组的行级安全性或使行可访问组
Row level security for groups or Making rows accebile to groups
我希望 table 中的行仅供组成员访问。我通过以下方法创建用户并将他们添加到组中,
CREATE USER abc LOGIN PASSWORD 'securedpassword1';
CREATE USER xyz LOGIN PASSWORD 'securedpassword2';
ALTER GROUP permanent ADD USER abc;
然后我写的策略只允许当前用户访问。但我需要整个组才能访问它。
CREATE TABLE table_Workers
(
worID INT
,worName CHARACTER VARYING
,pgUser CHARACTER VARYING
);
INSERT INTO table_Workers VALUES
(1,'Jason','abc'),(2,'Roy','abc'),(3,'Johny','abc')
,(4,'Jane','xyz'),(5,'Kane','xyz'),(6,'Stuart','xyz');
CREATE POLICY policy_employee_user ON table_Workers FOR ALL
TO PUBLIC USING (pgUser = current_user);
ALTER TABLE table_Workers ENABLE ROW LEVEL SECURITY;
pgUser 命名可以访问该行的用户。我希望用 pgRole 替换 pgUser 列,其中提到了组的名称,其成员可以访问该特定行。感谢任何提示或方法使整个组都可以访问行。
db=# create table rls(i int);
CREATE TABLE
Time: 189.439 ms
db=# alter table rls enable row level security ;
ALTER TABLE
Time: 12.725 ms
db=# insert into rls values(1);
INSERT 0 1
Time: 13.241 ms
db=# create user member;
CREATE ROLE
Time: 11.882 ms
db=# create role rls_r;
CREATE ROLE
Time: 9.378 ms
db=# grant rls_r to member ;
GRANT ROLE
Time: 5.704 ms
db=# CREATE POLICY p ON rls FOR ALL TO PUBLIC USING ((select count(*)=1 from pg_auth_members where member = current_user::regrole));
CREATE POLICY
Time: 32.471 ms
正在检查:
db=# set role ro ;
SET
Time: 0.350 ms
db=> select * from rls;
i
---
(0 rows)
Time: 9.801 ms
db=> set role member;
SET
Time: 0.494 ms
db=> select * from rls;
i
---
1
(1 row)
Time: 0.694 ms
似乎有效...
为什么这样规定?
还记得 Member of 当你 du role 时在 psql 中使用数组吗?.. 所以只是:
MacBook-Air:~ vao$ psql db -E
Timing is on.
Pager usage is off.
psql (9.6.1)
Type "help" for help.
db=# \du ro
********* QUERY **********
SELECT r.rolname, r.rolsuper, r.rolinherit,
r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
r.rolconnlimit, r.rolvaliduntil,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
, r.rolreplication
, r.rolbypassrls
FROM pg_catalog.pg_roles r
WHERE r.rolname ~ '^(ro)$'
ORDER BY 1;
**************************
List of roles
Role name | Attributes | Member of
-----------+--------------+-----------
ro | Cannot login | {}
您会看到所需的查询
这似乎有效:
CREATE TABLE workers
(
worid int,
worname text,
pgrole text[]
);
INSERT INTO workers
VALUES
(1,'Jason','{group1}'),
(2,'Roy','{group1,group2}'),
(3,'Johny','{group1}');
CREATE POLICY policy_employee_user ON workers FOR ALL
TO PUBLIC
USING ( (select count(*)
from unnest(pgrole) r
where pg_has_role(current_user, r, 'MEMBER')) > 0 );
ALTER TABLE workers ENABLE ROW LEVEL SECURITY;
我希望 table 中的行仅供组成员访问。我通过以下方法创建用户并将他们添加到组中,
CREATE USER abc LOGIN PASSWORD 'securedpassword1';
CREATE USER xyz LOGIN PASSWORD 'securedpassword2';
ALTER GROUP permanent ADD USER abc;
然后我写的策略只允许当前用户访问。但我需要整个组才能访问它。
CREATE TABLE table_Workers
(
worID INT
,worName CHARACTER VARYING
,pgUser CHARACTER VARYING
);
INSERT INTO table_Workers VALUES
(1,'Jason','abc'),(2,'Roy','abc'),(3,'Johny','abc')
,(4,'Jane','xyz'),(5,'Kane','xyz'),(6,'Stuart','xyz');
CREATE POLICY policy_employee_user ON table_Workers FOR ALL
TO PUBLIC USING (pgUser = current_user);
ALTER TABLE table_Workers ENABLE ROW LEVEL SECURITY;
pgUser 命名可以访问该行的用户。我希望用 pgRole 替换 pgUser 列,其中提到了组的名称,其成员可以访问该特定行。感谢任何提示或方法使整个组都可以访问行。
db=# create table rls(i int);
CREATE TABLE
Time: 189.439 ms
db=# alter table rls enable row level security ;
ALTER TABLE
Time: 12.725 ms
db=# insert into rls values(1);
INSERT 0 1
Time: 13.241 ms
db=# create user member;
CREATE ROLE
Time: 11.882 ms
db=# create role rls_r;
CREATE ROLE
Time: 9.378 ms
db=# grant rls_r to member ;
GRANT ROLE
Time: 5.704 ms
db=# CREATE POLICY p ON rls FOR ALL TO PUBLIC USING ((select count(*)=1 from pg_auth_members where member = current_user::regrole));
CREATE POLICY
Time: 32.471 ms
正在检查:
db=# set role ro ;
SET
Time: 0.350 ms
db=> select * from rls;
i
---
(0 rows)
Time: 9.801 ms
db=> set role member;
SET
Time: 0.494 ms
db=> select * from rls;
i
---
1
(1 row)
Time: 0.694 ms
似乎有效...
为什么这样规定?
还记得 Member of 当你 du role 时在 psql 中使用数组吗?.. 所以只是:
MacBook-Air:~ vao$ psql db -E
Timing is on.
Pager usage is off.
psql (9.6.1)
Type "help" for help.
db=# \du ro
********* QUERY **********
SELECT r.rolname, r.rolsuper, r.rolinherit,
r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
r.rolconnlimit, r.rolvaliduntil,
ARRAY(SELECT b.rolname
FROM pg_catalog.pg_auth_members m
JOIN pg_catalog.pg_roles b ON (m.roleid = b.oid)
WHERE m.member = r.oid) as memberof
, r.rolreplication
, r.rolbypassrls
FROM pg_catalog.pg_roles r
WHERE r.rolname ~ '^(ro)$'
ORDER BY 1;
**************************
List of roles
Role name | Attributes | Member of
-----------+--------------+-----------
ro | Cannot login | {}
您会看到所需的查询
这似乎有效:
CREATE TABLE workers
(
worid int,
worname text,
pgrole text[]
);
INSERT INTO workers
VALUES
(1,'Jason','{group1}'),
(2,'Roy','{group1,group2}'),
(3,'Johny','{group1}');
CREATE POLICY policy_employee_user ON workers FOR ALL
TO PUBLIC
USING ( (select count(*)
from unnest(pgrole) r
where pg_has_role(current_user, r, 'MEMBER')) > 0 );
ALTER TABLE workers ENABLE ROW LEVEL SECURITY;