| From: | Charles Clavadetscher <clavadetscher(at)swisspug(dot)org> |
|---|---|
| To: | Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at> |
| Cc: | Ted Toth <txtoth(at)gmail(dot)com>, pgsql-general <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: FDW and RLS |
| Date: | 2020-05-25 17:02:49 |
| Message-ID: | 62c5b2b1bc707e036b278ca41829aefa@swisspug.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hello
On 2020-05-25 15:50, Laurenz Albe wrote:
> On Fri, 2020-05-22 at 08:02 -0500, Ted Toth wrote:
>> Will RLS be applied to data being retrieved via a FDW?
>
> ALTER FOREIGN TABLE rp_2019 ENABLE ROW LEVEL SECURITY;
> ERROR: "rp_2019" is not a table
>
> Doesn't look good.
>
> Yours,
> Laurenz Albe
Actually it does work if you set the policy on the source table and
access it using the user defined in the user mappings on the foreign
table on the remote server.
Server 1:
charles(at)kofdb(dot)archivedb(dot)5432=# \d public.test_fdw_rls
Table "public.test_fdw_rls"
Column | Type | Collation | Nullable | Default
----------+---------+-----------+----------+---------
id | integer | | |
content | text | | |
username | text | | |
Policies:
POLICY "kofadmin_select" FOR SELECT
TO kofadmin
USING ((username = ("current_user"())::text))
kofadmin(at)kofdb(dot)archivedb(dot)5432=> \dp public.test_fdw_rls
Access privileges
Schema | Name | Type | Access privileges | Column
privileges | Policies
--------+--------------+-------+-------------------------+-------------------+----------------------------------------------
public | test_fdw_rls | table | charles=arwdDxt/charles+|
| kofadmin_select (r): +
| | | kofadmin=arwd/charles |
| (u): (username = ("current_user"())::text)+
| | | |
| to: kofadmin
charles(at)kofdb(dot)archivedb(dot)5432=# SELECT CURRENT_USER; SELECT * FROM
public.test_fdw_rls;
charles(at)kofdb(dot)archivedb(dot)5432=# SELECT CURRENT_USER; SELECT * FROM
public.test_fdw_rls;
current_user
--------------
charles
(1 row)
id | content | username
----+----------------------------------+----------
1 | Text for charles | charles
1 | Access from fdw via user fdwsync | fdwsync
(2 rows)
charles(at)kofdb(dot)archivedb(dot)5432=# set role fdwsync ;
SET
charles(at)kofdb(dot)archivedb(dot)5432=> SELECT CURRENT_USER; SELECT * FROM
public.test_fdw_rls;
current_user
--------------
fdwsync
(1 row)
id | content | username
----+----------------------------------+----------
1 | Access from fdw via user fdwsync | fdwsync
(1 row)
On the server accessing the table via FDW:
kofadmin(at)kofdb(dot)t-archivedb(dot)5432=> \deu+
List of user mappings
Server | User name | FDW options
------------+-----------+---------------------------------------------
kofdb_prod | kofadmin | (password 'mysecret', "user" 'fdwsync')
kofadmin(at)kofdb(dot)t-archivedb(dot)5432=> SELECT CURRENT_USER; SELECT * FROM
public.test_fdw_rls ;
current_user
--------------
kofadmin
(1 row)
id | content | username
----+----------------------------------+----------
1 | Access from fdw via user fdwsync | fdwsync
(1 row)
Regards
Charles
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Christopher Pereira | 2020-05-26 03:59:43 | Re: pg_basebackup + incremental base backups |
| Previous Message | Adrian Klaver | 2020-05-25 14:20:15 | Re: pg_dump crashes |