• postgresql-行级安全-RLS


    行级安全-RLS

    行级安全策略

    9.5版本新增的特性,该特性是在数据库授权体系下提供的更细粒度的控制。通俗的说就是不同用户可以看到表中不同的数据,这种控制是行级别的

    9.5以前的数据库安全技术是通过grant/revoke来实现的,这两个指令提供了对象级的安全限制,针对表还有列级别的安全限制。

    所有对数据的操作,暴扣数据查询和更新,都受策略的限制,如果没有配置安全策略,所有的查询和更新都会禁止,但是对全表进行操作的命令,truncate和refrences不受影响

    行级安全策略可以加在命令上,也可以加在角色上,也可以两者都加。命令可以是 ALL, SELECT, INSERT, UPDATE 和
    DELETE, 同一个策略也可以赋予多个角色。但是表的所有者,超级用户 (postgres) 以及加上了 BYPASSRLS
    属性的角色不受安全性的限制。如果应用想忽略行级安全性机制的限制,也可以将 row_security 设置为 off。

    CREATE POLICY ALTER POLICY DROP POLICY 命令分别用于策略的创建、修改和删除, ALTER TABLE 可以用于行级安全性的启用 / 禁用。

    每个策略都有一个名字,每个表可以定义多个策略,因为策略是针对表的,所以表内的多个策略名字必须唯一,但是不同的表可以有同名的策略,当表有多个策略时,多个策略之间是 OR 的关系。

    语法

    CREATE POLICY name ON table_name
        [ FOR { ALL | SELECT | INSERT | UPDATE | DELETE } ]
        [ TO { role_name | PUBLIC | CURRENT_USER | SESSION_USER } [, ...] ]
        [ USING ( using_expression ) ]
        [ WITH CHECK ( check_expression ) ]
    using:针对已经存在的记录的校验,可实施在select,update,delete,all上
    with check:针对将要新增的记录的校验,可实施在insert,update,all上
    update因为涉及旧的数据和新的记录,如果只写了using,但是没有提供with check的话,using同时会当成with check来进行检查
    
    如果针对同样的命令创建了多个策略, 所有策略中任意一个为TRUE都通过.
    
    例如ALL, SELECT各创建了一个策略for role r1, 执行select时任意一个为TRUE都通过.
    
    
    • 开启了安全策略后,普通用户能否正常访问数据?

    • 更新策略(更新是标记为删除后插入,也可以看出先查询后插入)需要注意什么?

    --创建三个用户
    postgres=# create role r1 login;
    CREATE ROLE
    postgres=# create role r2 login;
    CREATE ROLE
    postgres=# create role r3 login;
    CREATE ROLE
    
    --创建表
    postgres=# create table test(id int, r name);  
    CREATE TABLE
    postgres=#  insert into test values(1, 'r1');  
    INSERT 0 1
    postgres=# insert into test values(2, 'r2');  
    INSERT 0 1
    postgres=# insert into test values(3, 'r3');  
    INSERT 0 1
    postgres=#  grant all on table test to public;  
    GRANT
    
    --创建一个新增数据的策略,with check
    postgres=# create policy p on test for insert to r1 with check( r = current_user);
    CREATE POLICY
    postgres=# 
    
    --默认情况下状态是disable状态
    postgres=# d+ test
                             Table "public.test"
     Column |  Type   | Modifiers | Storage | Stats target | Description 
    --------+---------+-----------+---------+--------------+-------------
     id     | integer |           | plain   |              | 
     r      | name    |           | plain   |              | 
    Policies (row security disabled):
        POLICY "p" FOR INSERT
          TO r1
          WITH CHECK ((r = "current_user"()))
    
    --pg_policies可以查看已经创建的策略
    postgres=# select * from pg_policies;
     schemaname | tablename | policyname | roles |  cmd   | qual |       with_check       
    ------------+-----------+------------+-------+--------+------+------------------------
     public     | test      | p          | {r1}  | INSERT |      | (r = "current_user"())
    (1 row)
    
    postgres=# c postgres r1
    FATAL:  permission denied for database "postgres"
    DETAIL:  User does not have CONNECT privilege.
    Previous connection kept
    --赋予连接权限
    postgres=# grant connect on database postgres to r1;
    GRANT
    postgres=# grant connect on database postgres to r2;
    GRANT
    postgres=# grant connect on database postgres to r3;
    GRANT
    
    --在策略是disable状态的时候,策略视为无效状态
    postgres=# c postgres r1
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "r1".
    postgres=> 
    postgres=> insert into test values(4,'r1');
    INSERT 0 1
    postgres=> insert into test values(4,'r2');
    INSERT 0 1
    postgres=> 
    
    --使策略生效
    postgres=> c postgres sa
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "sa".
    postgres=# alter table test enable row level security;
    ALTER TABLE
    
    --再次插入数据就只能插入和r1角色同名的r值,r1用户插入了r2值会报错
    postgres=# c postgres r1
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "r1".
    postgres=> insert into test values(4,'r2');
    ERROR:  new row violates row-level security policy for table "test"
    postgres=> insert into test values(4,'r1');
    INSERT 0 1
    
    • 新增策略
    --新增一个策略,r1角色插入test表时,允许r字段的值为‘r1’和’r2‘
    postgres=> c postgres sa
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "sa".
    postgres=# create policy p1 on test for insert to r1 with check( r = 'r2');  
    CREATE POLICY
    postgres=# 
    postgres=# c postgres r1
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "r1".
    postgres=> insert into test values(4,'r2');  
    INSERT 0 1
    postgres=> insert into test values(4,'r1');  
    INSERT 0 1
    postgres=> insert into test values(4,'r3');  
    ERROR:  new row violates row-level security policy for table "test"
    
    postgres=> d+ test
                             Table "public.test"
     Column |  Type   | Modifiers | Storage | Stats target | Description 
    --------+---------+-----------+---------+--------------+-------------
     id     | integer |           | plain   |              | 
     r      | name    |           | plain   |              | 
    Policies:
        POLICY "p" FOR INSERT
          TO r1
          WITH CHECK ((r = "current_user"()))
        POLICY "p1" FOR INSERT
          TO r1
          WITH CHECK ((r = 'r2'::name))
    
    
    
    • 开启策略后,普通用户无法在访问数据
    postgres=> c postgres r2
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "r2".
    postgres=> select  * from test;
     id | r 
    ----+---
    (0 rows)
    
    postgres=> c postgres r1
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "r1".
    postgres=> select * from test;
     id | r 
    ----+---
    (0 rows)
    
    • 查询策略
    --r1只能查看到r='r1'的数据
    postgres=> c postgres sa
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "sa".
    postgres=# create policy p2 on test for select to r1 using ( r = current_user);  
    CREATE POLICY
    postgres=# 
    postgres=# c postgres r1
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "r1".
    postgres=> select * from test;
     id | r  
    ----+----
      1 | r1
      4 | r1
      4 | r1
      4 | r1
    (4 rows)
    
    
    --创建所有用户只能看到r= current_user,to public
    postgres=> c postgres sa
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "sa".
    postgres=# create policy p3 on test for select to public using ( r = current_user);  
    CREATE POLICY
    postgres=# c postgres r2
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "r2".
    postgres=> select * from test;
     id | r  
    ----+----
      2 | r2
      4 | r2
      4 | r2
    (3 rows)
    
    • 更新策略
    --创建更新策略
    postgres=# create policy p4 on test for update to r3 using(r=current_user);
    CREATE POLICY
    
    --删除开始的策略
    postgres=# drop policy p on test;
    DROP POLICY
    postgres=# drop policy p1 on test;
    DROP POLICY
    postgres=# drop policy p2 on test;
    DROP POLICY
    postgres=# drop policy p3 on test;
    DROP POLICY
    postgres=# d+ test
                             Table "public.test"
     Column |  Type   | Modifiers | Storage | Stats target | Description 
    --------+---------+-----------+---------+--------------+-------------
     id     | integer |           | plain   |              | 
     r      | name    |           | plain   |              | 
    Policies:
        POLICY "p4" FOR UPDATE
          TO r3
          USING ((r = "current_user"()))
    
    postgres=# c postgres r3
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "r3".
    --更新数据为0,是没有创建查询策略?
    postgres=> update test set id=4 where r = 'r3';
    UPDATE 0
    postgres=> select * from test;
     id | r 
    ----+---
    (0 rows)
    
    --创建了查询策略后,数据可以正常更新
    postgres=> c postgres sa
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "sa".
    postgres=# create policy p1 on test for select to r3 using ( r = current_user);  
    CREATE POLICY
    postgres=# c postgres r3
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "r3".
    postgres=> select * from test;
     id | r  
    ----+----
      3 | r3
    (1 row)
    --常见查询策略后,更新了数据
    postgres=> update test set id=4 where r = 'r3';
    UPDATE 1
    
    
    • 策略只针对非超级用户和非owner
    --超级用户可以看到所有数据
    postgres=> c postgres sa
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "sa".
    postgres=# select * from test;
     id | r  
    ----+----
      1 | r1
      2 | r2
      3 | r3
      4 | r1
      4 | r2
      4 | r1
      4 | r2
      4 | r1
    (8 rows)
    
    postgres=# alter role r1 superuser;
    ALTER ROLE
    postgres=# c postgres r1
    psql (9.6.4, server 9.5.3)
    You are now connected to database "postgres" as user "r1".
    postgres=# select * from test;
     id | r  
    ----+----
      1 | r1
      2 | r2
      3 | r3
      4 | r1
      4 | r2
      4 | r1
      4 | r2
      4 | r1
    (8 rows)
    
    • 普通用户对添加了行级安全策略的表pg_dump或者pg_restore时会报错
     pg_dump -U r1 -d postgres -p 5432 -t public.test
    pg_dump: [archiver (db)] query failed: ERROR:  query would be affected by row-level security policy for table "test"
    pg_dump: [archiver (db)] query was: COPY public.test (id, r) TO stdout;
    
    

    CREATE POLICY ALTER POLICY DROP POLICY 命令分别用于策略的创建、修改和删除, ALTER TABLE 可以用于行级安全性的启用 / 禁用。

    每个策略都有一个名字,每个表可以定义多个策略,因为策略是针对表的,所以表内的多个策略名字必须唯一,但是不同的表可以有同名的策略,当表有多个策略时,多个策略之间是 OR 的关系。

    RLS参考资料
    RLS参考资料

  • 相关阅读:
    WRF rsl.out文件研究
    ERA-Interim 的变量TCW和VIWV可降水量
    sudo apt update 没有 Release 文件
    线性斜压模式LBM学习&安装实录
    PGI 用户手册之 Site-Specific Customization of the Compilers
    ERA5气压层数据驱动WRF的一些问题
    OpenMP fortran 学习
    crontab计划运行shell脚本,调用ncl执行失败
    CDO学习2 CDO 入门教程Tutorial
    guide, manual, tutorial之间的区别
  • 原文地址:https://www.cnblogs.com/zhangfx01/p/14367567.html
Copyright © 2020-2023  润新知