From: | Adrian Klaver <adrian(dot)klaver(at)aklaver(dot)com> |
---|---|
To: | Tim Dudgeon <tdudgeon(dot)ml(at)gmail(dot)com>, pgsql-sql(at)postgresql(dot)org |
Subject: | Re: question on row level security |
Date: | 2015-12-30 17:28:31 |
Message-ID: | 5684143F.1010205@aklaver.com |
Lists: | pgsql-sql |
On 12/30/2015 08:58 AM, Tim Dudgeon wrote:
> The new row level security feature in 9.5 looks great.
> I guess it's designed around the need to restrict access based on the
> current database user (current_user) where this maps to a database user.
> But most applications now access the database using an application user
> and manage data for the application's multiple users (probably with each
> user being a row in a USERS table somewhere).
> Is there any way to "inject" the application user so that this can be
> used in a RLS check?
> e.g. conceptually:
>
> set app_user 'john';
> select * from foo;
>
> where the select * is restricted by a RLS check that includes 'john' as
> the app_user.
> Of course custom SQL could be generated for this, but it would be safer
> if it could be handled using RLS.
>
> Any ways to do this?
User name maps?:
http://www.postgresql.org/docs/9.5/interactive/auth-username-maps.html
This still results in an external user becoming a database user. From
there you can set up users as members of larger roles, i.e. accounting,
hr, etc., to manage access, or not.
>
> Tim
>
>
>
--
Adrian Klaver
adrian(dot)klaver(at)aklaver(dot)com
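
An added illustration of the approach suggested in the reply above (not part of the original message or of the PostgreSQL documentation): external users are mapped to database roles, the roles are members of group roles, and the RLS policies are written against those roles and current_user. All role, table, column and map names are assumptions made up for the example.

```sql
-- Constructed example: every role, table and map name here is an assumption.
-- The user name map itself lives outside SQL: with ident, peer, GSSAPI, SSPI
-- or cert authentication, a pg_hba.conf entry carrying "map=appmap" and a
-- pg_ident.conf line such as
--     appmap   john.smith   john
-- lets the external user john.smith connect as the database role john.

-- Group roles carry the privileges; login roles are members of them.
CREATE ROLE accounting NOLOGIN;
CREATE ROLE hr NOLOGIN;
CREATE ROLE john LOGIN IN ROLE accounting;
CREATE ROLE mary LOGIN IN ROLE hr;

CREATE TABLE foo (
    id         serial PRIMARY KEY,
    dept       text NOT NULL,
    created_by name NOT NULL DEFAULT current_user,
    payload    text
);
GRANT SELECT, INSERT, UPDATE, DELETE ON foo TO accounting, hr;
GRANT USAGE ON SEQUENCE foo_id_seq TO accounting, hr;

-- With RLS enabled and no matching policy, non-owner roles get default deny.
-- Superusers and the table owner bypass the policies (the owner only until
-- ALTER TABLE foo FORCE ROW LEVEL SECURITY is set).
ALTER TABLE foo ENABLE ROW LEVEL SECURITY;

-- Members of accounting may read and write accounting rows only.
CREATE POLICY foo_accounting ON foo TO accounting
    USING (dept = 'accounting')
    WITH CHECK (dept = 'accounting');

-- Members of hr are limited further, to hr rows they created themselves.
CREATE POLICY foo_hr ON foo TO hr
    USING (dept = 'hr' AND created_by = current_user)
    WITH CHECK (dept = 'hr' AND created_by = current_user);

-- Seed rows as a superuser, then switch role to exercise the policies.
INSERT INTO foo (dept, created_by, payload) VALUES
    ('accounting', 'john', 'Q4 ledger'),
    ('hr',         'mary', 'review notes');

-- SET ROLE changes current_user, so foo_accounting now filters the SELECT
-- and its WITH CHECK clause is applied to the INSERT of an hr row.
SET ROLE john;
SELECT id, dept, payload FROM foo;
INSERT INTO foo (dept, payload) VALUES ('hr', 'not permitted for john');
RESET ROLE;
```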