PostgreSQL Security Guide for QuantEngine
This document outlines the security configuration, role definitions, and access control policies for the quantengine schema in the PostgreSQL database.
1. Schema Isolation
The Quant Investment Engine operates strictly within the quantengine schema to prevent namespace pollution and protect system catalog tables.
- Schema: quantengine
- Default Database: quantenginedb
2. Role Definitions & Privileges
To ensure the principle of least privilege, we define three main database roles:
A. Schema Owner (quantengine_owner)
- Purpose: Full access to schema objects, responsible for executing DDL (migrations, table creation).
- Permissions:

```sql
-- Migration/DDL role; the password literal is a placeholder, not a real secret
CREATE ROLE quantengine_owner WITH LOGIN PASSWORD 'OwnerPasswordSecure';
GRANT ALL PRIVILEGES ON DATABASE quantenginedb TO quantengine_owner;
GRANT ALL PRIVILEGES ON SCHEMA quantengine TO quantengine_owner;
-- Without FOR ROLE this only covers tables created by the role that runs the
-- statement; add FOR ROLE <creator> if migrations run under a different role
ALTER DEFAULT PRIVILEGES IN SCHEMA quantengine GRANT ALL ON TABLES TO quantengine_owner;
```
B. Read-Write Application Role (quantengine_app)
- Purpose: Used by the live .NET application to insert daily data feeds, update portfolio states, and insert qualitative sell strategy results.
- Permissions:

```sql
CREATE ROLE quantengine_app WITH LOGIN PASSWORD 'AppPasswordSecure';
GRANT CONNECT ON DATABASE quantenginedb TO quantengine_app;
-- USAGE only (no CREATE), so the role cannot create objects in the schema
GRANT USAGE ON SCHEMA quantengine TO quantengine_app;
-- Grant CRUD permissions on the tables & sequences that exist today
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA quantengine TO quantengine_app;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA quantengine TO quantengine_app;
-- Extend the same DML-only grants (no DDL) to tables and sequences created
-- later; run as the migration role or add FOR ROLE quantengine_owner
ALTER DEFAULT PRIVILEGES IN SCHEMA quantengine GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO quantengine_app;
ALTER DEFAULT PRIVILEGES IN SCHEMA quantengine GRANT USAGE, SELECT ON SEQUENCES TO quantengine_app;
```
C. Read-Only Analytical Role (quantengine_readonly)
- Purpose: Used by external reporting tools, dashboards, or manual audit scripts.
- Permissions:

```sql
CREATE ROLE quantengine_readonly WITH LOGIN PASSWORD 'ReadonlyPasswordSecure';
GRANT CONNECT ON DATABASE quantenginedb TO quantengine_readonly;
GRANT USAGE ON SCHEMA quantengine TO quantengine_readonly;
-- SELECT on existing tables only; no INSERT/UPDATE/DELETE and no DDL
GRANT SELECT ON ALL TABLES IN SCHEMA quantengine TO quantengine_readonly;
-- Same read-only grant for tables created later by the migration role
ALTER DEFAULT PRIVILEGES IN SCHEMA quantengine GRANT SELECT ON TABLES TO quantengine_readonly;
```
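The grants above describe the intended privilege split, but `GRANT ... ON ALL TABLES` only touches objects that exist at that moment and default privileges depend on which role created later tables. The following audit query is an added example, not part of the original guide; it assumes the three roles and the `quantengine` schema exist and is run by a superuser or the schema owner. Any row with `violation = true` means a role holds more, or less, than section 2 intends.

```sql
-- Expected privilege matrix for the three roles defined in section 2.
WITH expected(rolname, can_create_in_schema, can_insert, can_select) AS (
  VALUES ('quantengine_owner',    true,  true,  true),
         ('quantengine_app',      false, true,  true),
         ('quantengine_readonly', false, false, true)
),
tables AS (
  -- %I quotes identifiers so has_table_privilege() parses them correctly
  SELECT format('%I.%I', schemaname, tablename) AS relname
  FROM pg_tables
  WHERE schemaname = 'quantengine'
)
SELECT e.rolname,
       t.relname,
       has_schema_privilege(e.rolname, 'quantengine', 'CREATE') AS has_create,
       has_table_privilege(e.rolname, t.relname, 'INSERT')      AS has_insert,
       has_table_privilege(e.rolname, t.relname, 'SELECT')      AS has_select,
       -- true when the live ACL differs from the matrix in any column
       (   has_schema_privilege(e.rolname, 'quantengine', 'CREATE') <> e.can_create_in_schema
        OR has_table_privilege(e.rolname, t.relname, 'INSERT')      <> e.can_insert
        OR has_table_privilege(e.rolname, t.relname, 'SELECT')      <> e.can_select
       ) AS violation
FROM expected e
CROSS JOIN tables t
ORDER BY violation DESC, e.rolname, t.relname;

-- Default ACLs recorded by ALTER DEFAULT PRIVILEGES. Tables/sequences created
-- later by granting_role receive these grants; an empty result means objects
-- created by a future migration will NOT be reachable by the app or
-- read-only role until someone re-runs the GRANT statements by hand.
SELECT pg_get_userbyid(d.defaclrole) AS granting_role,
       d.defaclobjtype               AS objtype,   -- 'r' = tables, 'S' = sequences
       d.defaclacl                   AS default_acl
FROM pg_default_acl d
JOIN pg_namespace n ON n.oid = d.defaclnamespace
WHERE n.nspname = 'quantengine';
```

The first query returns no rows while the schema is still empty; the second is the one to check right after the roles are created.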
3. Configuration Best Practices
- Connection String Hygiene:
  - Never store connection strings with plaintext passwords in version control. appsettings.json must only contain placeholder configurations.
  - Inject the connection string at runtime using environment variables:

```
ConnectionStrings__DefaultConnection="Host=127.0.0.1;Database=quantenginedb;Username=quantengine_app;Password=YourSecurePassword;Search Path=quantengine;"
```

- Network Security:
  - Bind PostgreSQL only to local interfaces (127.0.0.1) or secure private network interfaces.
  - Restrict access in pg_hba.conf to allow connections only from the Gitea runner or application host.