dockerfile to create a MySQL docker image for your project, including authdb.

After release 08.00.05, those files are created in new projects. For earlier versions, create these files in devops/docker.

 

Pre-created in Docker Samples

A sample security database is pre-created in the MySQL and Postgres Sample Docker Databases.

 

Appendix: Internals

The Security Manager and sqlite Authentication-Provider are built into created projects from the system's prototype project.