Row-level security--is it possible? - Mailing list pgsql-general
| From | Michal Taborsky |
|---|---|
| Subject | Row-level security--is it possible? |
| Date | |
| Msg-id | 40E56D0A.8000700@taborsky.cz Whole thread Raw |
| Responses |
Re: Row-level security--is it possible?
(Doug McNaught <doug@mcnaught.org>)
|
| List | pgsql-general |
Hello.
We are currently facing a design issue, which I am a bit stuck with. We
are talking about row-level access regulation. I'll make it clear with
an example.
Let there be a table of products:
CREATE TABLE products
(
Product_ID serial,
Name text,
Producer_ID int4 NOT NULL,
PRIMARY KEY (Product_ID)
)
We have two users Joe and Pete. The thing is, that Pete is just an
intern and should have access only to products from a specific producer,
while Joe should have unlimited access. Of course we could resolve it on
application level (PHP/Apache), but that I don't want to do. My first
idea was to create specific views for every user, like this:
CREATE VIEW products_pete AS
SELECT * FROM products WHERE Producer_ID=1;
and
CREATE VIEW products_joe AS
SELECT * FROM products;
But this is not very usable.
My second thought was to create a rule for every user and attach these
rules to products table. But alas! I was not able to make Postgres to
apply only one of the rules, because SELECT rules do not accept
qualification predicates (WHERE clause). Following definition does not
work, though I believe it would solve my problem:
CREATE RULE "_RETURN_pete" AS
ON SELECT TO products WHERE current_user=pete DO INSTEAD
SELECT * FROM products WHERE Producer_ID=1;
Is there any chance it could be implemented like this?
The third option that crossed my mind was to create permission function
that would specifically say "yes, you have access to this row". We'd
change this function
CREATE OR REPLACE FUNCTION product_access(name, int4)
RETURNS bool AS '
DECLARE
product RECORD;
BEGIN
SELECT * FROM product WHERE Product_ID=$2;
IF $1=\'pete\' THEN -- pete has access to producer with ID 1
IF product.Producer_ID=1 THEN
RETURN true;
ELSE
RETURN false;
END IF;
ELSIF $1=\'joe\' THEN
RETURN true;
END IF;
-- fail if unknown user
RETURN false;
END;'
LANGUAGE 'plpgsql' IMMUTABLE;
Then I'd use this function in a rule like this:
CREATE RULE "_RETURN" AS
ON SELECT TO products DO INSTEAD
SELECT * FROM products WHERE product_access(current_user, id);
I haven'r run any tests, but something tells me, that this would be
incredibly slow. But it's the only solution that I can think of that
should work.
Has anyone solved similar issue? Can you point me to some info or
how-to? I know that Oracle has this functionality through so called
policies, which are similar to this, but they work fast.
Thanks for any ideas. If I'll be able to solve this I promise to write
some tutorial about it for techdocs (if it does not exist already).
--
Michal Taborsky
http://www.taborsky.cz
pgsql-general by date: