FastAPI Row Security 🚣♂️
Row-Level Security (RLS) in SQLAlchemy for PostgreSQL with Row Security Policies:
- Restrict access to specific rows 🔒 minimizing unauthorized data exposure.
- Perfect for Scalability and Multi-Tenancy: keep the data playground organized 🏢, ensuring each tenant plays in their own sandbox.
Warning: Understand that the database superuser bypasses all permission checks, except the right to log in. This is a dangerous privilege and should not be used in combination with RLS.
Installation
Use pip to install from PyPI:
```
pip install fastapi-rowsecurity
```
Basic Usage
In your SQLAlchemy model, create a classmethod named __rls_policies__ that returns a list of Permissive or Restrictive policies:
```python
from sqlalchemy import Column, ForeignKey, Integer, String
from sqlalchemy.orm import declarative_base, relationship

from fastapi_rowsecurity import Permissive, set_rls_policies
from fastapi_rowsecurity.principals import Authenticated, UserOwner

Base = declarative_base()
set_rls_policies(Base)  # <- create all policies


class User(Base):
    # minimal owner model so the ForeignKey and relationship below resolve
    __tablename__ = "users"
    id = Column(Integer, primary_key=True)
    items = relationship("Item", back_populates="owner")


class Item(Base):
    __tablename__ = "items"
    id = Column(Integer, primary_key=True)
    title = Column(String, index=True)
    owner_id = Column(Integer, ForeignKey("users.id"))
    owner = relationship("User", back_populates="items")

    @classmethod
    def __rls_policies__(cls):
        return [
            Permissive(principal=Authenticated, policy="SELECT"),
            Permissive(principal=UserOwner, policy=["INSERT", "UPDATE", "DELETE"]),
        ]
```
The above means that any authenticated user can read all items, but can only insert, update or delete items they own.
- principal: any Boolean expression as a string
- policy: any of ALL / SELECT / INSERT / UPDATE / DELETE
Next, attach the current_user_id (or other runtime parameters that you need) to the user session:
```python
# ... inside your session dependency
def get_session() -> Session:
    # set_config() accepts a bound parameter; interpolating the id into a SET string would be SQL injection if it were ever user-controlled. is_local=false keeps it session-wide, like SET.
    session.execute(text("SELECT set_config('app.current_user_id', :uid, false)"), {"uid": str(current_user_id)})
```
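As an added illustration (not fastapi_rowsecurity's own code), this is the shape of PostgreSQL DDL that a policy list like the one above compiles to, including FORCE ROW LEVEL SECURITY so the policies also apply to the table owner (superusers and roles with BYPASSRLS still bypass them). The Policy class, the two principal expressions and render_policies are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Union

# Constructed principal expressions (assumed, not the library's), evaluated per row.
Authenticated = "current_setting('app.current_user_id', true) IS NOT NULL"
UserOwner = "owner_id = current_setting('app.current_user_id', true)::integer"


@dataclass
class Policy:
    principal: str  # Boolean SQL expression
    policy: Union[str, List[str]]  # ALL / SELECT / INSERT / UPDATE / DELETE
    permissive: bool = True  # PostgreSQL ORs permissive policies, ANDs restrictive ones


def render_policies(table: str, policies: List[Policy]) -> List[str]:
    """Compile a policy list into PostgreSQL DDL statements."""
    ddl = [
        f"ALTER TABLE {table} ENABLE ROW LEVEL SECURITY;",
        # FORCE applies the policies to the table owner as well; superusers
        # and roles with BYPASSRLS still bypass them.
        f"ALTER TABLE {table} FORCE ROW LEVEL SECURITY;",
    ]
    for i, p in enumerate(policies):
        cmds = [p.policy] if isinstance(p.policy, str) else p.policy
        for cmd in cmds:
            cmd = cmd.upper()
            if cmd not in ("ALL", "SELECT", "INSERT", "UPDATE", "DELETE"):
                raise ValueError(f"unknown policy command {cmd!r}")
            kind = "PERMISSIVE" if p.permissive else "RESTRICTIVE"
            # USING filters rows already in the table; WITH CHECK validates rows
            # being written. INSERT has no existing rows, so it gets WITH CHECK only.
            clauses = []
            if cmd != "INSERT":
                clauses.append(f"USING ({p.principal})")
            if cmd in ("ALL", "INSERT", "UPDATE"):
                clauses.append(f"WITH CHECK ({p.principal})")
            ddl.append(
                f"CREATE POLICY {table}_{i}_{cmd.lower()} ON {table} "
                f"AS {kind} FOR {cmd} {' '.join(clauses)};"
            )
    return ddl


# The Item policies from the README, expressed with the assumed Policy class.
ITEM_POLICIES = [
    Policy(Authenticated, "SELECT"),
    Policy(UserOwner, ["INSERT", "UPDATE", "DELETE"]),
]
```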
Find a simple example in the .
Backlog first release
- Change policies when model changes (prio!!)
- Documentation
then ...
- Support for Alembic
- How to deal with BYPASSRLS, such as table owners?
- When an attempt is made to delete an item, no error is raised?
- Python 3.11
Final note
At the moment this module is work-in-progress and therefore experimental. All feedback and ideas are 100% welcome! So feel free to contribute or reach out to me!
Hashes for fastapi-rowsecurity-0.1b1.tar.gz

| Algorithm | Hash digest |
|---|---|
| SHA256 | d9706d4b49cd3a9174ed0943b0b4a0f8c4bfd1476c954f10009c99ab20ffd734 |
| MD5 | b8e6199829330b0bc321ecff7e0486b1 |
| BLAKE2b-256 | 915b2a5d051f21e78662ca0a9151247fbe39fbfd755e8076ff67722e9fdacc1f |

Hashes for fastapi_rowsecurity-0.1b1-py3-none-any.whl

| Algorithm | Hash digest |
|---|---|
| SHA256 | a723b8ca68cbc1bdf455cba66cf440e657b47eeecd10d7cda810ec36cfc58726 |
| MD5 | 390f5669f22af285db826e1e6001bdf2 |
| BLAKE2b-256 | ca89cb4b77ddc691a3601ac36a5b024b7259c8b46c10439afc6ced853a8681f6 |