Re: question on row level security - Mailing list pgsql-sql

From Karsten Hilbert
Subject Re: question on row level security
Date
Msg-id 20151230173715.GA27891@hermes.hilbert.loc
In response to Re: question on row level security  (Tim Dudgeon <tdudgeon.ml@gmail.com>)
List pgsql-sql
On Wed, Dec 30, 2015 at 05:28:13PM +0000, Tim Dudgeon wrote:

> >    The new row level security feature in 9.5 looks great.
> >    I guess it's designed around the need to restrict access based on
> >    the current database user (current_user) where this maps to a
> >    database user.
> >    But most applications now access the database using an application
> >    user and manage data for the application's multiple users
> >    (probably with each user being a row in a USERS table somewhere).
> >    Is there any way to "inject" the application user so that this can
> >    be used in a RLS check?
> >    e.g. conceptually:
> >
> >    set app_user 'john';
> >    select * from foo;
> >
> >    where the select * is restricted by a RLS check that includes
> >    'john' as the app_user.
> >    Of course custom SQL could be generated for this, but it would be
> >    safer if it could be handled using RLS.
> >
> >    Any ways to do this?

You could store a session cookie (say, the app_user) into a
table and have the RLS policy refer to that, no?

Karsten
-- 
GPG key ID E4071346 @ eu.pool.sks-keyservers.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346
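
One way to implement the suggestion above, as an added example that is not part of the original message: the application records its end user in a table keyed by the connection's backend PID, and the RLS policy on `foo` compares each row against that entry. The role `webapp`, the table `app_session`, the column `owner_name` and the functions `set_app_user()` and `current_app_user()` are hypothetical names chosen for illustration.

```sql
-- Added example; app_session, foo, webapp and both functions are hypothetical names.
CREATE ROLE webapp LOGIN;  -- shared application login: not the table owner, no BYPASSRLS

CREATE TABLE app_session (
    backend_pid integer PRIMARY KEY,   -- one row per database connection
    app_user    text NOT NULL
);
CREATE TABLE foo (
    owner_name text NOT NULL,
    payload    text
);

-- webapp gets no direct privileges on app_session; it goes through these functions.
CREATE FUNCTION set_app_user(p_user text) RETURNS void
LANGUAGE sql SECURITY DEFINER SET search_path = public, pg_temp AS $$
    INSERT INTO app_session (backend_pid, app_user)
    VALUES (pg_backend_pid(), p_user)
    ON CONFLICT (backend_pid) DO UPDATE SET app_user = EXCLUDED.app_user;
$$;

CREATE FUNCTION current_app_user() RETURNS text
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public, pg_temp AS $$
    SELECT app_user FROM app_session WHERE backend_pid = pg_backend_pid();
$$;

REVOKE ALL ON FUNCTION set_app_user(text), current_app_user() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION set_app_user(text), current_app_user() TO webapp;
GRANT SELECT, INSERT, UPDATE, DELETE ON foo TO webapp;

ALTER TABLE foo ENABLE ROW LEVEL SECURITY;
-- No WITH CHECK clause: the USING expression is then also applied to new rows.
-- With no session row current_app_user() is NULL, so the policy matches nothing.
CREATE POLICY foo_by_app_user ON foo
    FOR ALL TO webapp
    USING (owner_name = current_app_user());

-- In the application's connection (role webapp), after it has authenticated the user:
SELECT set_app_user('john');
SELECT * FROM foo;
```

Backend PIDs are reused and pooled connections are shared between requests, so the application has to call `set_app_user()` every time it takes a connection, before any other query. The database still trusts whatever name the `webapp` role supplies, so this confines ordinary application queries to the current user's rows but does not protect against code that can run arbitrary SQL as `webapp`.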
