Re: Multi-tenancy with RLS - Mailing list pgsql-hackers

From Haribabu Kommi
Subject Re: Multi-tenancy with RLS
Date
Msg-id CAJrrPGdouhm22dtoPwbRfnKepEOUmrLdew1QQEbDvsK86nJhOA@mail.gmail.com
Whole thread Raw
In response to Multi-tenancy with RLS  (Haribabu Kommi <kommi.haribabu@gmail.com>)
Responses Re: Multi-tenancy with RLS
List pgsql-hackers
On Fri, Aug 14, 2015 at 12:00 PM, Haribabu Kommi
<kommi.haribabu@gmail.com> wrote:
>
> Here I attached the proof concept patch.

Here I attached an updated patch by adding policies to the most of the
system catalog tables, except the following.
AggregateRelationId

AccessMethodRelationId
AccessMethodOperatorRelationId
AccessMethodProcedureRelationId

AuthMemRelationId
CastRelationId
EnumRelationId
EventTriggerRelationId
ExtensionRelationId

LargeObjectRelationId
LargeObjectMetadataRelationId

PLTemplateRelationId
RangeRelationId
RewriteRelationId
TransformRelationId

TSConfigRelationId
TSConfigMapRelationId
TSDictionaryRelationId
TSParserRelationId
TSTemplateRelationId

Following catalog tables needs to create the policy based on the
class, so currently didn't added any policy for the same.

SecLabelRelationId
SharedDependRelationId
SharedDescriptionRelationId
SharedSecLabelRelationId


If any user is granted any permissions on that object then that user
can view it's meta data of that object from the catalog tables.
To check the permissions of the user on the object, instead of
checking each and every available option, I just added a new
privilege check option called "any". If user have any permissions on
the object, the corresponding permission check function returns
true. Patch attached for the same.

Any thoughts/comments?

Regards,
Hari Babu
Fujitsu Australia

Attachment

pgsql-hackers by date:

Previous
From: Amit Kapila
Date:
Subject: Re: Horizontal scalability/sharding
Next
From: Amit Langote
Date:
Subject: Re: Horizontal scalability/sharding