【转】：PostgreSQL 9.5新功能 RLS行级安全策略详解__PostgreSQL 9.5新功能 RLS行级安全策略详解_

PG中文社区 /

mdi-home

首页

社区新闻

中文文档

加入ACE

mdi-home

首页

mdi-chat-processing

社区新闻

mdi-book-open-variant

中文文档

mdi-account-multiple-check

加入ACE

mdi-file-multiple-outline

相关资料

mdi-blank

mdi-exit-to-app

退出账号

【转】：PostgreSQL 9.5新功能 RLS行级安全策略详解

原作者：谭峰　　创作时间：2016-01-10 17:57:25+08　　

doudou586 发布于2016-01-12 17:57:25　　

评论: 2　　

顶: 3213　

踩: 3072　

本文转自社区谭峰(francs)的博客，原文地址：

"Row-Level Security (RLS) support" 是9.5版本的主要特性之一，提供了基于行的安全策略，限制数据库用户的查看表数据权限，先来看以下例子。

创建测试表，插入测试数据

fdb=> create table test_row(id serial primary key, username text, log_event text, create_time timestamp(0) without time zone default clock_timestamp());
CREATE TABLE

fdb=> insert into test_row(username,log_event) values('user1','user1:aaa');
INSERT 0 1
fdb=> insert into test_row(username,log_event) values('user1','user1:aadsfdfa');
INSERT 0 1
fdb=> insert into test_row(username,log_event) values('user2','user2:aadsfdfa');
INSERT 0 1
fdb=> insert into test_row(username,log_event) values('user2','user2:test');
INSERT 0 1
fdb=> insert into test_row(username,log_event) values('user3','user3:test3');
INSERT 0 1
fdb=> insert into test_row(username,log_event) values('user3','user3:test3333');
INSERT 0 1
fdb=> insert into test_row(username,log_event) values('user4','user4:test3333');
INSERT 0 1

创建 user1,user2,user3 测试用户

[pg95@db1 ~]$ psql fdb
psql (9.5alpha1)
Type "help" for help.

fdb=# create role user1 with login;
CREATE ROLE
fdb=# create role user2 with login;
CREATE ROLE
fdb=# create role user3 with login;
CREATE ROLE

fdb=> grant select on test_row to user1,user2,user3;
GRANT

fdb=> grant usage on schema fdb to user1,user2,user3;
GRANT

以 user1 登陆可以查询全部数据

fdb=> \c fdb user1
You are now connected to database "fdb" as user "user1".

fdb=> select * from fdb.test_row;
id | username | log_event | create_time
----+----------+----------------+---------------------
1 | user1 | user1:aaa | 2015-07-30 14:48:49
2 | user1 | user1:aadsfdfa | 2015-07-30 14:48:54
3 | user2 | user2:aadsfdfa | 2015-07-30 14:48:59
4 | user2 | user2:test | 2015-07-30 14:49:06
5 | user3 | user3:test3 | 2015-07-30 14:49:15
6 | user3 | user3:test3333 | 2015-07-30 14:49:24
7 | user4 | user4:test3333 | 2015-07-30 14:49:29
(7 rows)

备注：之前版本只要给数据库用户赋予 SELECT 权限，那么用户可以查看全表数据。

给表添加 policy

[pg95@db1 ~]$ psql fdb fdb
psql (9.5alpha1)
Type "help" for help.

fdb=> CREATE POLICY policy_test_row ON test_row
fdb-> FOR SELECT
fdb-> TO PUBLIC
fdb-> USING (username = current_user);
CREATE POLICY

fdb=> select relname,relrowsecurity from pg_class where relname='test_row';
relname | relrowsecurity
----------+----------------
test_row | f
(1 row)

fdb=> ALTER TABLE test_row ENABLE ROW LEVEL SECURITY;
ALTER TABLE

fdb=> select relname,relrowsecurity from pg_class where relname='test_row';
relname | relrowsecurity
----------+----------------
test_row | t
(1 row)

备注：给表 test_row 添加 policy ，限制数据库登陆用户仅允许查看当前用户的日志记录。

测试
user1 用户登陆

fdb=> \c fdb user1
You are now connected to database "fdb" as user "user1".

fdb=> select * from fdb.test_row;
id | username | log_event | create_time
----+----------+----------------+---------------------
1 | user1 | user1:aaa | 2015-07-30 14:48:49
2 | user1 | user1:aadsfdfa | 2015-07-30 14:48:54
(2 rows)

user2 用户登陆

fdb=> \c fdb user2
You are now connected to database "fdb" as user "user2".

fdb=> select * from fdb.test_row;
id | username | log_event | create_time
----+----------+----------------+---------------------
3 | user2 | user2:aadsfdfa | 2015-07-30 14:48:59
4 | user2 | user2:test | 2015-07-30 14:49:06
(2 rows)

备注：user1 用户仅能查看 username 值为 'user1' 的记录，user2 用户仅能查看 username 值为 'user2' 的记录。

参考:
Waiting for 9.5 – Row-Level Security Policies (RLS)
CREATE POLICY

评论:2　　

顶: 3213　

踩: 3072　

请在登录后发表评论，否则无法保存。

1# __ xiaowu 回答于 2024-04-21 07:35:15+08

感谢老师的话简短:https://www.nanss.com/yulu/601.html 夺冠观后感:https://www.nanss.com/xuexi/720.html 学生励志语录:https://www.nanss.com/xuexi/1060.html 安全文章:https://www.nanss.com/yuedu/762.html 最佳网名大全:https://www.nanss.com/mingcheng/608.html 简单干净的英文网名:https://www.nanss.com/mingcheng/912.html 超甜的情侣名一人一半:https://www.nanss.com/mingcheng/1464.html 网络好听的名字:https://www.nanss.com/mingcheng/1476.html 女人吉祥好运微信名字两个字:https://www.nanss.com/mingcheng/1452.html 男朋友的昵称:https://www.nanss.com/mingcheng/778.html 霸气微信名:https://www.nanss.com/mingcheng/802.html 回复别人夸赞自己的句子:https://www.nanss.com/yulu/579.html 炫舞名字:https://www.nanss.com/mingcheng/1026.html 2022最霸气的网名:https://www.nanss.com/mingcheng/1487.html 最美的qq网名:https://www.nanss.com/mingcheng/1417.html 科学小知识:https://www.nanss.com/shenghuo/625.html 男生吃鸡名字吸引妹子:https://www.nanss.com/mingcheng/622.html 比较甜美的网名:https://www.nanss.com/mingcheng/1202.html 每日分享励志的一句话:https://www.nanss.com/yulu/1072.html 经典人生励志格言:https://www.nanss.com/xuexi/1320.html 情侣q名:https://www.nanss.com/mingcheng/1428.html 伤感繁体字网名:https://www.nanss.com/mingcheng/1466.html 小确幸的美好句子:https://www.nanss.com/yulu/1056.html 失望的网名女:https://www.nanss.com/mingcheng/777.html 独特的微信名字英文:https://www.nanss.com/mingcheng/975.html 月亮配一句话朋友圈:https://www.nanss.com/wenan/1019.html 我已不是原来的我说说:https://www.nanss.com/wenan/1497.html 母亲鼓励孩子简短句子:https://www.nanss.com/yulu/1029.html 佛语禅心:https://www.nanss.com/yulu/790.html 好看的情侣名:https://www.nanss.com/mingcheng/1164.html

2# __ GUEST 回答于 2016-01-15 20:03:06+08