rilldata · begelundmuller · Jul 5, 2024 · Jun 27, 2024 · Jul 3, 2024 · Jul 3, 2024
diff --git a/admin/metrics.go b/admin/metrics.go
@@ -47,6 +47,7 @@ func (s *Service) OpenMetricsProject(ctx context.Context) (*metrics.Client, bool
 				auth.ReadObjects,
 			},
 		},
+		Attributes: map[string]any{"admin": true},
 	})
 	if err != nil {
 		return nil, false, fmt.Errorf("could not issue jwt: %w", err)

diff --git a/admin/server/deployment.go b/admin/server/deployment.go
@@ -179,14 +179,6 @@ func (s *Server) GetDeploymentCredentials(ctx context.Context, req *adminv1.GetD
 			return nil, status.Error(codes.InvalidArgument, "invalid 'for' type")
 		}
 	}
-	// if no attributes found, we add standard non-admin user attrs to ensure security policies are applied correctly
-	if len(attr) == 0 {
-		attr = map[string]any{
-			"email":  "",
-			"domain": "",
-			"admin":  false,
-		}
-	}
 
 	ttlDuration := runtimeAccessTokenEmbedTTL
 	if req.TtlSeconds > 0 {
@@ -284,14 +276,6 @@ func (s *Server) GetIFrame(ctx context.Context, req *adminv1.GetIFrameRequest) (
 			return nil, status.Error(codes.InvalidArgument, "invalid 'for' type")
 		}
 	}
-	// if no attributes found, we add standard non-admin user attrs to ensure security policies are applied correctly
-	if len(attr) == 0 {
-		attr = map[string]any{
-			"email":  "",
-			"domain": "",
-			"admin":  false,
-		}
-	}
 
 	ttlDuration := runtimeAccessTokenEmbedTTL
 	if req.TtlSeconds > 0 {

diff --git a/admin/server/projects.go b/admin/server/projects.go
@@ -15,6 +15,7 @@ import (
 	"github.com/rilldata/rill/admin/server/auth"
 	adminv1 "github.com/rilldata/rill/proto/gen/rill/admin/v1"
 	runtimev1 "github.com/rilldata/rill/proto/gen/rill/runtime/v1"
+	"github.com/rilldata/rill/runtime"
 	"github.com/rilldata/rill/runtime/pkg/duckdbsql"
 	"github.com/rilldata/rill/runtime/pkg/email"
 	"github.com/rilldata/rill/runtime/pkg/observability"
@@ -146,12 +147,14 @@ func (s *Server) GetProject(ctx context.Context, req *adminv1.GetProjectRequest)
 	}
 
 	var attr map[string]any
-	var security *runtimev1.MetricsViewSpec_SecurityV2
+	var rules []*runtimev1.SecurityRule
 	if claims.OwnerType() == auth.OwnerTypeUser {
 		attr, err = s.jwtAttributesForUser(ctx, claims.OwnerID(), proj.OrganizationID, permissions)
 		if err != nil {
 			return nil, status.Error(codes.Internal, err.Error())
 		}
+	} else if claims.OwnerType() == auth.OwnerTypeService {
+		attr = map[string]any{"admin": true}
 	} else if claims.OwnerType() == auth.OwnerTypeMagicAuthToken {
 		mdl, ok := claims.AuthTokenModel().(*database.MagicAuthToken)
 		if !ok {
@@ -160,21 +163,45 @@ func (s *Server) GetProject(ctx context.Context, req *adminv1.GetProjectRequest)
 
 		attr = mdl.Attributes
 
-		security = &runtimev1.MetricsViewSpec_SecurityV2{
-			Access: fmt.Sprintf("'{{ .self.name }}'=%s", duckdbsql.EscapeStringValue(mdl.MetricsView)),
-		}
+		// Deny access to all resources except themes and mdl.MetricsView
+		rules = append(rules, &runtimev1.SecurityRule{
+			Rule: &runtimev1.SecurityRule_Access{
+				Access: &runtimev1.SecurityRuleAccess{
+					Condition: fmt.Sprintf(
+						"NOT ('{{.self.kind}}'='%s' OR '{{.self.kind}}'='%s' AND '{{ .self.name }}'=%s)",
+						runtime.ResourceKindTheme,
+						runtime.ResourceKindMetricsView,
+						duckdbsql.EscapeStringValue(mdl.MetricsView),
+					),
+					Allow: false,
+				},
+			},
+		})
+
 		if mdl.MetricsViewFilterJSON != "" {
 			expr := &runtimev1.Expression{}
 			err := protojson.Unmarshal([]byte(mdl.MetricsViewFilterJSON), expr)
 			if err != nil {
 				return nil, status.Errorf(codes.Internal, "could not unmarshal metrics view filter: %s", err.Error())
 			}
-			security.QueryFilter = expr
+
+			rules = append(rules, &runtimev1.SecurityRule{
+				Rule: &runtimev1.SecurityRule_RowFilter{
+					RowFilter: &runtimev1.SecurityRuleRowFilter{
+						Expression: expr,
+					},
+				},
+			})
 		}
+
 		if len(mdl.MetricsViewFields) > 0 {
-			security.Include = append(security.Include, &runtimev1.MetricsViewSpec_SecurityV2_FieldConditionV2{
-				Condition: "true",
-				Names:     mdl.MetricsViewFields,
+			rules = append(rules, &runtimev1.SecurityRule{
+				Rule: &runtimev1.SecurityRule_FieldAccess{
+					FieldAccess: &runtimev1.SecurityRuleFieldAccess{
+						Fields: mdl.MetricsViewFields,
+						Allow:  true,
+					},
+				},
 			})
 		}
 	}
@@ -198,8 +225,8 @@ func (s *Server) GetProject(ctx context.Context, req *adminv1.GetProjectRequest)
 				runtimeauth.ReadAPI,
 			},
 		},
-		Attributes: attr,
-		Security:   security,
+		Attributes:    attr,
+		SecurityRules: rules,
 	})
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "could not issue jwt: %s", err.Error())

diff --git a/admin/server/runtime_proxy.go b/admin/server/runtime_proxy.go
@@ -64,6 +64,8 @@ func (s *Server) runtimeProxyForOrgAndProject(w http.ResponseWriter, r *http.Req
 			if err != nil {
 				return httputil.Error(http.StatusInternalServerError, err)
 			}
+		} else if claims.OwnerType() == auth.OwnerTypeService {
+			attr = map[string]any{"admin": true}
 		}
 
 		jwt, err = s.issuer.NewToken(runtimeauth.TokenOptions{