Re: Handling multiple clients access with views - Mailing list pgsql-sql

From Brice André
Subject Re: Handling multiple clients access with views
Date
Msg-id CAOBG12m=83SqNo3L88Mi3AMT+JUwPm-uLo3ykaieqnAM+hcm_g@mail.gmail.com
In response to Re: Handling multiple clients access with views  (bricklen <bricklen@gmail.com>)
List pgsql-sql
Thanks very much for that info.

From what I read, I think Veil will do the trick.

I already use ROLES, but there are a few problems with them:
   - first, as I mix the data from different users in the same table, ROLES do not solve the complete problem.
   - second, this forces me to use a dedicated postgresql connection for each user, which on a large accessed database, could be a big problem.

If what I read from Veil is exact, it allows determining access rules from SELECT statements, which is what I am currently performing with the "current_user()". A typical view in my system is declared like this:

CREATE VIEW "AgendaCurrentlyDisplayedReadableView" AS
    SELECT "AgendaAccessRights"."AgendaID" FROM "AgendaAccessRights"
    WHERE (("AgendaAccessRights"."ClientID" = (SELECT "Clients"."ID" FROM "Clients" WHERE "Clients"."Login" = "current_user"()))
        AND ("AgendaAccessRights"."IsDisplayed" = true));

My understanding is that Veil will allow me to perform stuff like that, but without using the "current_user()" stuff. And, if I still understand correctly, the Veil serialisation functions will allow me to quickly switch from one user to the other while keeping the same database connection.

Am I right or is there something I did not understand?

Second question: does Veil have a big impact on database performance?

Regards,

Brice

2011/10/25 bricklen <bricklen@gmail.com>
On Mon, Oct 24, 2011 at 8:50 PM, Craig Ringer <ringerc@ringerc.id.au> wrote:
>
> Declarative row-level security (row ownership) would be really nice...
> here's hoping the SELinux work can be extended to support a simpler,
> OS-agnostic non-SELinux-based row-level RBAC mechanism.
> --
> Craig Ringer

Veil might do what you mention above.

http://veil.projects.postgresql.org/curdocs/index.html

--
Sent via pgsql-sql mailing list (pgsql-sql@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-sql
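
An added example, not part of the original thread and not Veil code: it shows the view from the message filtering per user on a single connection by switching identity with PostgreSQL's standard SET ROLE, which changes current_user. The roles alice, bob and app_pool, the column types and all rows are constructed for illustration; the script is meant to be run by a superuser on a scratch database and rolls itself back.

```sql
BEGIN;

-- Constructed end-user roles; they cannot log in themselves.
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob   NOLOGIN;
-- Constructed pooled login role: a member of every end-user role, with
-- NOINHERIT so it holds none of their privileges until it issues SET ROLE.
CREATE ROLE app_pool LOGIN NOINHERIT IN ROLE alice, bob;

-- Table and column names follow the view in the message; types are assumed.
CREATE TABLE "Clients" (
    "ID"    integer PRIMARY KEY,
    "Login" text NOT NULL UNIQUE
);
CREATE TABLE "AgendaAccessRights" (
    "AgendaID"    integer NOT NULL,
    "ClientID"    integer NOT NULL REFERENCES "Clients" ("ID"),
    "IsDisplayed" boolean NOT NULL DEFAULT false
);
INSERT INTO "Clients" VALUES (1, 'alice'), (2, 'bob');
INSERT INTO "AgendaAccessRights" VALUES
    (10, 1, true), (11, 1, false), (20, 2, true);

CREATE VIEW "AgendaCurrentlyDisplayedReadableView" AS
    SELECT r."AgendaID"
    FROM "AgendaAccessRights" r
    WHERE r."ClientID" = (SELECT c."ID" FROM "Clients" c
                          WHERE c."Login" = current_user)
      AND r."IsDisplayed";

-- No grants on the base tables: they are read with the view owner's
-- privileges, while current_user inside the view is the calling role.
GRANT SELECT ON "AgendaCurrentlyDisplayedReadableView" TO alice, bob;

-- Same connection, first user: the filter resolves to alice's "Clients" row.
SET ROLE alice;
SELECT current_user, session_user, "AgendaID"
FROM "AgendaCurrentlyDisplayedReadableView";

-- Same connection, second user: the filter now resolves to bob's row.
SET ROLE bob;
SELECT current_user, session_user, "AgendaID"
FROM "AgendaCurrentlyDisplayedReadableView";

RESET ROLE;
ROLLBACK;
```

Any statement the client can send may also issue RESET ROLE or SET ROLE to another role the login role belongs to, so this separation holds only when the application, not the end user, composes the SQL. On PostgreSQL 9.2 and later, creating the view WITH (security_barrier) keeps user-supplied functions in an outer WHERE clause from being evaluated against rows the view filters out.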
