From: | Brice André <brice(at)famille-andre(dot)be> |
---|---|
To: | "pgsql-sql(at)postgresql(dot)org" <pgsql-sql(at)postgresql(dot)org> |
Subject: | Re: Handling mutliple clients access with views |
Date: | 2011-10-25 06:02:19 |
Message-ID: | CAOBG12m=83SqNo3L88Mi3AMT+JUwPm-uLo3ykaieqnAM+hcm_g@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-sql |
Thanks very much for those info.
From what I read, I think Veil will do the trick.
I already use ROLES, but there are a few probems with them :
- first, as I mix the data from different users in the same table, ROLES
do not solve the complete problem.
- second, this forces me to use a dedicated postgresql connection for
each user, which on a large accessed database, could be a big problem.
If what I read from Veil is exact, it allows determining access rules from
SELECT statements, which is what I am currently performing with the
"current_user()". A typical view in my system is declared like this :
CREATE VIEW "AgendaCurrentlyDisplayedReadableView" AS
SELECT "AgendaAccessRights"."AgendaID" FROM "AgendaAccessRights" WHERE
(("AgendaAccessRights"."ClientID" = (SELECT "Clients"."ID" FROM "Clients"
WHERE "Clients"."Login" = "current_user"())) AND
("AgendaAccessRights"."IsDisplayed" = true));
My understanding is that veil will allow me to perform stuff like that, but
without using the "current_user()" stuff. And, if I still understand
correctly, the Veil serialisation functions will allow me to quickly switch
from one user to the other with keeping the same database connection.
Am I right or is there something I did not understood ?
Second question : does Veil has a big impact on database performances ?
Regards,
Brice
2011/10/25 bricklen <bricklen(at)gmail(dot)com>
> On Mon, Oct 24, 2011 at 8:50 PM, Craig Ringer <ringerc(at)ringerc(dot)id(dot)au>
> wrote:
> >
> > Declarative row-level security (row ownership) would be really nice...
> > here's hoping the SELinux work can be extended to support a simpler,
> > OS-agnostic non-SELinux-based row-level RBAC mechanism.
> > --
> > Craig Ringer
>
> Veil might do what you mention above.
>
> http://veil.projects.postgresql.org/curdocs/index.html
>
> --
> Sent via pgsql-sql mailing list (pgsql-sql(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-sql
>
From | Date | Subject | |
---|---|---|---|
Next Message | Craig Ringer | 2011-10-25 07:59:52 | Re: How to write sql to access another odbc source. |
Previous Message | bricklen | 2011-10-25 03:52:56 | Re: Handling mutliple clients access with views |