On 12/30/2015 08:58 AM, Tim Dudgeon wrote:
> The new row level security feature in 9.5 looks great.
> I guess it's designed around the need to restrict access based on the
> current database user (current_user) where this maps to a database user.
> But most applications now access the database using an application user
> and manage data for the application's multiple users (probably with each
> user being a row in a USERS table somewhere).
> Is there any way to "inject" the application user so that this can be
> used in a RLS check?
> e.g. conceptually:
>
> set app_user 'john';
> select * from foo;
>
> where the select * is restricted by a RLS check that includes 'john' as
> the app_user.
> Of course custom SQL could be generated for this, but it would be safer
> if it could be handled using RLS.
>
> Any ways to do this?
User name maps?:
http://www.postgresql.org/docs/9.5/interactive/auth-username-maps.html
This still results in an external user becoming a database user. From
there you can set up users as members of larger roles, i.e. accounting,
hr, etc. to manage access, or not.
>
> Tim
>
>
>
--
Adrian Klaver
adrian.klaver@aklaver.com
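
The approach suggested in the reply above, sketched as an added example that is not part of the original message: external users are mapped to database roles, and RLS policies key on current_user and group-role membership. The role names, the map name appmap, the external user names and the columns of foo are all constructed for illustration, and the script is assumed to be run by a superuser.

```sql
-- Added illustration; all role, map and column names are constructed.
-- pg_ident.conf (format: MAPNAME SYSTEM-USERNAME PG-USERNAME), referenced from
-- a pg_hba.conf line with map=appmap (peer, ident, gssapi, sspi or cert auth):
--   appmap   john.smith   john
--   appmap   mary.jones   mary

-- Group roles carry the access rules; login roles are the mapped users.
CREATE ROLE accounting NOLOGIN;
CREATE ROLE hr NOLOGIN;
CREATE ROLE john LOGIN IN ROLE accounting;
CREATE ROLE mary LOGIN IN ROLE hr;

CREATE TABLE foo (
    id         serial PRIMARY KEY,
    owner_name text NOT NULL DEFAULT current_user,
    dept       text NOT NULL,
    payload    text
);
GRANT SELECT, INSERT ON foo TO accounting, hr;
GRANT USAGE ON SEQUENCE foo_id_seq TO accounting, hr;

-- With RLS enabled and no matching policy, non-owners see no rows at all.
ALTER TABLE foo ENABLE ROW LEVEL SECURITY;
-- The table owner bypasses RLS unless it is forced; superusers and
-- BYPASSRLS roles always bypass it, so the application must not use one.
ALTER TABLE foo FORCE ROW LEVEL SECURITY;

-- Every user may read and write rows recorded under their own role name.
CREATE POLICY foo_own ON foo
    USING (owner_name = current_user)
    WITH CHECK (owner_name = current_user);
-- Members of a group role may additionally read that department's rows.
CREATE POLICY foo_accounting ON foo FOR SELECT TO accounting
    USING (dept = 'accounting');
CREATE POLICY foo_hr ON foo FOR SELECT TO hr
    USING (dept = 'hr');

-- Seed rows as the superuser, then check the view from a mapped user.
INSERT INTO foo (owner_name, dept, payload) VALUES
    ('john', 'accounting', 'Q4 ledger'),
    ('mary', 'hr', 'salary review');

SET ROLE john;            -- current_user is now john
SELECT * FROM foo;        -- filtered by foo_own and foo_accounting
RESET ROLE;
```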