基于读写访问视图的Postgresql 9.4中基于行的安全性
对于用户具有完全shell访问权限的系统,我们希望使用postgresql数据库,通过访问控制列表管理用户之间共享的文件夹。因此,每个用户都有一个个人数据库帐户,我们使用基于视图的基于行的安全性。这是我们目前的草案:基于读写访问视图的Postgresql 9.4中基于行的安全性,postgresql,views,postgresql-9.4,Postgresql,Views,Postgresql 9.4,对于用户具有完全shell访问权限的系统,我们希望使用postgresql数据库,通过访问控制列表管理用户之间共享的文件夹。因此,每个用户都有一个个人数据库帐户,我们使用基于视图的基于行的安全性。这是我们目前的草案: REVOKE ALL ON jobs_admin FROM public; REVOKE ALL ON share_admin FROM public; CREATE VIEW share WITH (security_barrier) AS SELECT * FROM shar
REVOKE ALL ON jobs_admin FROM public;
REVOKE ALL ON share_admin FROM public;
CREATE VIEW share
WITH (security_barrier)
AS
SELECT *
FROM share_admin
WHERE username = current_user
OR owner = current_user
WITH CHECK OPTION;
CREATE VIEW jobs_read
WITH (security_barrier)
AS
SELECT *
FROM jobs_admin j, share_admin s
WHERE s.username = current_user
AND j.project LIKE s.project || '%'
WITH CHECK OPTION;
CREATE VIEW jobs_write
WITH (security_barrier)
AS
SELECT *
FROM jobs_admin j, share_admin s
WHERE (s.username = current_user
AND s.permission = 'w'
AND j.project LIKE s.project || '%')
OR j.project LIKE current_user || '%'
WITH CHECK OPTION;
ALTER VIEW share OWNER TO admin;
ALTER VIEW jobs_read OWNER TO admin;
ALTER VIEW jobs_write OWNER TO admin;
GRANT ALL ON share TO public;
GRANT SELECT ON jobs_read TO public;
GRANT ALL ON jobs_write TO public;
RESET ROLE;
CREATE TRIGGER insert_trigger
INSTEAD OF INSERT ON jobs_read
FOR EACH ROW EXECUTE PROCEDURE insert_trigger_func();
CREATE FUNCTION insert_trigger_func() RETURNS TRIGGER AS $BODY$
BEGIN
INSERT INTO jobs_write VALUES (NEW.*);
RETURN NEW;
END; $BODY$ LANGUAGE plpgsql;
Jan不确定您想做什么,但是您在db中创建了配置文件,但是显示/写入限制是UI的一部分,而不是db的一部分。为什么不更新到9.5或9.6并使用内置RLS?