In the actual business, there is another scenario. The same data table only allows users to view the row data that meets certain conditions. In this case, the access control needs to be accurate to the row level of the data table, so that different users can execute the same SQL query. , update or delete operations, the results read are different.
Users can create row-level access control (row level security) policies on data tables, which are expressions that take effect for specific database users and specific SQL operations. When a database user accesses a data table, the rows that meet the policy conditions are visible to the user, and the rows that do not meet the conditions are invisible to the user, thereby realizing row-level access control for the user.
openGauss provides the SQL statement CREATE/ALTER/DROP ROW LEVEL SECURITY to create/modify/delete row-level access rights policies:
Step 1: Create an information table pat_info to record the personal information of hospital patients:
openGauss=# select * from pat_info;
patience | doctor | age
-------------+--------+-----
peter | mary | 25
bob | mary | 56
julie | tom | 38
(3 rows)
Step 2: Create a row-level access control policy so that doctors can only view their own patient information:
openGauss=# CREATE ROW LEVEL SECURITY POLICY rls_select ON pat_info FOR select USING(doctor=current_user);
CREATE ROW LEVEL SECURITY POLICY
Step 3: Turn on the row-level access control switch on the information table pat_info
openGauss=# ALTER TABLE pat_info ENABLE ROW LEVEL SECURITY;
ALTER TABLE
Step 4: Grant the viewing permission of the information table pat_info to everyone
openGauss=# grant select on table pat_info to public;
GRANT
Step 5: Dr. Mary's review results:
openGauss=> select * from pat_info;
patience | doctor | age
----------+--------+-----
peter | mary | 25
bob | mary | 56
(2 rows)
Dr. Tom's findings:
openGauss=> select * from pat_info;
patience | doctor | age
----------+--------+-----
julie | tom | 38
(1 row)
Top comments (0)