~egtann/sum

ref: 3ad06d2ce33f600fad1f43c140160a67ade13a55 sum/man/man5/sf.conf.5 -rw-r--r-- 3.8 KiB
3ad06d2c — Evan Tann add sf.conf.5 man page 11 months ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
.Dd $Mdocdate$
.Dt SF.CONF 5
.Os
.Sh NAME
.Nm sf.conf
.Nd sf configuration file
.Sh DESCRIPTION
The
.Xr sf 1
utility applies privileges in your sql database according to rules or
definitions specified in
.Nm .
.Pp
This is an overview of the sections in this manual page:
.Bl -inset
.It Sx RULES
provides rules for allowing and denying access to data.
.It Sx STATEMENTS
provides a complete list of allowed statements in rules.
.It Sx EXAMPLES
provides some example rulesets.
.El
.Pp
The current line can be extended over multiple lines using a backslash
.Pq Sq \e .
Comments can be put at the start of lines in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
.Pp
Macros can be defined that will later by expanded in context.  Macro names must
start with a letter, digit, or underscore and may contain any of those
characters.
Macro names may not be reserved words (for example
.Ic deny ,
.Cm all ,
.Cm any ) .
.Pp
The top-most rule in
.Nm
must be
.Ic deny Cm all .
This will ensure that the same privileges are applied on each run, allowing you
to run
.Xr sf 1
multiple times and get the same behavior on each run.  This requirement is
enforced by
.Xr sf 1 .
.Sh RULES
.Xr sf 1
has the ability to
.Ic deny
and
.Ic allow
users access to data in a SQL server.  Filter rules determine which of these
actions are taken; filter parameters specify the users, databases, tables,
statements and columns to which a rule applies.
.Pp
The rules are applied in sequential order, from first to last.  If a later rule
overrides an earlier rule, the last rule's behavior will apply.
.Pp
Most parameters are optional.  If a parameter is specified, the rule only
applies to that user, database, table, statement, or column.
.Pp
The following actions can be used in the filter:
.Bl -tag -width Ds
.It Cm deny Pq Cm all | Ar user
The access is denied across all databases for the user.
.It Cm allow Pq Cm all | Ar user
The access is allowed across all databases for the user.
.It Cm db Pq Cm any | Cm Ar database
Restrict or allow access to a database.
.It Cm table Pq Cm any | Cm Ar table
Restrict or allow access to a table.
.It Cm statement Pq Cm any | Cm Ar statement
Restrict or allow access to a statement such as
.Cm select ,
.Cm insert , No or
.Cm alter .
.It Cm column Pq Cm any | Ar column
Restrict or allow access to a column.  Removing the column definition from the
rule is equivalent to
.Cm column Cm any .
.Sh STATEMENTS
.Pp
Any of the following statements may be used in rules following the
.Cm statement
directive:
.Bd -literal -offset indent
alter
create
delete
drop
event
execute
file
index
insert
process
proxy
references
reload
select
shutdown
super
trigger
update
usage
.Sh EXAMPLES
In this example, we use macros to store variables and lists which will be
replaced or expanded at runtime.
.Bd -literal -offset indent
read  = { bob jim }
write = _dashboard
crud  = { select insert update delete }

deny all
allow root

allow $read db any table any statement select
deny $read db dashboard table admins statement any \e
	column password
deny $read db dashboard table { password_resets oauth_tokens }
allow $write db any table any statement $crud
.Ed
.Pp
First we
.Cm deny all
to reset privileges in the database, then we selectively allow users to access
it.  The root user is given full privileges, and since it does not have any
deny rules apply to it in the ruleset, it is also given the
.Cm grant option .
.Pp
The users bob and jim will each have access to run select queries across any
database and table, but we specifically deny access to the password column in
the admins table and the entirety of the password_resets and oauth_tokens
tables.  The user _dashboard will have privileges to run select, insert,
update, and delete throughout the database.  We use \e to extend our rule onto
the next line.
.Sh SEE ALSO
.Xr sf 1