[ee] feat: datatable permissions via Postgres roles + RLS#9981
Draft
diegoimbert wants to merge 1 commit into
Draft
[ee] feat: datatable permissions via Postgres roles + RLS#9981diegoimbert wants to merge 1 commit into
diegoimbert wants to merge 1 commit into
Conversation
Opt-in, EE-gated permissions for data tables, enforced natively by Postgres roles and row-level security. Non-admin queries connect directly as a per-user login role (tamper-proof against arbitrary user SQL); admins connect as the owner and keep full access. Adds a Permissions modal (Access + Row policies tabs) to the data table settings, get/set/sync endpoints, and enforcement in both the postgresql and DuckDB executors. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Deploying windmill with
|
| Latest commit: |
1d1ffed
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://871f2b6e.windmill.pages.dev |
| Branch Preview URL: | https://datatable-permissions-rls.windmill.pages.dev |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Opt-in, EE-gated permissions for data tables, enforced natively by Postgres roles + row-level security. Off by default (a data table with no config keeps the legacy behavior where every workspace member has full access).
Because data table queries run arbitrary user SQL, identity can't be injected via a session GUC (spoofable) or
SET ROLE(escapable). So a non-admin query connects directly as a per-user login role (wm_u_<hash>, workspace-scoped, HMAC-derived password) —current_useris then authoritative and can't be escalated. Grants + RLS enforce; admins connect as the owner (RLS not forced) and keep full access;CREATEonpublicis revoked from principals so no table escapes policy.Design/security details:
docs/datatable-permissions.md.Changes
windmill-common/workspaces.rs):DataTablePermissions/Grant/Policy/Principal, deterministic role-name + password derivation,get_datatable_resource_from_db_checked(enforcement entrypoint). Permissions are owned by dedicated endpoints, preserved acrossedit_datatable_config.datatable_permissions_ee.rs, companion PR): reconcile creates/updates roles, group memberships, grants and RLS policies from config and revokes anything no longer present (declarative, fail-closed) via_wm_principals/_wm_policiesregistries;resolve_datatable_accessroutes admins→owner, members→principal, no-access→denied. OSS stub + module switch (pipeline_advancedpattern).pg_executorandduckdb_executor(ATTACH 'datatable://…'), keyed on the job'spermissioned_as_email.get/set/sync_datatable_permissions(admin-gated) + OpenAPI.DataTablePermissionsButton.sveltein the data table settings row — Access + Row-policies tabs,$enterpriseLicense/eeOnlygating.docs/datatable-permissions.md.Security review
An adversarial review found and this PR fixes: DuckDB
ATTACHbypassing enforcement (now checked);wm_email()returning the definer underSECURITY DEFINER(nowsession_user, so row policies actually work); reconcile being additive-only (now revokes removed/downgraded access). Remaining known limitations (agent-worker + trigger paths resolve unchecked; resource-datatable provisioning is best-effort) are documented.Screenshots
Test plan
--features enterprise,privateand a valid license; enable permissions on an instance data table.postgresqljob as that user sees only granted tables and an admin sees all.owner = wm_email(); confirm row filtering for the principal and full visibility for the admin.ATTACH 'datatable://main'script — same enforcement.🤖 Generated with Claude Code
EE companion PR: windmill-labs/windmill-ee-private#650