Row level security

From: Thomas Simpson <ts(at)talentstack(dot)to>
To: pgsql-performance(at)postgresql(dot)org
Subject: Row level security
Date: 2024-06-24 22:28:13
Message-ID: 52034f9b-0f2d-4467-bc96-2dc85b0f6f36@talentstack.to
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-performance

Hi,

I'm trying to implement a system which requires row level security on
some key data tables (most do not require RLS).  The data tables will
grow substantially (rows likely > +100M/year - the system is > 80% data
insert plus < 20% updates and by design, no deletes).

Some queries are likely to brush past many rows before being eliminated
by the RLS policy, so I'm trying to find the most efficient way that
does not compromise query times.  I also want to have a unified approach
across all the RLS data to make the policy implementation as
straightforward as possible too because I know there will be future
expansion of the RLS rules.

My thought currently is that table inheritance could possibly be one way
forward.  Specifically the base table holding just the RLS attributes,
such as site group, site ID, customer group, customer ID as some initial
examples (I expect company division, department may be future needs too).

With the RLS attributes on the base table, I can add future needs to
that table and they automatically propagate to the child tables holding
the RLS data.  Policies on the child tables can enforce row visibility
based on session tokens assigned at login (a future problem avoided just
now for simplicity).

I have a small prototype working, with the policy function comparing the
columns (from the base table) to the user tokens to permit/deny row
access.  This allows this to be as in-memory and hopefully as fast as
possible as it avoids needing to do any lookups to other tables or
anything more expensive than some 'permissionColumn IN
listOfTokensHeldByTheSession' checks.

My concern is the base table will grow substantially faster than the
child data tables as that receives a new row for every row inserted in
any of the child tables, so could easily be +300M rows/year and this
could become some performance fence.  Some of the child tables have a
clear partition key available so inherited & partitioned is also
appealing but could possibly amplify any performance issue further.

Does this approach sound viable or are there pitfalls or a different
more recommended approach?

Thanks

Jim

Responses

Browse pgsql-performance by date

  From Date Subject
Next Message Laura Hausmann 2024-06-27 00:50:31 Inconsistent query performance based on relation hit frequency
Previous Message Julius Tuskenis 2024-06-18 13:03:17 Re: performance of sql and plpgsql functions