Skip to content

Latest commit

 

History

History
342 lines (235 loc) · 15.3 KB

README.md

File metadata and controls

342 lines (235 loc) · 15.3 KB

RethinkDB Proxy

Build Status npm version

Reverse proxy for RethinkDB

Make your RethinkDB publicly accessible through limiting what kind of queries can be executed on your RethinkDB database.

Currently, RethinkDB has no access control (although they're currently working on it). Anyone with access to a running instance has access to everything, including system tables. This is a simple solution to that problem that allows for limited access to RethinkDB.

Introduction by Example

First, start the proxy.

$ rethinkdb-proxy --port 8125

Using the proxy, getting all users in the users table is allowed.

r.connect({ port: 8125 }).then((conn) => {
  r.table('users').coerceTo('array').run(conn)
    .then((results) => {
      // We have some results!
      console.log(results); // [{ name: 'jorge' }, ... ]
    });
});

But deleting the users is not:

import rethinkDBProxy from 'rethinkdb-proxy';
rethinkDBProxy({ port: 8125 });

r.connect({ port: 8125 }).then((conn) => {
  r.table('users').delete('array').run(conn)
    .catch((err) => {
      // We get an error!
      console.log(err); // RqlClientError: Cannot execute query. "DELETE" query not allowed
    });
});

Try it!

You can try out rethinkdb-proxy by connecting to a publicly available proxy at rethinkdb-proxy.thejsj.com:8125. This database (named test) has two tables: countries and cities. You can run queries against it to see how rethindkb-proxy works.

JavasScript:

import r from 'rethinkdb';
r.connect({ host: 'rethinkdb-proxy.thejsj.com', port: 8125 })
 .then(function (conn) {
   r.table('countries').coerceTo('array').run(conn);
 });

Python:

import rethinkdb as r
conn = r.connect(host="rethinkdb-proxy.thejsj.com", port=8125)
r.table('countries').coerce_to('array').run(conn)

Installation

Install rethinkdb-proxy through npm.

npm install -g rehtinkdb-proxy

Running rethinkdb-proxy

CLI

rethinkdb-proxy comes with a CLI out-of-the box:

rethinkdb-proxy --port 8125 

Module

You can also import rethinkdb-proxy into Node.js:

import rethinkDBProxy from 'rethinkdb-proxy';
rethinkDBProxy({ port: 8125, allowInsert: true });

Options

Port

Module Parameter CLI Parameter Default API Reference
port --port 8125

Port in which to listen for driver connections. You should point your driver to this port.

RethinkDB Host

Module Parameter CLI Parameter Default API Reference
rdbHost --rdb-host localhost connect

Host in which RethinkDB is running.

RethinkDB Port

Module Parameter CLI Parameter Default API Reference
rdbPort --rdb-host localhost connect

Host in which RethinkDB is running.

Databases

Module Parameter CLI Parameter Default API Reference
dbs --dbs [ ]

Database to allow access to. By default, all database are allowed except rethinkdb.

Allow System Database Access

Module Parameter CLI Parameter Default API Reference
allowSysDbAccess --allow-sys-db-access false

Allow access to the rethinkdb database. This is not allowed by default because access to this database allows the user to delete all other data, cancel jobs, mess with the cluster, etc.

Tables

Module Parameter CLI Parameter Default API Reference
tables --tables [ ]

Tables to allow access to. Tables must include their database db.table.

Allow Writes

Module Parameter CLI Parameter Default API Reference
allowWrites --allow-writes false

Allow all operations that write to the database (insert, update, delete).

Allow insert

Module Parameter CLI Parameter Default API Reference
allowInsert --allow-insert false insert

Allow insert queries.

Allow update

Module Parameter CLI Parameter Default API Reference
allowUpdate --allow-update false update

Allow update queries.

Allow delete

Module Parameter CLI Parameter Default API Reference
allowDelete --allow-delete false delete

Allow delete queries.

Allow replace

Module Parameter CLI Parameter Default API Reference
allowReplace --allow-replace false replace

Allow replace queries.

Allow dbCreate

Module Parameter CLI Parameter Default API Reference
allowDbCreate --allow-db-create false dbCreate

Allow dbCreate queries

Allow dbDrop

Module Parameter CLI Parameter Default API Reference
allowDbDrop --allow-db-drop false dbDrop

Allow dbDrop queries

Allow tableCreate

Module Parameter CLI Parameter Default API Reference
allowTableCreate --allow-table-create false tableCreate

Allow tableCreate queries.

Allow tableDrop

Module Parameter CLI Parameter Default API Reference
allowTableDrop --allow-table-drop false tableDrop

Allow tableDrop queries.

Allow Indexes

Module Parameter CLI Parameter Default API Reference
allowIndexes --allow-indexes false

Allow all operations on indexes (indexCreate, indexDrop, indexRename).

Allow indexCreate

Module Parameter CLI Parameter Default API Reference
allowIndexCreate --allow-index-create false indexCreate

Allow indexCreate queries.

Allow indexDrop

Module Parameter CLI Parameter Default API Reference
allowIndexDrop --allow-index-drop false indexDrop

Allow indexDrop queries.

Allow indexRename

Module Parameter CLI Parameter Default API Reference
allowIndexRename --allow-index-rename false indexRename

Allow indexRename queries.

Allow reconfigure

Module Parameter CLI Parameter Default API Reference
allowReconfigure --allow-reconfigure false reconfigure

Allow reconfigure queries.

Allow rebalance

Module Parameter CLI Parameter Default API Reference
allowRebalance --allow-rebalance false rebalance

Allow rebalance queries.

Allow http

Module Parameter CLI Parameter Default API Reference
allowHttp --allow-http false http

Allow queries with the http term.

Allow js

Module Parameter CLI Parameter Default API Reference
allowJavascript --allow-javascript false js

Allow queries with the js term.

The Future

As of right now, there are many features that could be added to rethinkdb-proxy. If you have any suggestions, please submit an issue. If enough people use this, I'd be happy to implement them. Features for the future might include:

  • Access from the front-end, Firebase style (through http and/or websockets)
  • Authentication/User accounts (perhaps integration with Github/OAuth)
  • More robust access control (permissions per database, per table)
  • Options stored in the database

License

Copyright (c) 2015, Jorge Silva.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.