Jul*_*ien 7 postgresql database-design user-management row-level-security grant
比方说,我有一个users表有三列,public_data,private_data,和system_data,和我有一个名为三个角色postgres,authenticated_user和visitor.
postgres是超级用户,可以访问所有数据(system_data当然包括)
authenticated_user应该能够访问每个用户public_data,他们自己private_data,但不是system_data
visitor 只能访问每个用户 public_data
如何设置表格,角色,授权和策略以完成上述操作?
这实际上并不是一个声明性的行安全问题,因为听起来您想要返回所有行,但根据当前用户显示不同的列值
根据您的评论,您可以接受每种用户类型的不同查询。case我没有找到使用声明的方法private_data
create table users (
id int primary key,
owner name not null,
public_data text,
private_data text,
system_data text
);
--these should probably be groups, not users:
create user visitor;
create user authenticated_user;
grant visitor to authenticated_user; -- will inherit visitors permissions
grant select(id, owner, public_data) on users to visitor;
grant select(private_data) on users to authenticated_user;
insert into users (id, owner, public_data, private_data, system_data) values (1, 'visitor', 'public', 'private to visitor', 'system');
insert into users (id, owner, public_data, private_data, system_data) values (2, 'authenticated_user', 'public', 'private to authenticated_user', 'system');
set role visitor;
select id, owner, public_data from users;
set role authenticated_user;
select id, owner, public_data, case when owner=current_user then private_data else null end as private_data from users;
set role postgres;
select * from users;