Thread: Re: Oracle Label Security/ Row Level Security on Postgresql
I am in the same boat, and I do not think SE-PG or the pending PG 9.1 will do what we want. I don't see where it provides per-user row filtering or column filtering as is possible with Oracle (well, certain Oracle editions and/or certain extra cost software). I think even in PG 9.1 you will need to use views or application layer logic to simulate Oracle's VPD and OLS. It's my understanding that if your business requires row level security, then in PG you actually need to install separate clusters.
Please correct me if I am mistaken, but I think SE-PG allows us to establish Mandatory Access Controls (MAC) for each operation for each object, such as creating an operating system group to explicitly names all users who can query table foo, and another group to define who can insert into foo. Of course it's more than just that, but no point giving too much detail here as people can read the docs. I think SE-PG is more like Trusted Oracle, which was abandoned by Oracle after version 7 because MAC simply didn't satisfy customer requirements. Trusted Oracle was replaced with a combination of OLS and Data Vault, both sold as add-ons to the Enterprise Edition. (According to the OLS and Data Vault presentations I have been to, neither product alone does all of what Trusted Oracle used to do, and Trusted Oracle didn't do all of the things OLS and DV do today, so we would be incorrect to think its one-for-one swap).
-Mark
-----Original Message-----
From: Jaime Casanova [mailto:jaime@2ndquadrant.com]
Sent: Thursday, March 10, 2011 12:52 AM
To: 'H S'
Cc: 'admin'
Subject: Re: [ADMIN] Oracle Label Security/ Row Level Security on Postgresql
On Mon, Mar 7, 2011 at 10:00 AM, H S wrote: > > We would like to implement Oracle Label Security or Row level security or associated concepts mechanism on PostgreSQL. for pg <= 9.0 you can try: http://wiki.postgresql.org/wiki/SEPostgreSQL part of this is now part of pg 9.1 (not yet released) as a contrib module -- Jaime Casanova www.2ndQuadrant.com Professional PostgreSQL: Soporte y capacitación de PostgreSQL -- Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-admin
"Mark Johnson" <mark@remingtondatabasesolutions.com> wrote: > I don't see where it provides per-user row filtering or column > filtering Did you look at veil? http://veil.projects.postgresql.org/curdocs/index.html (This was mentioned earlier, but the OP didn't respond to that.) -Kevin
* Mark Johnson (mark@remingtondatabasesolutions.com) wrote: > I am in the same boat, and I do not think SE-PG or the pending PG 9.1 will do what we want. I don't see where it providesper-user row filtering or column filtering as is possible with Oracle (well, certain Oracle editions and/or certainextra cost software). SE-PG had row-level filtering based off label, so if you gave every user a label, that'd work (though that's not how it's typically done). > I think even in PG 9.1 you will need to use views or application layer logic to simulate Oracle's VPD and OLS. It's myunderstanding that if your business requires row level security, then in PG you actually need to install separate clusters. It's going to depend on exactly what you need/want to have segregated. You need separate clusters if you want the list of users to be different, since those are stored at the cluster level. PG 9.1 won't be including any kind of RLS beyond 'traditional' function/view-based custom implementations. It's good to hear more people asking about this, however, as RLS is definitely something I'd like to see get in to a release of PG in the future, and one of the definite push-backs is lack of user demand. > Please correct me if I am mistaken, but I think SE-PG allows us to establish Mandatory Access Controls (MAC) for each operationfor each object, such as creating an operating system group to explicitly names all users who can query table foo,and another group to define who can insert into foo. You don't need to define Unix groups.. It is label-based and is tied into the kernel's ideas about what labels exist though. Certainly, for PG, we would like to have both stand-alone RLS and RLS which is backed by MAC/SELinux. Thanks, Stephen
Attachment
Kevin, What did you mean by "OP"? Did you look at veil? http://veil.projects.postgresql.org/curdocs/index.html (This was mentioned earlier, but the OP didn't respond to that.) Thanks, Sara --- On Thu, 3/10/11, Kevin Grittner <Kevin.Grittner@wicourts.gov> wrote:
|
On Mon, 2011-03-14 at 20:04 -0700, H S wrote: > Kevin, > > What did you mean by "OP"? It means "Original Poster" -- PostgreSQL.org Major Contributor Command Prompt, Inc: http://www.commandprompt.com/ - 509.416.6579 Consulting, Training, Support, Custom Development, Engineering http://twitter.com/cmdpromptinc | http://identi.ca/commandprompt