Row-Level Access How-to
Manage row-level access policies⚓︎
Row-level access control allows administrators to define filters limiting which data rows users can query. See Row-level Access Control for a description of the feature.
This page demonstrates how to create, modify, delete, and verify row policies which implement the row-level access control feature.
Row-level access overview⚓︎
Data administrators define and group sets of filters and associate them to roles.
When receiving a query, the Hydrolix cluster combines all row policies for all roles associated with the querying account.
The query system enforces data access permissions by returning only the rows in the raw Hydrolix partitions that pass the combined filter.
Before you begin⚓︎
Accompanying the instructions on this page are a tiny sample transform and data set for familiarizing yourself with row-level access controls.
Consider also reading Policy design and Combining row policies when working with production-grade systems.
Required permissions⚓︎
The account used to configure row policies requires several permissions.
- Row policy management permissions.
  - `add_rowpolicy`
  - `change_rowpolicy`
  - `view_rowpolicy`
  - `delete_rowpolicy`
  - `add_role_rowpolicy`
  - `remove_role_rowpolicy`
- Role management permissions for role creation.
  - `add_role`
- For using the UI, the following are useful.
  - `view_role`
  - `view_table`
Row policy requirements⚓︎
Each row policy must be uniquely named in a table, must include a valid filter, and refer to an existing role.
Quick links⚓︎
| Action | UI | API |
|---|---|---|
| Create a row policy | create using UI | create using API |
| View a row policy | view using UI | view using API |
| Update a row policy | update using UI | update using API |
| Delete a row policy | delete using UI | delete using API |
Demonstration table⚓︎
The demonstration table for the examples in this how-to is news.requests. The table holds multi-CDN request level data for different sections of a media site. The example row policies install filters to limit access to the Sports section.
Minimal demonstration data and a transform are available. The following table describes the columns, especially those used in filter criteria.
| Column | Type | Description |
|---|---|---|
| section | string | A media section, like Business, Lifestyle, Culture, Sports |
| client_ip | ip | The requester's IPv4 or IPv6 address; perhaps anonymized or truncated |
| client_country_iso_code | string | An ISO-3166-2 country code |
| response_status_code | uint8 | The logged numeric HTTP status code |
| response_bytes_total | uint32 | Number of bytes in the HTTP response payload sent to the client |
The examples below demonstrate row policy management using the above table.
Manage row policies in the UI⚓︎
(Optional) Create role in UI⚓︎
Here, we demonstrate creating an empty role that will serve only as a container for the row policies on the news.requests table.
- In the top right corner of the screen, click the + Add new button.
- Select the Role option in the right sidebar.

- Enter a unique role name, and any description.
- Click Create role.
Create in UI⚓︎
- In the top right corner of the screen, click the + Add new button.
- Select the Row policy option in the right sidebar.
- Select an existing Table to which the new row policy will apply.
- Enter a unique Name for this row policy in this table.
- Enter any valid SQL expression that evaluates to `TRUE` to allow users to see the corresponding rows.
- Use Add Roles to attach the row policy to one or more existing roles.
- Select Restrictive or not. See Combining row policies.
- Click Create row policy.


View in UI⚓︎
- Click Security in the left sidebar.
- Click Row Policies in the top bar.
- Select the Table for the row policies you wish to view.
Update in UI⚓︎
- Click Security in the left sidebar.
- Click Row Policies in the top bar.
- Select the Table holding the row policies.
- Click any text in the desired row or use the vertical ellipsis (⋮) and select the Edit option to open the row policy editor.
- Use the Edit Row Policy page to make changes to the row policy.
- Click Save Changes.


Delete in UI⚓︎
- Click Security in the left sidebar.
- Click Row Policies in the top bar.
- Select the Table for the row policies you wish to view.
- Use the vertical ellipsis (⋮) and select the Delete option on the row policy you wish to remove.
- Click Delete on the confirmation dialog.
Deleting a row policy changes data access rules immediately
Deleting a row policy removes it from roles and changes access rules immediately. This could allow broader or unfiltered table access to accounts formerly constrained by the row policy.
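A pre-delete impact check for the warning above, as an added example (not Hydrolix code). It lists the accounts a row policy applies to and what would still apply to each after the deletion. The function names, the `news_requests_geo` role, the account names and the record shapes are assumptions made for illustration.

```python
# Added example (not Hydrolix code): report which accounts lose coverage when
# one row policy on a table is deleted. All records below are constructed.

def deletion_impact(policies, accounts, doomed_name):
    """Map each affected account to the row policies that would still apply."""
    doomed = next((p for p in policies if p["name"] == doomed_name), None)
    if doomed is None:
        raise KeyError(f"no row policy named {doomed_name}")
    remaining = [p for p in policies if p["name"] != doomed_name]
    impact = {}
    for account, roles in accounts.items():
        roles = set(roles)
        if not roles & set(doomed["roles"]):
            continue                        # the policy never applied here
        kept = sorted(p["name"] for p in remaining if roles & set(p["roles"]))
        impact[account] = {
            "status": "fewer_policies" if kept else "no_policy_left",
            "remaining": kept,
        }
    return impact


def needs_review(impact):
    """Accounts left with no row policy on the table: review before deleting."""
    return sorted(a for a, v in impact.items() if v["status"] == "no_policy_left")


# Row policies on news.requests (role names other than news_requests_sports
# and all account names are hypothetical).
POLICIES = [
    {"name": "section-sports", "roles": ["news_requests_sports"]},
    {"name": "isocode-us-fr", "roles": ["news_requests_geo"]},
]
ACCOUNTS = {
    "svc-sports-dashboard": ["news_requests_sports"],
    "analyst-a": ["news_requests_sports", "news_requests_geo"],
    "analyst-b": ["news_requests_geo"],
}
```

Accounts reported as `no_policy_left` are the ones to check against the intended data access plan before the policy is removed.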
Manage row policies with the API⚓︎
General workflow⚓︎
- Acquire an auth token using Login to Hydrolix. See also acquiring auth tokens.
- Use Create role or choose an existing role to which to assign the row policies.
- Create a row policy with the desired filter, assigned roles, and restrictive setting.
- Wait a few seconds for the row policies to go into effect in the query system.
Login to the API⚓︎
Get the bearer token, which is good for the next 24 hours, to authenticate future API calls. This command assumes you've set the $HDX_HOSTNAME, $HDX_USER and $HDX_PASSWORD environment variables:
```shell
export HDX_TOKEN=$(
  curl -v -X POST -H "Content-Type: application/json" \
    "https://$HDX_HOSTNAME/config/v1/login/" \
    -d "{ \"username\":\"$HDX_USER\", \"password\":\"$HDX_PASSWORD\" }" \
    | jq -r ".auth_token.access_token"
)
```
(Optional) Create role with API⚓︎
Row policies must be associated with an existing role. See Roles and row policies. In this example, we're creating an empty role.
Use the Create role endpoint.
Create with API⚓︎
A new row policy object must contain
- A row policy `name` unique for this table
- A valid `filter`. See Filters and composition
- A list of `roles`. You must supply at least one role and all specified roles must already exist
Use the Create a row policy endpoint.
An error example⚓︎
The Config API returns an HTTP 400 status code for the following row policy.
There are three problems with the following update:
- Row policy named `section-sports` exists
- The `filter` has an unmatched ending parenthesis `)`; it's invalid SQL
- The `roles` list is empty
Any one of these problems would be reason for an HTTP 400.
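The requirements listed under Row policy requirements and the three problems above can be checked on the client before the request is sent. This is an added example, not Hydrolix code: the function names, the sample policy objects and the handling of `''` as an escaped quote are assumptions, and the parenthesis check only approximates the server's SQL validation.

```python
# Added example (not Hydrolix code): client-side pre-flight check of a row
# policy object. The Config API's own validation remains authoritative.

def filter_is_balanced(sql):
    """True if parentheses balance outside single-quoted string literals."""
    depth, in_string, i = 0, False, 0
    while i < len(sql):
        ch = sql[i]
        if in_string:
            if ch == "'" and sql[i + 1:i + 2] == "'":
                i += 1                      # '' is an escaped quote (assumed)
            elif ch == "'":
                in_string = False
        elif ch == "'":
            in_string = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:                   # closer with no matching opener
                return False
        i += 1
    return depth == 0 and not in_string


def preflight(policy, existing_names, existing_roles):
    """Return every problem found, not just the first one."""
    problems = []
    name = policy.get("name") or ""
    if not name:
        problems.append("name is missing")
    elif name in existing_names:
        problems.append(f"row policy named {name} exists")
    flt = policy.get("filter") or ""
    if not flt.strip() or not filter_is_balanced(flt):
        problems.append("filter is empty or has unbalanced parentheses/quotes")
    roles = policy.get("roles") or []
    if not roles:
        problems.append("roles list is empty")
    unknown = sorted(set(roles) - set(existing_roles))
    if unknown:
        problems.append("roles do not exist: " + ", ".join(unknown))
    return problems


# Constructed input reproducing the three problems listed above.
BAD_POLICY = {"name": "section-sports", "filter": "section = 'Sports')", "roles": []}
GOOD_POLICY = {"name": "section-sports-in", "filter": "section IN ('Sports')",
               "roles": ["news_requests_sports"]}
```

Unlike a bare HTTP 400, the returned list names every problem at once, so a rejected policy can be fixed in one pass.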
View with API⚓︎
List all row policies⚓︎
This example shows multiple row policies. Creation of isocode-us-fr isn't demonstrated on this page, but is shown in the output below.
Use the Get row policies endpoint.
Get a single row policy⚓︎
Use the Get a row policy endpoint.
Update with API⚓︎
Change an existing row policy⚓︎
This example switches the filter to use the SQL IN operator. All other fields remain untouched.
Use Partially update a row policy to change an existing row policy.
Replace an existing row policy⚓︎
This example renames the row policy to include the table name to demonstrate replacing an existing policy completely.
Use the Update a row policy endpoint to replace the entire policy.
Delete with API⚓︎
This example removes the row policy created earlier on this page.
Use Delete a row policy to remove a row policy from the system completely.
Upon success, the server returns HTTP status code 204 and no content.
Verification steps⚓︎
Changes to row policies are applied immediately to accounts querying the tables. There is a brief delay as the updated row policies are combined, distributed to the query services, and applied to new incoming queries.
To verify the installed row policies match your intended data access plan, apply the roles to an account and issue queries using that account. A service account is convenient for programmatic verification.
The single row policy associated with the role news_requests_sports allows accounts with that role to see only rows where the section column contains exactly the value Sports. Here's an example of a simple verification step.
Troubleshoot⚓︎
Problem: Expected row policy not in effect⚓︎
If a row policy doesn't seem to affect a user as expected, verify that the role associated with the row policy matches one of the user's roles.
- Locate the row policies for the table, and identify the roles for the row policies.
  - Visit Security > Row Policies in the UI, and select the desired table.
  - Use List tables and Get row policies.
- Examine the roles associated with a user.
  - Visit Security > Users in the UI.
  - Use List users or Get user to see the user's roles.
- Confirm the association of the row policies to a role associated with the user.
Related material⚓︎
Demonstration samples⚓︎
Here is an example transform and several rows of data used in illustrating the row policies feature.
Demonstration transform⚓︎
Demonstration data⚓︎