Adds ACLs to the routes

ai-Ev1lC0rP · Nov 10, 2021 · 3d94a82 · 3d94a82
1 parent bbe6ac9
commit 3d94a82
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 13 deletions.
diff --git a/docker/README.md b/docker/README.md
@@ -1,3 +1,3 @@
 # Supabase Docker
 
-This is a minimal Docker Compose setup for self-hosting Supabase. Follow the steps [here](https://supabase.io/docs/guides/self-hosting) to get started.
+This is a minimal Docker Compose setup for self-hosting Supabase. Follow the steps [here](https://supabase.io/docs/guides/hosting/docker) to get started.
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -13,7 +13,7 @@ services:
       KONG_DECLARATIVE_CONFIG: /var/lib/kong/kong.yml
       # https://github.com/supabase/cli/issues/14
       KONG_DNS_ORDER: LAST,A,CNAME
-      KONG_PLUGINS: request-transformer,cors,key-auth
+      KONG_PLUGINS: request-transformer,cors,key-auth,acl
   auth:
     container_name: supabase-auth
     image: supabase/gotrue:v2.1.8

diff --git a/docker/test.http b/docker/test.http
@@ -0,0 +1,22 @@
+## For use with the VS Code Extension "REST Client"
+## https://marketplace.visualstudio.com/items?itemName=humao.rest-client
+
+### [PostgREST] 401 Unauthorized: No API key found in request
+GET http://localhost:8000/rest/v1/ HTTP/1.1
+Content-Type: application/json
+
+### [PostgREST] 200 OK: anon key for PostgREST
+GET http://localhost:8000/rest/v1/ HTTP/1.1
+Content-Type: application/json
+apikey: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYW5vbiIsImlhdCI6MTYyNzIwODU0MCwiZXhwIjoxOTc0MzYzNzQwfQ.zcaQfHd3VA7XgJmdGfmV86OLVJT9s2MTmSy-e69BpUY
+
+### [postgres-meta] 403 Forbidden: anon key not allowed
+GET http://localhost:8000/pg/tables HTTP/1.1
+content-type: application/json
+apikey: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYW5vbiIsImlhdCI6MTYyNzIwODU0MCwiZXhwIjoxOTc0MzYzNzQwfQ.zcaQfHd3VA7XgJmdGfmV86OLVJT9s2MTmSy-e69BpUY
+
+
+### [postgres-meta] 200 OK: Service key is allowed
+GET http://localhost:8000/pg/tables HTTP/1.1
+content-type: application/json
+apikey: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjI3MjA4NTQwLCJleHAiOjE5NzQzNjM3NDB9.pkT3PNpO4DtO45Ac5HK_TKCx8sGLgNtV__pr_ZrRSAU
diff --git a/docker/volumes/kong.yml b/docker/volumes/kong.yml
@@ -1,5 +1,35 @@
 _format_version: "1.1"
+
+
+###
+### Consumers / Users
+###
+consumers:
+  - username: anon
+    keyauth_credentials:
+      - key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYW5vbiIsImlhdCI6MTYyNzIwODU0MCwiZXhwIjoxOTc0MzYzNzQwfQ.zcaQfHd3VA7XgJmdGfmV86OLVJT9s2MTmSy-e69BpUY
+  - username: service_role
+    keyauth_credentials:
+      - key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjI3MjA4NTQwLCJleHAiOjE5NzQzNjM3NDB9.pkT3PNpO4DtO45Ac5HK_TKCx8sGLgNtV__pr_ZrRSAU
+
+###
+### Access Control List
+###
+acls:
+  - consumer: anon
+    group: anon
+  - consumer: service_role
+    group: admin
+
+
+
+
+###
+### API Routes
+###
 services:
+
+  ## Open Auth routes
   - name: auth-v1-open
     url: http://auth:9999/verify
     routes:
@@ -27,6 +57,8 @@ services:
           - /auth/v1/authorize
     plugins:
       - name: cors
+
+  ## Secure Auth routes
   - name: auth-v1
     _comment: "GoTrue: /auth/v1/* -> http://auth:9999/*"
     url: http://auth:9999/
@@ -38,8 +70,16 @@ services:
     plugins:
       - name: cors
       - name: key-auth
-        config:
+        config: 
           hide_credentials: false
+      - name: acl
+        config: 
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+
+  ## Secure REST routes
   - name: rest-v1
     _comment: "PostgREST: /rest/v1/* -> http://rest:3000/*"
     url: http://rest:3000/
@@ -53,6 +93,14 @@ services:
       - name: key-auth
         config:
           hide_credentials: true
+      - name: acl
+        config: 
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+
+  ## Secure Realtime routes
   - name: realtime-v1
     _comment: "Realtime: /realtime/v1/* -> ws://realtime:4000/socket/*"
     url: http://realtime:4000/socket/
@@ -64,8 +112,16 @@ services:
     plugins:
       - name: cors
       - name: key-auth
-        config:
+        config: 
           hide_credentials: false
+      - name: acl
+        config: 
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+
+  ## Secure Storage routes
   - name: storage-v1
     _comment: "Storage: /storage/v1/* -> http://storage:5000/*"
     url: http://storage:5000/
@@ -76,6 +132,17 @@ services:
           - /storage/v1/
     plugins:
       - name: cors
+      - name: key-auth
+        config: 
+          hide_credentials: false
+      - name: acl
+        config: 
+          hide_groups_header: true
+          allow:
+            - admin
+            - anon
+
+  ## Secure Database routes
   - name: pg-meta
     _comment: "pg-meta: /pg/* -> http://pg-meta:8080/*"
     url: http://pg-meta:8080/
@@ -85,14 +152,11 @@ services:
         paths:
           - /pg/
     plugins:
-      - name: cors
       - name: key-auth
+        config: 
+          hide_credentials: false
+      - name: acl
         config:
-          hide_credentials: true
-consumers:
-  - username: anon
-    keyauth_credentials:
-      - key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoiYW5vbiIsImlhdCI6MTYyNzIwODU0MCwiZXhwIjoxOTc0MzYzNzQwfQ.zcaQfHd3VA7XgJmdGfmV86OLVJT9s2MTmSy-e69BpUY
-  - username: service_role
-    keyauth_credentials:
-      - key: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIiwiaWF0IjoxNjI3MjA4NTQwLCJleHAiOjE5NzQzNjM3NDB9.pkT3PNpO4DtO45Ac5HK_TKCx8sGLgNtV__pr_ZrRSAU
+          hide_groups_header: true 
+          allow:
+            - admin