# PostgreSQL Security Guide for QuantEngine
This document outlines the security configuration, role definitions, and access control policies for the `quantengine` schema in the PostgreSQL database.
---
## 1. Schema Isolation
The Quant Investment Engine keeps all of its objects in the dedicated `quantengine` schema rather than in `public`. This avoids name collisions with anything else living in the database and lets every privilege in this guide be granted at schema scope, so a role's reach ends at the schema boundary.
* **Schema**: `quantengine`
* **Default Database**: `quantenginedb`
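Declaring a dedicated schema is only half of the isolation: a freshly created database still lets every role connect and create temporary tables, and before PostgreSQL 15 every role can also create objects in `public`. The bootstrap below is an added example, not the project's own script. It assumes the `quantengine_owner` role from section 2 already exists and that it is run as a superuser (or the database owner).

```sql
-- Added example, not part of the original guide.
CREATE DATABASE quantenginedb;

-- PUBLIC implicitly holds CONNECT and TEMPORARY on every new database. Revoke
-- them so that the explicit GRANT CONNECT statements in section 2 actually
-- decide who may connect.
REVOKE ALL ON DATABASE quantenginedb FROM PUBLIC;

-- Connect to quantenginedb before running the rest.

-- Before PostgreSQL 15, PUBLIC can CREATE in the public schema; close that too,
-- so the only place anything can be created is the schema owned below.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Create the engine's schema owned by the migration role. DDL rights then come
-- from ownership rather than from broad GRANT ALL statements.
CREATE SCHEMA quantengine AUTHORIZATION quantengine_owner;
```

After this, a role that is not named in section 2 cannot connect to `quantenginedb` at all, and `quantengine_app` and `quantengine_readonly` can reach only what is granted to them inside `quantengine`.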
---
## 2. Role Definitions & Privileges
To apply the principle of least privilege, we define three database roles. The `CREATE ROLE ... PASSWORD '...'` statements below use placeholder passwords: the real ones must never be committed, and because a plaintext password inside a SQL statement can end up in the server log and in the client's command history, set it out of band (for example with psql's `\password`) rather than inline.
### A. Schema Owner (`quantengine_owner`)

* **Purpose**: Owns the schema and every object in it; the only role that runs DDL (migrations, table creation). It is never used as the application's runtime identity.

* **Permissions**:

```sql
CREATE ROLE quantengine_owner WITH LOGIN PASSWORD 'OwnerPasswordSecure';

-- CONNECT and TEMPORARY are sufficient; CREATE on the database (which would
-- allow creating new schemas) is not needed for migrations inside quantengine.
GRANT CONNECT, TEMPORARY ON DATABASE quantenginedb TO quantengine_owner;

-- Ownership, not GRANT ALL on the schema, is what permits DDL inside it.
-- If the schema does not exist yet, use
--   CREATE SCHEMA quantengine AUTHORIZATION quantengine_owner;
-- instead of the ALTER below.
ALTER SCHEMA quantengine OWNER TO quantengine_owner;

-- The owner automatically holds all privileges on tables it creates, so no
-- default-privilege grant to itself is required. Default privileges for the
-- other roles must be declared FOR ROLE quantengine_owner, otherwise they do
-- not apply to tables created by migrations.
```
### B. Read-Write Application Role (`quantengine_app`)

* **Purpose**: Used by the live .NET application to insert daily data feeds, update portfolio states, and record qualitative sell strategy results. It never runs DDL.

* **Permissions**:

```sql
CREATE ROLE quantengine_app WITH LOGIN PASSWORD 'AppPasswordSecure';
GRANT CONNECT ON DATABASE quantenginedb TO quantengine_app;

-- USAGE only: without CREATE on the schema (and without ownership) the role
-- cannot run DDL, which is what restricts it to data changes.
GRANT USAGE ON SCHEMA quantengine TO quantengine_app;

-- CRUD on tables and sequences that already exist
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA quantengine TO quantengine_app;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA quantengine TO quantengine_app;

-- Tables and sequences created later by migrations. Default privileges apply
-- only to objects created by the role named in FOR ROLE (without it, only to
-- objects created by whoever runs this statement), so the migration role is
-- named explicitly. Running this requires membership in quantengine_owner
-- or superuser rights.
ALTER DEFAULT PRIVILEGES FOR ROLE quantengine_owner IN SCHEMA quantengine
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO quantengine_app;
ALTER DEFAULT PRIVILEGES FOR ROLE quantengine_owner IN SCHEMA quantengine
    GRANT USAGE, SELECT ON SEQUENCES TO quantengine_app;
```
### C. Read-Only Analytical Role (`quantengine_readonly`)

* **Purpose**: Used by external reporting tools, dashboards, and manual audit scripts. Nothing holding these credentials should be able to change data.

* **Permissions**:

```sql
CREATE ROLE quantengine_readonly WITH LOGIN PASSWORD 'ReadonlyPasswordSecure';
GRANT CONNECT ON DATABASE quantenginedb TO quantengine_readonly;
GRANT USAGE ON SCHEMA quantengine TO quantengine_readonly;

-- Existing tables
GRANT SELECT ON ALL TABLES IN SCHEMA quantengine TO quantengine_readonly;

-- Tables created later by migrations. FOR ROLE names the role that will create
-- them; without it the default privileges would only cover objects created by
-- whoever runs this statement.
ALTER DEFAULT PRIVILEGES FOR ROLE quantengine_owner IN SCHEMA quantengine
    GRANT SELECT ON TABLES TO quantengine_readonly;

-- Belt and braces: every session of this role starts read-only, so a stray
-- write fails even if a grant is later widened by mistake.
ALTER ROLE quantengine_readonly SET default_transaction_read_only = on;
```
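The grants above are easy to get subtly wrong: an `ALTER DEFAULT PRIVILEGES` run without `FOR ROLE`, or as the wrong role, succeeds silently and grants nothing on the tables migrations later create. The check below is an added example, not part of the original guide. It assumes the default privileges were declared `FOR ROLE quantengine_owner`, creates a hypothetical table `quantengine.positions` as the owner so that the default privileges fire, and then asks PostgreSQL what each role can actually do. Run it as a superuser or as a member of `quantengine_owner`; it is safe to repeat after every migration.

```sql
-- Added check, not part of the original guide. The positions table is
-- hypothetical and exists only to exercise the default privileges.
SET ROLE quantengine_owner;
CREATE TABLE IF NOT EXISTS quantengine.positions (
    id     bigserial PRIMARY KEY,   -- bigserial creates quantengine.positions_id_seq
    symbol text      NOT NULL,
    qty    numeric   NOT NULL
);
RESET ROLE;

-- One row per role: can it create objects in the schema, and what can it do
-- to a table (and its sequence) it did not create?
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'quantengine', 'CREATE')                      AS can_create,
       has_table_privilege(r.rolname, 'quantengine.positions', 'SELECT')            AS can_select,
       has_table_privilege(r.rolname, 'quantengine.positions', 'INSERT')            AS can_insert,
       has_table_privilege(r.rolname, 'quantengine.positions', 'DELETE')            AS can_delete,
       has_sequence_privilege(r.rolname, 'quantengine.positions_id_seq', 'USAGE')   AS can_use_seq
FROM pg_roles r
WHERE r.rolname IN ('quantengine_owner', 'quantengine_app', 'quantengine_readonly')
ORDER BY r.rolname;

-- Remove the hypothetical table again.
SET ROLE quantengine_owner;
DROP TABLE quantengine.positions;
RESET ROLE;
```

The policy in this guide is satisfied when `quantengine_app` shows `f` for `can_create` and `t` for everything else, `quantengine_readonly` shows `t` only for `can_select`, and `quantengine_owner` shows `t` throughout. A `f` in `can_select` or `can_insert` for the app role is the classic symptom of default privileges having been set for the wrong creating role.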
---
## 3. Configuration Best Practices
1. **Connection String Hygiene**:

   * Never commit connection strings that contain real passwords to version control.

   * `appsettings.json` must contain only placeholder values; the real string is injected at runtime through the environment. .NET maps a double underscore in an environment variable name to the configuration separator `:`, so the variable below populates `ConnectionStrings:DefaultConnection`:

     `ConnectionStrings__DefaultConnection="Host=127.0.0.1;Database=quantenginedb;Username=quantengine_app;Password=YourSecurePassword;Search Path=quantengine;"`

   * The application connects as `quantengine_app`, never as `quantengine_owner`; the owner credentials are used only by the migration job.

   * `Search Path=quantengine` makes unqualified table names resolve inside the engine's schema. Migrations should still schema-qualify names, so a wrong search path fails loudly rather than silently touching another schema.

   * If the database is not on the same host as the application, require TLS on the client side as well (Npgsql's SSL Mode setting) instead of relying on the server's `pg_hba.conf` alone.

2. **Network Security**:

   * Bind PostgreSQL only to local interfaces (`127.0.0.1`) or a private network interface via `listen_addresses` in `postgresql.conf`; the default of `localhost` is already correct for a single-host deployment.

   * In `pg_hba.conf`, allow connections only from the Gitea runner (migrations as `quantengine_owner`) and the application host (as `quantengine_app`). Scope each entry to database, role and source address, use `hostssl` for anything that is not loopback, and authenticate with `scram-sha-256` rather than `md5` or `trust`.

   * On servers older than PostgreSQL 14, set `password_encryption = scram-sha-256` before creating the roles in section 2; on those versions the default was `md5`, and the hash format is fixed when the password is stored.