Re: question on row level security

From: Karsten Hilbert <Karsten(dot)Hilbert(at)gmx(dot)net>
To: pgsql-sql(at)postgresql(dot)org
Subject: Re: question on row level security
Date: 2015-12-30 17:37:15
Message-ID: 20151230173715.GA27891@hermes.hilbert.loc
Lists: pgsql-sql

On Wed, Dec 30, 2015 at 05:28:13PM +0000, Tim Dudgeon wrote:

> > The new row level security feature in 9.5 looks great.
> > I guess it's designed around the need to restrict access based on
> > the current database user (current_user) where this maps to a
> > database user.
> > But most applications now access the database using an application
> > user and manage data for the application's multiple users
> > (probably with each user being a row in a USERS table somewhere).
> > Is there any way to "inject" the application user so that this can
> > be used in a RLS check?
> > e.g. conceptually:
> >
> > set app_user 'john';
> > select * from foo;
> >
> > where the select * is restricted by a RLS check that includes
> > 'john' as the app_user.
> > Of course custom SQL could be generated for this, but it would be
> > safer if it could be handled using RLS.
> >
> > Any ways to do this?

You could store a session cookie (say, the app_user) in a
table and have the RLS policy refer to that, no?

Karsten
--
GPG key ID E4071346 @ eu.pool.sks-keyservers.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
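
One way to build the session-table approach suggested in this reply on PostgreSQL 9.5, as an added example that is not part of the original message. The names webapp, foo.owner, app_session, app_login and current_app_user are assumptions chosen for illustration.

```sql
-- Added example. All object names here are assumptions, not from the thread.
CREATE ROLE webapp LOGIN;              -- the shared application role

CREATE TABLE foo (
    id    serial PRIMARY KEY,
    owner text NOT NULL,               -- application user who owns the row
    body  text
);

-- The "session cookie" table: one row per backend, keyed by its PID.
CREATE TABLE app_session (
    backend_pid integer PRIMARY KEY,
    app_user    text NOT NULL
);

-- webapp gets no direct rights on app_session; it goes through these two
-- SECURITY DEFINER functions, which run as the table owner.
CREATE FUNCTION app_login(p_user text) RETURNS void
LANGUAGE sql SECURITY DEFINER SET search_path = public, pg_temp AS $$
    INSERT INTO app_session VALUES (pg_backend_pid(), p_user)
    ON CONFLICT (backend_pid) DO UPDATE SET app_user = EXCLUDED.app_user;
$$;

CREATE FUNCTION current_app_user() RETURNS text
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public, pg_temp AS $$
    SELECT app_user FROM app_session WHERE backend_pid = pg_backend_pid();
$$;

REVOKE ALL ON FUNCTION app_login(text), current_app_user() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app_login(text), current_app_user() TO webapp;

-- No session row means current_app_user() is NULL, so the policy matches
-- nothing and the table reads as empty (fails closed).
ALTER TABLE foo ENABLE ROW LEVEL SECURITY;
CREATE POLICY foo_by_app_user ON foo
    USING (owner = current_app_user())
    WITH CHECK (owner = current_app_user());
GRANT SELECT, INSERT, UPDATE, DELETE ON foo TO webapp;
GRANT USAGE ON SEQUENCE foo_id_seq TO webapp;

-- In a webapp connection, at the start of each request:
SELECT app_login('john');
SELECT * FROM foo;                     -- filtered by foo_by_app_user
```

app_login trusts its argument, so anything that can run arbitrary SQL as webapp can still choose a user; the policy protects against forgotten WHERE clauses, not against a compromised application role. With pooled connections the row must be set again on every checkout, because a backend PID is reused across requests.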
