[YSQL] Support row level security (RLS) as per Postgres #1870

Closed
shrumm opened this issue Jul 22, 2019 · 1 comment

shrumm commented Jul 22, 2019

About the feature

Row level security in PostgreSQL allows the DBA to set 'row security policies that restrict, on a per-user basis, which rows can be returned by normal queries or inserted, updated, or deleted by data modification commands.'

Use case

Many use cases come to mind, but for multi-tenant SaaS apps this is a critical feature. It allows the app to store data of multiple clients in the same table and greatly minimizes/eliminates the chance of interference.

The feature is described very well in the PostgreSQL docs -> https://www.postgresql.org/docs/11/ddl-rowsecurity.html. Other RDBMSs like SQL Server, Oracle, etc. also support it and most likely in more advanced forms.

The order is pretty simple:

A policy is created for a table using syntax like

```sql
CREATE POLICY user_sel_policy ON users
    FOR SELECT
    USING (true);
CREATE POLICY user_mod_policy ON users
    USING (user_name = current_user);
```

then the table must be altered to enable RLS like so

```sql
ALTER TABLE ... ENABLE ROW LEVEL SECURITY
```

now the user / session MUST match the policy of the table to be permitted to see rows / modify data.
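
The multi-tenant use case described above, as an added example that is not part of the original issue or of the project's code. It is written against the PostgreSQL 11 semantics in the linked docs; the table, role, policy and `app.tenant_id` setting names are hypothetical, and identical behaviour of every statement in YSQL is an assumption.

```sql
-- Constructed schema and data; all object names are hypothetical.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE invoices (
    id        bigint  PRIMARY KEY,
    tenant_id text    NOT NULL,
    amount    numeric NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;

-- Seed rows are inserted before RLS is enabled, by the table owner.
INSERT INTO invoices VALUES (1, 'acme', 100), (2, 'globex', 250);

-- USING filters which existing rows a statement can see or touch.
-- WITH CHECK validates rows being written, so a tenant cannot
-- insert or update a row into another tenant's id.
CREATE POLICY tenant_isolation ON invoices
    USING      (tenant_id = current_setting('app.tenant_id', true))
    WITH CHECK (tenant_id = current_setting('app.tenant_id', true));

-- Without this, the policy exists but is never applied.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;

-- In PostgreSQL the table owner is exempt from policies unless FORCE
-- is set; superusers and BYPASSRLS roles are exempt either way.
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- Run the remaining statements as the unprivileged application role.
SET ROLE app_user;

-- No tenant set: current_setting(..., true) yields NULL, the policy
-- predicate is not true for any row, so the default is deny.
SELECT count(*) FROM invoices;

-- The application's connection code pins the tenant for the session.
SET app.tenant_id = 'acme';

-- Only rows whose tenant_id matches the session setting are visible.
SELECT id, tenant_id, amount FROM invoices;

-- Cross-tenant write: the new row fails WITH CHECK and is rejected.
INSERT INTO invoices VALUES (3, 'globex', 999);

-- Cross-tenant update: row 2 is filtered out by USING, so the
-- statement matches no rows instead of modifying another tenant.
UPDATE invoices SET amount = 0 WHERE id = 2;

RESET ROLE;
```

Because any session can issue `SET app.tenant_id`, this pattern isolates tenants only when the setting is assigned by trusted connection-handling code and never from client-supplied SQL.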

@yugabyte-ci yugabyte-ci added the community/request Issues created by external users label Jul 22, 2019
@ndeodhar ndeodhar self-assigned this Jul 22, 2019
@ndeodhar ndeodhar added this to To do in YSQL via automation Jul 22, 2019
@ndeodhar ndeodhar added this to the v2.0 milestone Jul 22, 2019
@rkarthik007 rkarthik007 added the area/ysql Yugabyte SQL (YSQL) label Jul 23, 2019
@ttyusupov ttyusupov added the kind/enhancement This is an enhancement of an existing feature label Jul 30, 2019
@ndeodhar ndeodhar assigned OlegLoginov and unassigned ndeodhar Sep 19, 2019
@ndeodhar ndeodhar assigned d-uspenskiy and unassigned OlegLoginov Oct 23, 2019
@d-uspenskiy d-uspenskiy moved this from To do to In progress in YSQL Nov 6, 2019
d-uspenskiy added a commit that referenced this issue Nov 18, 2019
Summary:
1. Commands related to RLS feature were enabled (as beta feature):
- CREATE/ALTER/DROP POLICY
- ALTER TABLE ... ENABLE/DISABLE ROW LEVEL SECURITY

2. RLS check was added in case of row update (in `ExecUpdate` function)
3. postgres regress unit test `rowsecurity.sql` was adopted as `yb_pg_rowsecurity.sql`

Test Plan:
New set of postgres regress tests was adopted to YB
```
ybb --java-test org.yb.pgsql.TestPgRegressAuthorization
```

Reviewers: mihnea, neil, neha

Reviewed By: neil, neha

Subscribers: kannan, yql

Differential Revision: https://phabricator.dev.yugabyte.com/D7522
@kmuthukk
Collaborator

Implemented as part of d87ecbc and available in 2.0.6.

YSQL automation moved this from In progress to Done Nov 26, 2019