Implement row-level security in RisingWave
Introduces how to implement row-level security (RLS) in RisingWave by using logical views and access control.
Row Security Policies are a PostgreSQL feature that controls row-level access based on specific policies. RisingWave does not natively support Row Security Policies, but you can achieve equivalent row-level security by combining logical views with access control. This approach ensures that users can only access data they are authorized to see.
Added in v2.4.
Scenario
This article will demonstrate how to enforce role-based access control on a table named employees, which stores employee information including department and salary. The goal is to implement the following access rules:
- The HR manager can view all employees in the HR department.
- The Engineering manager can view all employees in the Engineering department.
- The CEO can view all employees.
To achieve this, logical views are created for each role to filter the data accordingly. Access to these views is then granted based on user permissions, while direct access to the base table is restricted.
Step-by-step guide
- Create the employees table to store employee data:
- Insert some sample data into the employees table:
- Create user accounts. For example, create three users: hr_manager, engineering_manager, and ceo.
- Define logical views and grant access.

  HR manager can only view employees in the HR department:
  View for HR manager

  Engineering manager can only view employees in the Engineering department:
  View for engineering manager

  The CEO can view all employees:
  View for CEO
- Verify user access.

  Now we can connect to the database as the user hr_manager to ensure that they can only query the hr_employee_view and cannot access the employees table or other views.

  Connect as hr_manager and test access:

  Query the HR view:

  Access to unauthorized data will be denied:
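The five steps above written out as one script. This is an added example, not code from the RisingWave documentation: the column names, sample rows, placeholder passwords and the view names engineering_employee_view and ceo_employee_view are assumptions, and the statements use PostgreSQL-style forms that should be checked against your RisingWave version.

```sql
-- Added example. Only employees, hr_employee_view and the three user names
-- come from the guide; everything else here is an assumption.

-- 1. Base table, created by an administrative user who owns it.
CREATE TABLE employees (
    id INT PRIMARY KEY,
    name VARCHAR,
    department VARCHAR,
    salary INT
);

-- 2. Constructed sample rows.
INSERT INTO employees VALUES
    (1, 'Alice', 'HR', 70000),
    (2, 'Bob', 'Engineering', 95000),
    (3, 'Carol', 'Engineering', 105000),
    (4, 'Dave', 'HR', 65000);

-- 3. One login per role. Replace the placeholder passwords.
CREATE USER hr_manager WITH PASSWORD '<hr-password>';
CREATE USER engineering_manager WITH PASSWORD '<engineering-password>';
CREATE USER ceo WITH PASSWORD '<ceo-password>';

-- 4. One filtered view per role, with SELECT granted on the view only.
--    No privilege on employees itself is granted to any of the three users;
--    that omission is what keeps the base table out of reach.
CREATE VIEW hr_employee_view AS
    SELECT * FROM employees WHERE department = 'HR';
GRANT SELECT ON hr_employee_view TO hr_manager;

CREATE VIEW engineering_employee_view AS
    SELECT * FROM employees WHERE department = 'Engineering';
GRANT SELECT ON engineering_employee_view TO engineering_manager;

CREATE VIEW ceo_employee_view AS
    SELECT * FROM employees;
GRANT SELECT ON ceo_employee_view TO ceo;

-- 5. Checks to run from a session connected as hr_manager.
-- The view this user was granted:
SELECT * FROM hr_employee_view;
-- The base table, on which hr_manager holds no grant:
SELECT * FROM employees;
-- Another role's view, on which hr_manager holds no grant:
SELECT * FROM engineering_employee_view;
```

Repeat the step 5 checks as engineering_manager and ceo, so that each view's filter and each missing grant is confirmed from the account it is meant to constrain.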
Related topics
- To learn how to define logical views, see CREATE VIEW.
- To learn more about security policies, see Access control.