Darin,

* Darin Gordon (darinc@xxxxxxxxx) wrote:
> I'm trying to understand the extent that row level security in postgresql
> 9.5 may replace, or augment, application-level access control.

Neat!

> I have a fully implemented application-level access control policy. It's
> not clear to me how I will integrate or replace it with RLS.

There's not very much information to go on here but there's a couple of different ways to either integrate or replace what you have at the application level with a combination of the PostgreSQL GRANT and POLICY systems.

> Craig Ringer mentioned in a blog post:
> "Most importantly, row-security is pluggable – in addition to looking
> policies up from the system catalogs, it’s also possible to use a policy
> hook to supply arbitrary policy from extensions. "
>
> It seems that my options will be to record authorization into the catalog
> or write an extension?

It's not entirely clear to me what else you'd do, but perhaps I can help clarify by explaining what is meant by "looking policies up from the system catalogs". Those are policies which are implemented using the new CREATE POLICY command available in 9.5. Those policies can be either specific (such as to a particular user or role) or generic (by looking up the current role using a table, or using the currently logged in user, and then looking up if the current record is allowed to be seen or operated on by the user in another table).

More insight into what your current system looks like and what the requirements are would help move this discussion from high-level generalities to specific analysis of your use-case.

Thanks!

Stephen
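The two kinds of catalog policy described in the message above, shown as an added example that is not part of the original thread: one policy tied to a named role, and generic policies that resolve access per row from `current_user` and a lookup table. All role, table, column and policy names are hypothetical.

```sql
-- Added example; all role, table, column and policy names are hypothetical.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;
CREATE ROLE auditor LOGIN;

CREATE TABLE documents (
    id    serial PRIMARY KEY,
    owner name NOT NULL DEFAULT current_user,
    body  text NOT NULL
);

-- Lookup table consulted by the generic policies below.
CREATE TABLE document_acl (
    document_id integer NOT NULL REFERENCES documents (id) ON DELETE CASCADE,
    grantee     name    NOT NULL,
    can_write   boolean NOT NULL DEFAULT false,
    PRIMARY KEY (document_id, grantee)
);

-- GRANT decides which commands a role may run at all; policies then filter rows.
GRANT SELECT, INSERT, UPDATE ON documents TO alice, bob;
GRANT USAGE ON SEQUENCE documents_id_seq TO alice, bob;
GRANT SELECT ON documents TO auditor;
-- Policy subqueries run with the caller's privileges, so callers need SELECT here.
GRANT SELECT ON document_acl TO alice, bob;

-- Once enabled, rows are denied by default for everyone except superusers,
-- BYPASSRLS roles and the table owner.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;

-- Specific policy: tied to one named role.
CREATE POLICY auditor_read ON documents FOR SELECT TO auditor USING (true);

-- Generic policies: resolved per row from current_user and the lookup table.
CREATE POLICY acl_read ON documents FOR SELECT TO alice, bob
    USING (owner = current_user
           OR EXISTS (SELECT 1 FROM document_acl a
                      WHERE a.document_id = documents.id
                        AND a.grantee = current_user));

CREATE POLICY owner_insert ON documents FOR INSERT TO alice, bob
    WITH CHECK (owner = current_user);

-- With no WITH CHECK clause, the USING expression is also applied to the new row.
CREATE POLICY acl_write ON documents FOR UPDATE TO alice, bob
    USING (owner = current_user
           OR EXISTS (SELECT 1 FROM document_acl a
                      WHERE a.document_id = documents.id
                        AND a.grantee = current_user AND a.can_write));
```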