Rules

Rules can deny or allow access to tables or rewrite the SQL statement by adding a where clause. Rules are not attached to tables but applied to the incoming SQL statement before it actually runs in the database engine.

Incoming statements are matched against the rules in a prioritized order, and if there is a match, the rule will be applied.

A rule is applied to a statement if one or more matches are positive:

username matches the name of the user.
service matches the kind of service used. Always sql.
request matches the type of statement. Can be either select, insert, update or delete.
schema matches the schema of the tables in the statement.
table matches the tables in the statement.
iprange matches the IP address the statement comes from (CIDR block).

Default for all is *, which means that it will match all.

A rule has three outcomes:

It will allow access
It will deny access
It will limit access

A limit rule should always have a filter, which is a where clause.

Rules with lower priority are matched first.

SQL statements with multiple tables (like JOIN, UNION, WITH or sub-queries) can match multiple rules. For a such statement to run all matched rules must either allow or limit.

When using rules, it is a good idea to add a "stop block" rule, so unmatched statements don't go through. A "stop block" rule should have the highest priority of all rules:

{
  "priority": 1000,
  "access": "deny"
}

This stops any statement, which are not allowed or limited in prior matches rules.

Create a new rule

HTTP
CLI

Create a new rule, which will limit the records the user 'joe' can 'delete' from 'my_schema.my_table'
POST https://api.centia.io/api/v4/rules HTTP/1.1
Content-Type: application/json
Authorization: Bearer abc123

{
    "priority": 1,
    "username": "joe",
    "request": "delete",
    "schema": "my_schema",
    "table": "my_table"
    "access": "limit",
    "filter": "user='joe'",
}

Create multiple rules
POST https://api.centia.io/api/v4/rules HTTP/1.1
Content-Type: application/json
Authorization: Bearer abc123

{
    "rules": [
        {
            "priority": 1,
            "username": "joe",
            "request": "delete",
            "schema": "my_schema",
            "table": "my_table"
            "access": "limit",
            "filter": "user='joe'"
        },
        {
            "priority": 1,
            "username": "peter",
            "request": "delete",
            "schema": "my_schema",
            "table": "my_table"
            "access": "limit",
            "filter": "user='peter'"
        }
    ]

}

Create a new rule
centia rule add

Get rules

HTTP
CLI

Get single rules
GET https://api.centia.io/api/v4/rules/1,2 HTTP/1.1
Accept: application/json
Authorization: Bearer abc123

Get all rules
GET https://api.centia.io/api/v4/rules HTTP/1.1
Accept: application/json
Authorization: Bearer abc123

Create a new user
centia rule get

Update a rule

HTTP
CLI

Update single rules
PATCH https://api.centia.io/api/v4/rules/1,2 HTTP/1.1
Content-Type: application/json
Authorization: Bearer abc123

{
    "priority": 2
}

Update a rule
centia rule update 1

Delete a rule

HTTP
CLI

Delete single rules
DELETE https://api.centia.io/api/v4/rules/1,2 HTTP/1.1
Authorization: Bearer abc123

Delete a rule
centia rule drop 1

Create a new rule​

Get rules​

Update a rule​

Delete a rule​

Create a new rule

Get rules

Update a rule

Delete a rule