How to provide read only access

[arunaruljothi]

Hello,

We need to provide read only access to our Edge DB for some other teams. Unfortunately I can't come up with a way to do with the current implementation.

My first thought was to use the new psql protocol support but because it is on the same port as the binary protocol I cannot only allow access for it in the security group (we are running everything on AWS and Aurora). Also because the roles only allow superuser roles, I can't lock it down based on role either.

Is it possible to change the port so that the binary protocol and the postgres protocol are on different ports, or is there a better way to do this?

[haikyuu]

You can use access policies for this use case.

global current_user: uuid;

type User {
  required email: str { constraint exclusive; };
  role: str;
}

type BlogPost {
  required title: str;
  required author: User;

  access policy author_has_full_access
    allow all
    using (global current_user ?= .author.id);
  access policy other_teams_can_read
    allow select
    using (global current_user.role = 'read-only');
}

And then the other part is to authenticate other team members so that they have the adequate user type that can only read.

[arunaruljothi]

Access Polices work, but require that all the other users need to be updated. I also found that placing pgbouncer in front of the psql endpoint works to limit the end users from accessing the binary protocol.