我试图在我的PostgreSQL 14上应用RLS。但它似乎不起作用。这是我的SQL(我在PgAdmin4上运行它(:
CREATE TABLE IF NOT EXISTS public.employee
(
tenant_id character varying(255) NOT NULL,
username character varying(255) NOT NULL,
CONSTRAINT employee_pkey PRIMARY KEY (username)
)
ALTER TABLE IF EXISTS employee
OWNER to postgres;
ALTER TABLE IF EXISTS employee
ENABLE ROW LEVEL SECURITY;
CREATE POLICY employee_tenant_isolation_policy
ON employee
AS PERMISSIVE
FOR ALL
TO public
USING (((tenant_id)::text = ((current_setting('app.tenant_id'::text))::character varying)::text));
我还必须插入数据:
INSERT INTO public.employee(
tenant_id, username)
VALUES ('tenant1', 'tenant1');
INSERT INTO public.employee(
tenant_id, username)
VALUES ('tenant2', 'tenant2');
正如您所看到的,我已经启用了RLS并创建了策略。但是,当我尝试这个查询时:
SET app.tenant_id to 'tenant1';
SELECT * FROM employee;
我得到了两个值(tenant1和tenant2(。我希望它只返回值为"tenant1"的行。
有什么想法吗?
谢谢。
根据文档,超级用户绕过RLS:
具有BYPASSRLS属性的超级用户和角色在访问表时总是绕过行安全系统。表所有者通常也会绕过行安全性,尽管表所有者可以选择使用ALTER Table。。。强制行级安全。
如果你创建了一个非超级用户,你应该能够看到过滤:
edb=# create user foobar with login;
CREATE ROLE
edb=# grant select on employee to foobar;
GRANT
edb=# c edb foobar;
You are now connected to database "edb" as user "foobar".
edb=> SET app.tenant_id to 'tenant1';
SET
edb=> select * from employee ;
tenant_id | username
-----------+----------
tenant1 | tenant1
(1 row)