I'm using restheart 6, with mongoAclAuthorizer and mongoRealmAuthenticator.
I have no problem managing users or databases, but I'm not understanding how to restrict a user to access only the databases I allow.
I'm reading the documentation (https://restheart.org/docs/security/authorization/) about ACL, but I didn't find what I need. By looking at the examples, it looks like a user with the role "users" would be able to access all databases.
I guess the answer is in the predicate. Let's say I have two users: userA and userB both with the role "user". I want userA to access database1 and userB to access database2.
The way the doc shows it, it looks like something is missing, which I wrote in brackets (I know it doesn't exist; it is only to exemplify): [user=userA] and [user=userB].
role: user
predicate: [user=userA] and path-prefix[path="/database1"] and method[value="GET"]
role: user
predicate: [user=userB] and path-prefix[path="/database2"] and method[value="GET"]
Can anyone help me?
It's easier than it looks. The roles "admin" and "user" are not mandatory. You can create your own roles and use them as needed.
In my case above, I created four new roles: role-database1-rw, role-database1-ro, role-database2-rw and role-database2-ro.
And I've attached userA to the roles role-database1-rw and role-database2-ro, and userB to the roles role-database1-ro and role-database2-rw.
Then, I created the ACLs:
roles: role-database1-rw
predicate: "path-prefix[/database1] and (method[GET] or method[POST] or method[PUT] or method[DELETE])"
roles: role-database1-ro
predicate: "path-prefix[/database1] and method[GET]"
roles: role-database2-rw
predicate: "path-prefix[/database2] and (method[GET] or method[POST] or method[PUT] or method[DELETE])"
roles: role-database2-ro
predicate: "path-prefix[/database2] and method[GET]"
This way, userA can read from database1 and database2 and write on database1, and userB can read from database1 and database2 and write on database2.
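To check what those four ACL entries grant, here is an added Python simulation (my code, not RESTHeart's own predicate engine and not code from the post): it evaluates the answer's predicates against a request path and method and resolves access through the user's roles. It assumes that path-prefix matches only on a path-segment boundary and that a request is allowed when any ACL entry for one of the user's roles matches.

```python
import re

# The ACL entries from the answer above (roles -> predicate).
ACL = [
    {"roles": ["role-database1-rw"],
     "predicate": "path-prefix[/database1] and (method[GET] or method[POST] or method[PUT] or method[DELETE])"},
    {"roles": ["role-database1-ro"], "predicate": "path-prefix[/database1] and method[GET]"},
    {"roles": ["role-database2-rw"],
     "predicate": "path-prefix[/database2] and (method[GET] or method[POST] or method[PUT] or method[DELETE])"},
    {"roles": ["role-database2-ro"], "predicate": "path-prefix[/database2] and method[GET]"},
]

# Constructed role assignments, as described in the answer.
USERS = {
    "userA": ["role-database1-rw", "role-database2-ro"],
    "userB": ["role-database1-ro", "role-database2-rw"],
}

# Only the predicate syntax used on this page is recognised; anything else is rejected.
TOKEN = re.compile(r"path-prefix\[([^\]]+)\]|method\[([A-Z]+)\]|(\band\b|\bor\b|[()])|(\s+)")


def predicate_matches(predicate, path, method):
    """Evaluate a predicate string against one request (simplified semantics, assumed)."""
    parts, pos = [], 0
    for m in TOKEN.finditer(predicate):
        if m.start() != pos:  # unrecognised text between tokens
            raise ValueError(f"unsupported predicate syntax: {predicate[pos:m.start()]!r}")
        pos = m.end()
        if m.group(1) is not None:
            # Assumed: prefix matches whole path segments only, so /database1 does not match /database10.
            prefix = m.group(1).rstrip("/")
            parts.append(str(path == prefix or path.startswith(prefix + "/")))
        elif m.group(2) is not None:
            parts.append(str(method == m.group(2)))
        elif m.group(3) is not None:
            parts.append(m.group(3))
    if pos != len(predicate):
        raise ValueError(f"unsupported predicate syntax: {predicate[pos:]!r}")
    # After tokenising, the expression contains only True/False/and/or/parentheses.
    return bool(eval(" ".join(parts), {"__builtins__": {}}, {}))


def is_allowed(user, path, method):
    """Assumed rule: allowed when any ACL entry for one of the user's roles matches."""
    roles = set(USERS[user])
    return any(predicate_matches(entry["predicate"], path, method)
               for entry in ACL if roles & set(entry["roles"]))


if __name__ == "__main__":
    for user in USERS:
        for path in ("/database1/coll", "/database2/coll", "/database10/coll"):
            print(user, path, {m: is_allowed(user, path, m) for m in ("GET", "POST")})
```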