Re: [HACKERS] RLS Design

Wed, 02 Jul 2014 22:15:29 -0700 

Robert, all,

* Robert Haas (robertmh...@gmail.com) wrote:
> I think we're converging, but it might be a good idea to summarize a
> specific proposal before you start implementing.

Alright, apologies for it being a bit later than intended, but here's
what I've come up with thus far.

-- policies defined at a table scope
-- allows using the same policy name for different tables 
-- with quals appropriate for each table
ALTER TABLE t1 ADD POLICY p1 USING p1_quals;
ALTER TABLE t1 ADD POLICY p2 USING p2_quals;

-- used to drop a policy definition from a table
ALTER TABLE t1 DROP POLICY p1;

-- cascade required when references exist for the policy
-- from roles
ALTER TABLE t1 DROP POLICY p1 CASCADE;

ALTER TABLE t1 ALTER POLICY p1 USING new_quals;

-- Controls if any RLS is applied to this table or not
-- If enabled, all users must access through some policy
ALTER TABLE table_name [ NO ] ROW LEVEL SECURITY;

-- Associates roles to policies
ALTER TABLE table_name GRANT ROW ACCESS TO role_name USING p1;
ALTER TABLE table_name REVOKE ROW ACCESS FROM role_name USING p1;

-- "all" provides a policy which equates to full access (eg: 'true' or
-- 'direct' access).  Used to explicitly state when RLS can be bypassed 
-- and therefore a GUC can be set which says "bypass-RLS-or-error" and
-- not have an error if this policy is granted to the role.
ALTER TABLE table_name GRANT ROW ACCESS TO role_name USING all;

-- Per-command-type control
ALTER TABLE table_name GRANT SELECT ROW ACCESS TO role_name USING all;
ALTER TABLE table_name GRANT UPDATE ROW ACCESS TO role_name USING all;

Policies for a table are checked against pg_has_role() and all which 
apply are OR'd together.

Added to pg_class:

relrlsenabled boolean

pg_rowsecurity
  oid          oid
  rlsrel       oid
  rlspol       name
  rlsquals     text
  rlsacls      aclitem[]..? cmdtype(s) + role 

If relrlsenabled then scan pg_rowsecurity for the policies associated
with the table, testing each to see if any apply for the current role
based on pg_has_role() against the aclitem array.  Any which apply are
added and OR'd together.

Thoughts?

        Thanks,

                Stephen

Attachment: signature.asc
Description: Digital signature

Reply via email to