QuantEngineByItz/docs/POSTGRESQL_SECURITY_GUIDE.md
kjh2064 6ed3de2749 Separate QuantEngine database deployment (2026-07-01 13:55:03 +09:00)

PostgreSQL Security Guide for QuantEngine

This document outlines the security configuration, role definitions, and access control policies for the quantengine schema in the PostgreSQL database.


1. Schema Isolation

The Quant Investment Engine operates strictly within the quantengine schema to prevent namespace pollution and protect system catalog tables.

  • Schema: quantengine
  • Default Database: quantenginedb

2. Role Definitions & Privileges

To apply the principle of least privilege, three database roles are defined, each with only the rights its job requires:

A. Schema Owner (quantengine_owner)

  • Purpose: Full access to schema objects, responsible for executing DDL (migrations, table creation).
  • Permissions:
    -- Placeholder password; supply the real secret out of band (see section 3).
    CREATE ROLE quantengine_owner WITH LOGIN PASSWORD 'OwnerPasswordSecure';
    GRANT ALL PRIVILEGES ON DATABASE quantenginedb TO quantengine_owner;
    -- ALL on a schema means USAGE + CREATE, so this role (and only this role) can run DDL.
    GRANT ALL PRIVILEGES ON SCHEMA quantengine TO quantengine_owner;
    -- Only relevant if some other role (e.g. a superuser) creates tables in the schema;
    -- objects the owner creates itself already carry full rights for the owner.
    ALTER DEFAULT PRIVILEGES IN SCHEMA quantengine GRANT ALL ON TABLES TO quantengine_owner;


B. Read-Write Application Role (quantengine_app)

  • Purpose: Used by the live .NET application to insert daily data feeds, update portfolio states, and insert qualitative sell strategy results.
  • Permissions:
    -- Placeholder password; supply the real secret out of band (see section 3).
    CREATE ROLE quantengine_app WITH LOGIN PASSWORD 'AppPasswordSecure';
    GRANT CONNECT ON DATABASE quantenginedb TO quantengine_app;
    -- USAGE only: without CREATE on the schema the role cannot run DDL.
    GRANT USAGE ON SCHEMA quantengine TO quantengine_app;

    -- Grant CRUD permissions on the tables & sequences that exist today
    GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA quantengine TO quantengine_app;
    GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA quantengine TO quantengine_app;

    -- Extend the same DML grants (still no DDL) to tables and sequences created later.
    -- Default privileges only cover objects created by the role they are registered for,
    -- so they must be set FOR ROLE quantengine_owner, the role that runs migrations.
    ALTER DEFAULT PRIVILEGES FOR ROLE quantengine_owner IN SCHEMA quantengine GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO quantengine_app;
    ALTER DEFAULT PRIVILEGES FOR ROLE quantengine_owner IN SCHEMA quantengine GRANT USAGE, SELECT ON SEQUENCES TO quantengine_app;


C. Read-Only Analytical Role (quantengine_readonly)

  • Purpose: Used by external reporting tools, dashboards, or manual audit scripts.
  • Permissions:
    -- Placeholder password; supply the real secret out of band (see section 3).
    CREATE ROLE quantengine_readonly WITH LOGIN PASSWORD 'ReadonlyPasswordSecure';
    GRANT CONNECT ON DATABASE quantenginedb TO quantengine_readonly;
    GRANT USAGE ON SCHEMA quantengine TO quantengine_readonly;

    -- SELECT on everything that exists today (views included), nothing else
    GRANT SELECT ON ALL TABLES IN SCHEMA quantengine TO quantengine_readonly;
    -- ...and on tables the owner creates in future migrations
    ALTER DEFAULT PRIVILEGES FOR ROLE quantengine_owner IN SCHEMA quantengine GRANT SELECT ON TABLES TO quantengine_readonly;
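
The following verification script is an added example, not part of the original guide or the QuantEngine repository. It checks, after the three role blocks above have been applied, that the privileges actually in the catalog match the intent of sections 2.A to 2.C. It assumes the database, schema and role names used in sections 1 and 2, that every object in the schema is owned by quantengine_owner, and that it is run as a superuser (the SET ROLE check needs membership in quantengine_app). The REVOKE at the top is a hardening step added here, not something the guide states.

```sql
-- Added verification / hardening script (not part of the original guide).
-- Run as a superuser after the CREATE ROLE / GRANT blocks in section 2.

-- 0. PostgreSQL grants CONNECT on every new database to PUBLIC, so the explicit
--    GRANT CONNECT statements above only restrict anything once that default is
--    revoked. (Added here; the guide does not include this step.)
REVOKE CONNECT ON DATABASE quantenginedb FROM PUBLIC;

-- 1. None of the three roles may be superuser, create databases/roles or bypass RLS.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolbypassrls
FROM pg_roles
WHERE rolname IN ('quantengine_owner', 'quantengine_app', 'quantengine_readonly')
ORDER BY rolname;
-- expected: every flag false on all three rows

-- 2. Schema level: everyone has USAGE, only the owner has CREATE (i.e. DDL).
SELECT r.rolname,
       has_schema_privilege(r.rolname, 'quantengine', 'USAGE')  AS can_use,
       has_schema_privilege(r.rolname, 'quantengine', 'CREATE') AS can_create
FROM pg_roles r
WHERE r.rolname IN ('quantengine_owner', 'quantengine_app', 'quantengine_readonly')
ORDER BY r.rolname;
-- expected: can_use = true for all; can_create = true only for quantengine_owner

-- 3. Table level, for every table that currently exists in the schema.
SELECT t.tablename,
       has_table_privilege('quantengine_app',
                           'quantengine.' || quote_ident(t.tablename), 'INSERT') AS app_insert,
       has_table_privilege('quantengine_readonly',
                           'quantengine.' || quote_ident(t.tablename), 'SELECT') AS ro_select,
       has_table_privilege('quantengine_readonly',
                           'quantengine.' || quote_ident(t.tablename), 'INSERT') AS ro_insert
FROM pg_tables t
WHERE t.schemaname = 'quantengine'
ORDER BY t.tablename;
-- expected on every row: app_insert = true, ro_select = true, ro_insert = false

-- 4. Default privileges must be registered FOR ROLE quantengine_owner; otherwise
--    tables created by the next migration are invisible to the app/readonly roles.
SELECT pg_get_userbyid(d.defaclrole) AS for_role,
       n.nspname                     AS schema_name,
       d.defaclobjtype               AS objtype,   -- r = table, S = sequence
       d.defaclacl                   AS acl
FROM pg_default_acl d
JOIN pg_namespace n ON n.oid = d.defaclnamespace
WHERE n.nspname = 'quantengine';
-- expected: for_role = quantengine_owner, with quantengine_app (arwd) and
--           quantengine_readonly (r) present in acl for objtype r

-- 5. Behavioural check: a DDL attempt by the application role must be denied.
DO $$
BEGIN
  SET LOCAL ROLE quantengine_app;          -- scoped to this transaction
  BEGIN
    EXECUTE 'CREATE TABLE quantengine.should_fail (id int)';
    RAISE EXCEPTION 'quantengine_app was able to run DDL in schema quantengine';
  EXCEPTION WHEN insufficient_privilege THEN
    RAISE NOTICE 'OK: DDL denied for quantengine_app';
  END;
END $$;
```

Queries 1 to 4 are read-only and safe to wire into the CI gate; query 5 is the one that catches a privilege drift a catalog inspection can miss (for example a GRANT CREATE applied by hand), and it leaves no table behind either way.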
    

3. Configuration Best Practices

  1. Connection String Hygiene:

    • Never store connection strings with plaintext passwords in version control.
    • appsettings.json must only contain placeholder configurations.
    • Inject the connection string at runtime using environment variables, for example:
      ConnectionStrings__DefaultConnection="Host=127.0.0.1;Database=quantenginedb;Username=quantengine_app;Password=YourSecurePassword;Search Path=quantengine;"

  2. Network Security:

    • Bind PostgreSQL only to local interfaces (127.0.0.1) or secure private network interfaces.
    • Restrict access in pg_hba.conf to allow connections only from the Gitea runner or application host.
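
The following is an added example of how the two network rules above translate into server settings and how to confirm they took effect; it is not part of the original guide. The addresses are placeholders (10.0.0.5 for the server's private interface, 10.0.0.10 for the application host, 10.0.0.20 for the Gitea runner) and must be replaced; the assumption that the runner connects as quantengine_owner to apply migrations is mine, not the guide's. The pg_hba.conf lines are shown inside SQL comments because that file is not SQL; the pg_hba_file_rules view requires PostgreSQL 10 or later.

```sql
-- Added example (not part of the original guide). Run as a superuser.
-- Placeholder addresses: 10.0.0.5 = private interface of the DB host,
-- 10.0.0.10 = application host, 10.0.0.20 = Gitea runner.

-- Bind only to loopback plus the private interface. Equivalent postgresql.conf line:
--   listen_addresses = '127.0.0.1,10.0.0.5'
-- listen_addresses needs a server restart, not just a reload.
ALTER SYSTEM SET listen_addresses = '127.0.0.1,10.0.0.5';

-- Require SCRAM so the scram-sha-256 lines below can authenticate the roles.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';

-- pg_hba.conf contents to install (assumption: the runner applies migrations as
-- the owner role; the read-only role is only used from the host itself):
--   # TYPE   DATABASE       USER                  ADDRESS         METHOD
--   local    all            postgres                              peer
--   hostssl  quantenginedb  quantengine_app       10.0.0.10/32    scram-sha-256
--   hostssl  quantenginedb  quantengine_owner     10.0.0.20/32    scram-sha-256
--   hostssl  quantenginedb  quantengine_readonly  127.0.0.1/32    scram-sha-256
--   # deliberately no catch-all line: anything not matched above is rejected

-- Reload so pg_hba.conf is re-read, then confirm it parsed cleanly.
SELECT pg_reload_conf();
SELECT line_number, type, database, user_name, address, netmask, auth_method, error
FROM pg_hba_file_rules
ORDER BY line_number;
-- expected: error IS NULL on every row; no row with address '0.0.0.0' or '::',
-- and no row whose auth_method is 'trust' or 'md5'

-- Confirm the settings the server is actually running with.
SHOW listen_addresses;       -- expected: 127.0.0.1,10.0.0.5 (after restart)
SHOW password_encryption;    -- expected: scram-sha-256
```

The pg_hba_file_rules query is the useful one to keep in CI: a syntax slip in pg_hba.conf does not stop the server, it just leaves the previous rules active, and the error column is the only place that failure is visible short of reading the server log.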