Introduction: The Power of Direct Database-to-API Exposure

PostgREST stands as a lightweight API server with a core advantage: no backend interface coding required. It directly exposes PostgreSQL database tables as RESTful interfaces. However, its normal operation heavily depends on PostgreSQL role and permission configuration. This comprehensive guide focuses on PostgREST core configuration, PostgreSQL role creation and authorization, combining production environment practical scenarios to organize directly copyable configuration templates and operation instructions, helping backend developers quickly master PostgREST and database permission integration.

Part One: PostgREST Core Configuration (Production-Ready Templates)

PostgREST's configuration file is postgrest.conf. Among its settings, database connection and role permission-related configurations form the core. Below presents a complete production-grade configuration template, with permission-related items prominently highlighted:

# Database connection (must completely match backend service like Java yml configuration)
db-uri = "postgres://postgres:postgres2024@10.62.204.32:5432/gansueq"

# Database schema name (default public, modify if tables exist in other schemas)
db-schema = "public"

# 🔴 CORE: PostgREST anonymous access role (must be created in PostgreSQL in advance)
db-anon-role = "web_anon"

# Service port and address (default 3000, modify according to requirements)
server-port = 3000
server-host = "0.0.0.0"

# 🔴 KEY: Allow frontend custom token headers (configure if using custom token verification)
request-headers = "token"

# Cross-origin configuration (adjust according to frontend actual addresses to avoid cross-origin interception)
server-cors-allowed-origins = "http://10.62.210.66:8099,http://10.62.210.66:22516"
server-cors-allowed-credentials = true
server-cors-allowed-headers = "Content-Type, Authorization, Accept, token"
server-cors-allowed-methods = "GET, POST, PATCH, DELETE, OPTIONS"

# Production environment recommendation: disable auto-generated OpenAPI interface documentation for enhanced security
openapi-mode = "disabled"

Core Configuration Item Explanations (Permission-Related Highlights)

Configuration ItemFunctionImportant Notes
db-uriCore connection string for PostgREST connecting to PostgreSQL, containing username, password, IP, port, database nameMust completely match backend service (such as Java) database configuration, otherwise token verification failure and table access exceptions will occur
db-anon-roleRole PostgREST uses for anonymous database access, the core of permission controlThis role must be created in PostgreSQL in advance and possess corresponding table access permissions, otherwise 400/401 errors will be reported
request-headersAllows frontend to carry custom request headers (such as token) for identity verificationIf frontend uses custom tokens rather than standard Authorization headers, this item must be configured, otherwise PostgREST cannot recognize tokens
db-schemaSpecifies the database schema PostgREST accessesMust ensure anonymous role (web_anon) possesses access permissions for this schema

Part Two: PostgreSQL Role and Permission Configuration (Mandatory Operations)

PostgREST itself doesn't implement permission control, completely relying on PostgreSQL's role and permission mechanisms. Among these, the web_anon role serves as PostgREST anonymous access core. Below presents complete role creation and authorization steps, directly copyable SQL for execution.

Step 1: Core Role Creation (web_anon)

Create PostgREST's dedicated anonymous role for interface access, requiring no login permissions (NOLOGIN):

-- 1. Create anonymous role (NOLOGIN indicates this role cannot directly login, only for PostgREST access)
CREATE ROLE web_anon NOLOGIN;

Step 2: Core Permission Authorization (Ensuring PostgREST Can Access Tables)

Authorization divides into three steps: schema access permissions, table query permissions, ensuring the web_anon role can normally access all tables under the public schema, suitable for most production scenarios:

-- 2. Allow web_anon role to access public schema (mandatory, otherwise cannot see tables under schema)
GRANT USAGE ON SCHEMA public TO web_anon;

-- 3. Grant web_anon role query permissions for all tables under public schema (core, interfaces can normally query data)
GRANT SELECT ON ALL TABLES IN SCHEMA public TO web_anon;

-- Optional: Set default permissions, automatically grant web_anon query permissions for subsequently created tables, avoiding repeated authorization
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO web_anon;

Step 3: Permission Configuration Explanations (Key Pitfall Avoidance)

  • NOLOGIN keyword: The web_anon role is only used for PostgREST access, no need to allow direct database login, enhancing security.
  • USAGE permission: Only allows role to access the schema, doesn't include table operation permissions, serving as the prerequisite for table access.
  • SELECT permission: Allocate according to business requirements. If interfaces need to support insertion, modification, and deletion,追加 GRANT INSERT/UPDATE/DELETE permissions.
  • Default permission configuration: If tables will be created subsequently, executing the ALTER DEFAULT PRIVILEGES statement is recommended, avoiding manual authorization for each new table.

Part Three: Configuration and Permission Linkage Considerations (Production Pitfall Avoidance)

Configuration and Role Consistency

The db-anon-role = "web_anon" in PostgREST configuration must completely match the role name created in PostgreSQL, otherwise 400 errors will be reported (error=22023).

Permission Updates Require Restart

After modifying PostgreSQL role permissions, creating new tables, or modifying table structures, PostgREST must be restarted (PostgREST caches table structures and permissions at startup, not automatically refreshing during operation).

Multi-Environment Consistency

During multi-server deployment, ensure PostgREST configuration, PostgreSQL roles, and permissions are completely consistent across all servers, avoiding environment difference-caused interface errors.

Security Recommendations

In production environments, avoid granting excessive permissions to the web_anon role (granting ALL permissions is not recommended). Only allocate minimum permissions required by interfaces (such as SELECT permissions only).

Error Troubleshooting

If PostgREST interfaces report 400 Bad Request (error=22023), prioritize checking whether the web_anon role exists and whether permissions are complete (high probability is role missing or insufficient permissions).

Part Four: Windows Environment PostgREST Restart Method (Mandatory After Permission/Configuration Updates)

After permission or configuration modifications, PostgREST must be restarted for changes to take effect. The simplest restart method in Windows environment:

  1. Close the running PostgREST black window (directly click the window close button)
  2. Navigate to PostgREST installation directory, double-click postgrest.exe to restart
  3. Startup success verification: The black window outputs the following log, indicating cache has updated and permission configuration has taken effect:
Successfully connected to PostgreSQL
Schema cache loaded

Part Five: Common Problems and Solutions

Problem 1: "Role web_anon Does Not Exist" When Executing Authorization SQL?

Solution: First execute CREATE ROLE web_anon NOLOGIN; to create the role, then execute authorization statements.

Problem 2: PostgREST Starts Normally, But Interfaces Report 400 Errors (error=22023)?

Solution: Check whether the web_anon role possesses USAGE permissions for the public schema and SELECT permissions for tables. After confirmation, restart PostgREST.

Problem 3: After Permission Updates, Interfaces Still Report Permission-Related Errors?

Solution: Confirm permissions have been correctly granted and PostgREST has been restarted. If errors persist, check whether db-uri configuration is correct (whether connected to the correct database).

Part Six: Extended Considerations for Enterprise Deployments

Connection Pooling and Performance Optimization

For high-traffic production environments, consider implementing connection pooling between PostgREST and PostgreSQL. This reduces connection overhead and improves response times under load. Configure appropriate max-connections settings in your PostgREST configuration to balance resource utilization with performance requirements.

Monitoring and Logging Strategy

Implement comprehensive logging for PostgREST operations to track:

  • Request patterns and frequencies
  • Error rates and types
  • Response time distributions
  • Authentication failures

This data proves invaluable for performance tuning and security auditing.

Backup and Recovery Procedures

Document clear procedures for:

  • Backing up PostgREST configurations
  • Exporting PostgreSQL role definitions
  • Restoring permission configurations after system failures
  • Rolling back permission changes that cause issues

Part Seven: Advanced Security Configurations

Row-Level Security Integration

PostgreSQL's Row-Level Security (RLS) provides an additional security layer when used with PostgREST. Enable RLS policies to restrict which rows different roles can access:

-- Enable RLS on a table
ALTER TABLE users ENABLE ROW LEVEL SECURITY;

-- Create policy allowing users to see only their own data
CREATE POLICY user_isolation ON users
    FOR SELECT
    USING (current_setting('request.jwt.claims', true)::json->>'sub' = user_id::text);

JWT Authentication Integration

For production systems requiring user authentication, integrate JWT (JSON Web Token) validation:

# In postgrest.conf
db-anon-role = "web_anon"
db-role = "authenticated_role"
jwt-secret = "your-secret-key"

This configuration allows anonymous access through web_anon while authenticated users operate under authenticated_role with different permissions.

Part Eight: Summary and Best Practices

PostgREST and PostgreSQL role permission configuration centers on "consistency"—the anonymous role in PostgREST configuration must exist in the database and possess corresponding schema and table permissions. Simultaneously, note that permission and table structure changes require PostgREST restart to refresh caches.

The configuration templates and SQL instructions provided in this guide can be directly applied to production environments, especially for emergency response systems and data query systems. Simply adjust according to actual database addresses, usernames, and passwords to quickly complete PostgREST and database permission integration, avoiding interface errors caused by configuration or permission issues.

Key Takeaways for Production Success

  1. Always test in staging before deploying permission changes to production
  2. Document all role configurations for team reference and audit purposes
  3. Implement gradual permission grants—start with minimal permissions and expand as needed
  4. Monitor access patterns to identify potential security issues or performance bottlenecks
  5. Maintain configuration version control to track changes and enable rollback if needed

By following these practices and utilizing the provided templates, development teams can reliably deploy PostgREST as a production-ready API layer, leveraging PostgreSQL's robust permission system while maintaining security and performance standards.