Difference between revisions of "Postgres Access Control"

From UVOO Tech Wiki
Jump to navigation Jump to search
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
# Guide
 +
- https://satoricyber.com/postgres-security/postgres-row-level-security/
 +
```
 +
USING statements are used to check existing table rows for the policy expression. WITH CHECK statements are used to check new rows.
 +
```
 +
 
# Setup test database and tables
 
# Setup test database and tables
 
```
 
```
Line 41: Line 47:
 
ALTER USER postgres SET search_path = tester, public;
 
ALTER USER postgres SET search_path = tester, public;
 
SELECT * from information_schema.schemata;
 
SELECT * from information_schema.schemata;
 +
\dn
 
```
 
```
  

Latest revision as of 13:48, 30 April 2023

Guide

USING statements are used to check existing table rows for the policy expression. WITH CHECK statements are used to check new rows.

Setup test database and tables

CREATE DATABASE test_database;
\c test_database

CREATE TABLE contacts(
    name TEXT NOT NULL,
    rls_role text DEFAULT current_user
);
create role joe1;
create role joe2;
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts to joe1,joe2;
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
CREATE POLICY public_contacts_rls_policy ON public.contacts USING (rls_role=current_user);



set role joe1
insert into contacts (name) values ('joe1 1');
insert into contacts (name) values ('joe1 2');
select * from contacts;

set role joe2
insert into contacts (name) values ('joe2 1');
insert into contacts (name) values ('joe2 2');
select * from contacts;
update contacts set name = 'joe2 1 updated' where name ='joe2 1'
delete * from contacts;

Disable temporarily

ALTER TABLE contacts DISABLE ROW LEVEL SECURITY;
... do stuff
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;

Use different schema then default public

CREATE SCHEMA test_schema;
ALTER USER postgres SET search_path = tester, public;
SELECT * from information_schema.schemata;
\dn

PG Bouncer

https://www.pgbouncer.org/usage.html

Users

unode=# create role someuser;
CREATE ROLE
unode=# create role someadmin;
CREATE ROLE
unode=# ALTER ROLE someadmin WITH PASSWORD 'test';
ALTER ROLE
unode=# ALTER ROLE someuser WITH PASSWORD 'test';
ALTER ROLE
unode=# ALTER ROLE someuser WITH login;
ALTER ROLE
unode=# ALTER ROLE someadmin WITH login SUPERUSER;
ALTER ROLE

Refs