Row Level Security
In this talk we examine the use cases of Row Level Security (RLS) which was introduced in PostgreSQL 9.5.
In traditional applications, it is very common to find a lot of access control code residing inside the application layer: the application connects to the database as a single database user while multiplexing many application users. That database user typically has more rights than any application user, so the application is responsible for restricting each application user's rights. This approach requires developers to constantly add access control logic for new features, and even experienced developers make mistakes that can lead to security vulnerabilities.
Using RLS, the majority (if not all) of the access control logic can be moved from the application layer to the database layer, such that authentication and access control are both done in the database. This means that you could essentially grant users freeform SQL access, since the database takes care of access control. This is especially useful in multi-tenant databases. Developers are now free to focus on the business logic, without having to maintain large chunks of access control code.
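As an added illustration of the approach described above (example SQL written for this page, not taken from the talk), a multi-tenant table whose tenants are PostgreSQL roles, so the database decides which rows a connection may read or write; the table, the role names acme and globex, and the policy name are assumptions:

```sql
-- Constructed example: one table shared by several tenants, where each
-- tenant authenticates as its own database role.
CREATE TABLE documents (
    id      serial PRIMARY KEY,
    tenant  name NOT NULL DEFAULT current_user,  -- owning database role
    title   text NOT NULL,
    body    text
);

-- Application users connect as their own roles (assumed names).
CREATE ROLE acme LOGIN;
CREATE ROLE globex LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO acme, globex;
GRANT USAGE ON SEQUENCE documents_id_seq TO acme, globex;

-- With RLS enabled and no policy yet, non-owners see no rows at all
-- (default deny). FORCE additionally applies the policies to the table
-- owner, which matters if the application itself connects as the owner.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- USING filters the rows a role may read, update or delete; WITH CHECK
-- rejects INSERTs and UPDATEs that would create a row the role could not
-- see, so a tenant cannot write rows into another tenant's partition.
CREATE POLICY tenant_isolation ON documents
    FOR ALL
    TO acme, globex
    USING (tenant = current_user)
    WITH CHECK (tenant = current_user);

-- Check: as acme, freeform SQL still only reaches acme's rows.
SET ROLE acme;
INSERT INTO documents (title, body) VALUES ('q3 plan', 'draft');
INSERT INTO documents (tenant, title) VALUES ('globex', 'spoof');
--   ERROR: new row violates row-level security policy for table "documents"
SELECT count(*) FROM documents;  -- counts only rows where tenant = 'acme'
RESET ROLE;
```

Superusers and roles with the BYPASSRLS attribute are not subject to these policies, so the application roles should have neither.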
We look at an example of how this RLS approach can be practically implemented, and compare it to a traditional implementation. We also consider the performance impact of RLS along with the security and development benefits.
- 2018 October 9 13:50
- 40 min
- South Africa 2018
- Operations and Administration