RethinkDB Proxy

Reverse proxy for RethinkDB

Make your RethinkDB publicly accessible through limiting what kind of queries can be executed on your RethinkDB database.

Currently, RethinkDB has no access control (although they're currently working on it). Anyone with access to a running instance has access to everything, including system tables. This is a simple solution to that problem that allows for limited access to RethinkDB.

• Introduction by Example
• Try it!
• Installation
• Running rethinkdb-proxy
• Options
• The Future
• License

Introduction by Example

First, start the proxy.

$ rethinkdb-proxy --port 8125

Using the proxy, getting all users in the users table is allowed.

r.connect({ port: 8125 }).then((conn) => {
  r.table('users').coerceTo('array').run(conn)
    .then((results) => {
      // We have some results!
      console.log(results); // [{ name: 'jorge' }, ... ]
    });
});

But deleting the users is not:

import rethinkDBProxy from 'rethinkdb-proxy';
rethinkDBProxy({ port: 8125 });

r.connect({ port: 8125 }).then((conn) => {
  r.table('users').delete('array').run(conn)
    .catch((err) => {
      // We get an error!
      console.log(err); // RqlClientError: Cannot execute query. "DELETE" query not allowed
    });
});

Try it!

You can try out rethinkdb-proxy by connecting to a publicly available proxy at rethinkdb-proxy.thejsj.com:8125. This database (named test) has two tables: countries and cities. You can run queries against it to see how rethindkb-proxy works.

JavasScript:

import r from 'rethinkdb';
r.connect({ host: 'rethinkdb-proxy.thejsj.com', port: 8125 })
 .then(function (conn) {
   r.table('countries').coerceTo('array').run(conn);
 });

Python:

import rethinkdb as r
conn = r.connect(host="rethinkdb-proxy.thejsj.com", port=8125)
r.table('countries').coerce_to('array').run(conn)

Installation

Install rethinkdb-proxy through npm.

npm install -g rehtinkdb-proxy

Running rethinkdb-proxy

CLI

rethinkdb-proxy comes with a CLI out-of-the box:

rethinkdb-proxy --port 8125 

Module

You can also import rethinkdb-proxy into Node.js:

import rethinkDBProxy from 'rethinkdb-proxy';
rethinkDBProxy({ port: 8125, allowInsert: true });

Options

• port
• rdbHost
• rdbPort
• dbs
• allowSysDbAccess
• tables
• allowWrites
• allowInsert
• allowUpdate
• allowDelete
• allowReplace
• allowDbCreate
• allowDbDrop
• allowTableCreate
• allowTableDrop
• allowIndexes
• allowIndexCreate
• allowIndexDrop
• allowIndexRename
• allowReconfigure
• allowRebalance
• allowHttp
• allowJavascript

Port

Module Parameter	CLI Parameter	Default	API Reference
port	--port	8125

Port in which to listen for driver connections. You should point your driver to this port.

RethinkDB Host

Module Parameter	CLI Parameter	Default	API Reference
rdbHost	--rdb-host	localhost	connect

Host in which RethinkDB is running.

RethinkDB Port

Module Parameter	CLI Parameter	Default	API Reference
rdbPort	--rdb-host	localhost	connect

Host in which RethinkDB is running.

Databases

Module Parameter	CLI Parameter	Default	API Reference
dbs	--dbs	[ ]

Database to allow access to. By default, all database are allowed except rethinkdb.

Allow System Database Access

Module Parameter	CLI Parameter	Default	API Reference
allowSysDbAccess	--allow-sys-db-access	false

Allow access to the rethinkdb database. This is not allowed by default because access to this database allows the user to delete all other data, cancel jobs, mess with the cluster, etc.

Tables

Module Parameter	CLI Parameter	Default	API Reference
tables	--tables	[ ]

Tables to allow access to. Tables must include their database db.table.

Allow Writes

Module Parameter	CLI Parameter	Default	API Reference
allowWrites	--allow-writes	false

Allow all operations that write to the database (insert, update, delete).

Allow insert

Module Parameter	CLI Parameter	Default	API Reference
allowInsert	--allow-insert	false	insert

Allow insert queries.

Allow update

Module Parameter	CLI Parameter	Default	API Reference
allowUpdate	--allow-update	false	update

Allow update queries.

Allow delete

Module Parameter	CLI Parameter	Default	API Reference
allowDelete	--allow-delete	false	delete

Allow delete queries.

Allow replace

Module Parameter	CLI Parameter	Default	API Reference
allowReplace	--allow-replace	false	replace

Allow replace queries.

Allow dbCreate

Module Parameter	CLI Parameter	Default	API Reference
allowDbCreate	--allow-db-create	false	dbCreate

Allow dbCreate queries

Allow dbDrop

Module Parameter	CLI Parameter	Default	API Reference
allowDbDrop	--allow-db-drop	false	dbDrop

Allow dbDrop queries

Allow tableCreate

Module Parameter	CLI Parameter	Default	API Reference
allowTableCreate	--allow-table-create	false	tableCreate

Allow tableCreate queries.

Allow tableDrop

Module Parameter	CLI Parameter	Default	API Reference
allowTableDrop	--allow-table-drop	false	tableDrop

Allow tableDrop queries.

Allow Indexes

Module Parameter	CLI Parameter	Default	API Reference
allowIndexes	--allow-indexes	false

Allow all operations on indexes (indexCreate, indexDrop, indexRename).

Allow indexCreate

Module Parameter	CLI Parameter	Default	API Reference
allowIndexCreate	--allow-index-create	false	indexCreate

Allow indexCreate queries.

Allow indexDrop

Module Parameter	CLI Parameter	Default	API Reference
allowIndexDrop	--allow-index-drop	false	indexDrop

Allow indexDrop queries.

Allow indexRename

Module Parameter	CLI Parameter	Default	API Reference
allowIndexRename	--allow-index-rename	false	indexRename

Allow indexRename queries.

Allow reconfigure

Module Parameter	CLI Parameter	Default	API Reference
allowReconfigure	--allow-reconfigure	false	reconfigure

Allow reconfigure queries.

Allow rebalance

Module Parameter	CLI Parameter	Default	API Reference
allowRebalance	--allow-rebalance	false	rebalance

Allow rebalance queries.

Allow http

Module Parameter	CLI Parameter	Default	API Reference
allowHttp	--allow-http	false	http

Allow queries with the http term.

Allow js

Module Parameter	CLI Parameter	Default	API Reference
allowJavascript	--allow-javascript	false	js

Allow queries with the js term.

The Future

As of right now, there are many features that could be added to rethinkdb-proxy. If you have any suggestions, please submit an issue. If enough people use this, I'd be happy to implement them. Features for the future might include:

• Access from the front-end, Firebase style (through http and/or websockets)
• Authentication/User accounts (perhaps integration with Github/OAuth)
• More robust access control (permissions per database, per table)
• Options stored in the database

License

Copyright (c) 2015, Jorge Silva.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.