Separate QuantEngine database deployment
@@ -9,7 +9,7 @@ This document outlines the security configuration, role definitions, and access
|
||||
The Quant Investment Engine operates strictly within the `quantengine` schema to prevent namespace pollution and protect system catalog tables.
|
||||
|
||||
* **Schema**: `quantengine`
|
||||
* **Default Database**: `giteadb`
|
||||
* **Default Database**: `quantenginedb`
|
||||
|
||||
---
|
||||
|
||||
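Review bot: The `Default Database` line now names `quantenginedb`, but none of the visible hunks add a step that creates that database or says which role owns it, so a reader following the document top to bottom reaches the GRANT statements with no database to apply them to. Suggest adding the creation step (and its owner) next to this bullet, plus a short note on moving an existing `quantengine` schema out of `giteadb` for instances that were set up from the previous version.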
@@ -22,7 +22,7 @@ To ensure the principle of least privilege, we define three main database roles:
|
||||
* **Permissions**:
|
||||
```sql
|
||||
CREATE ROLE quantengine_owner WITH LOGIN PASSWORD 'OwnerPasswordSecure';
|
||||
GRANT ALL PRIVILEGES ON DATABASE giteadb TO quantengine_owner;
|
||||
GRANT ALL PRIVILEGES ON DATABASE quantenginedb TO quantengine_owner;
|
||||
GRANT ALL PRIVILEGES ON SCHEMA quantengine TO quantengine_owner;
|
||||
ALTER DEFAULT PRIVILEGES IN SCHEMA quantengine GRANT ALL ON TABLES TO quantengine_owner;
|
||||
```
|
||||
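Review bot: On the `GRANT ALL PRIVILEGES ON DATABASE quantenginedb TO quantengine_owner;` line, a newly created PostgreSQL database still grants CONNECT and TEMPORARY to PUBLIC by default, so the dedicated database is not limited to the roles this document defines unless that default is removed. Suggest adding `REVOKE ALL ON DATABASE quantenginedb FROM PUBLIC;` ahead of the grant so the per-role CONNECT grants in the following sections are what actually decides who can connect.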
@@ -32,7 +32,7 @@ To ensure the principle of least privilege, we define three main database roles:
|
||||
* **Permissions**:
|
||||
```sql
|
||||
CREATE ROLE quantengine_app WITH LOGIN PASSWORD 'AppPasswordSecure';
|
||||
GRANT CONNECT ON DATABASE giteadb TO quantengine_app;
|
||||
GRANT CONNECT ON DATABASE quantenginedb TO quantengine_app;
|
||||
GRANT USAGE ON SCHEMA quantengine TO quantengine_app;
|
||||
|
||||
-- Grant CRUD permissions on tables & sequences
|
||||
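Review bot: The `GRANT CONNECT ON DATABASE quantenginedb TO quantengine_app;` line has no counterpart that withdraws the old grant, so on an instance provisioned from the previous version of this document `quantengine_app` keeps its explicit CONNECT grant on `giteadb` after the move. Suggest documenting `REVOKE CONNECT ON DATABASE giteadb FROM quantengine_app;` as a migration step; the same applies to the owner and read-only roles.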
@@ -48,7 +48,7 @@ To ensure the principle of least privilege, we define three main database roles:
|
||||
* **Permissions**:
|
||||
```sql
|
||||
CREATE ROLE quantengine_readonly WITH LOGIN PASSWORD 'ReadonlyPasswordSecure';
|
||||
GRANT CONNECT ON DATABASE giteadb TO quantengine_readonly;
|
||||
GRANT CONNECT ON DATABASE quantenginedb TO quantengine_readonly;
|
||||
GRANT USAGE ON SCHEMA quantengine TO quantengine_readonly;
|
||||
|
||||
GRANT SELECT ON ALL TABLES IN SCHEMA quantengine TO quantengine_readonly;
|
||||
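Review bot: The `CREATE ROLE quantengine_readonly WITH LOGIN PASSWORD 'ReadonlyPasswordSecure';` context line at the top of this block still carries a literal password that reads as usable and will be pasted as-is, which sits badly with the document's own rule about plaintext passwords. Since the block is being edited anyway, suggest replacing the literal with an obvious placeholder such as `'<set-at-deploy>'` in all three CREATE ROLE statements and stating that the value is supplied at provisioning time.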
@@ -63,7 +63,7 @@ To ensure the principle of least privilege, we define three main database roles:
|
||||
* Never store connection strings with plaintext passwords in version control.
|
||||
* `appsettings.json` must only contain placeholder configurations.
|
||||
* Inject the connection string at runtime using environment variables:
|
||||
`ConnectionStrings__DefaultConnection="Host=127.0.0.1;Database=giteadb;Username=quantengine_app;Password=YourSecurePassword;Search Path=quantengine;"`
|
||||
`ConnectionStrings__DefaultConnection="Host=127.0.0.1;Database=quantenginedb;Username=quantengine_app;Password=YourSecurePassword;Search Path=quantengine;"`
|
||||
|
||||
2. **Network Security**:
|
||||
* Bind PostgreSQL only to local interfaces (`127.0.0.1`) or secure private network interfaces.
|
||||
|
||||
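Review bot: The updated `ConnectionStrings__DefaultConnection` example sets no TLS option, while the Network Security bullet below it allows binding PostgreSQL to private network interfaces as well as `127.0.0.1`. Suggest either stating that the example is for loopback only or adding `SSL Mode=Require;` to it, so a deployment that changes `Host` does not send the `quantengine_app` password in cleartext. Also worth noting here that already-deployed environments must update this variable, since the old value still points at `giteadb`.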