NodeDB has a defense-in-depth security model covering authentication, authorization, encryption, and audit.
- Authentication — Users, passwords, API keys, service accounts, OIDC, mTLS
- OIDC Single Sign-On — JWT bearer authentication, claim mapping, provider setup
- Roles & Permissions (RBAC) — CREATE ROLE, GRANT, REVOKE, permission hierarchy, ClusterAdmin
- Session Management — SHOW SESSIONS, KILL SESSION, idle timeout, lockout, rate limiting
- Row-Level Security (RLS) — Per-row filtering based on auth context
- Audit Log — Hash-chained audit trail, database-scoped events, DML audit, SIEM export
- Multi-Tenancy — Database vs Tenant, tenant isolation, quotas, purge
- Encryption — At-rest cipher per storage tier, key management, TLS
Authentication and access control are now database-aware:
- API keys can be narrowed to specific databases
- Service accounts are created per database
- RLS policies can reference
$auth.database_id - Session management binds connections to one database
- Audit events include
database_idfor filtering - Admin DDL is gated by role (ClusterAdmin for cross-database ops)
See Authentication, RBAC, Audit Log, and Session Management.
- At rest — AES-256-GCM for WAL and columnar/timeseries segments (per-collection KEK + per-segment SEGP envelope). Filesystem-level encryption (LUKS / dm-crypt / FileVault) covers redb catalogs and HNSW / Vamana mmap segments. Full per-tier breakdown:
encryption.md. - In transit — TLS for all protocols (pgwire, HTTP, WebSocket, native)
- Lite devices — AES-256-GCM + Argon2id key derivation for on-device encryption
-- Create a user
CREATE USER alice WITH PASSWORD 'secret' ROLE readwrite;
-- Row-level security
CREATE RLS POLICY own_data ON orders FOR ALL
USING (customer_id = $auth.id);
-- View audit log
SHOW AUDIT LOG LIMIT 50;
-- Typeguard-based change tracking (schemaless)
CREATE TYPEGUARD ON users (
created_at TIMESTAMP DEFAULT now(),
updated_at TIMESTAMP VALUE now()
);