Re: Row-level Security vs Application-level authz

From: Stephen Frost
Subject: Re: Row-level Security vs Application-level authz
Msg-id: 20150223233444.GD29780@tamriel.snowman.net
In response to: Row-level Security vs Application-level authz (Darin Gordon <darinc@gmail.com>)
List: pgsql-general

Darin,

* Darin Gordon (darinc@gmail.com) wrote:
> I'm trying to understand the extent that row level security in postgresql
> 9.5 may replace, or augment, application-level access control.

Neat!

> I have a fully implemented application-level access control policy.  It's
> not clear to me how I will integrate or replace it with RLS.

There's not very much information to go on here but there's a couple of
different ways to either integrate or replace what you have at the
application level with a combination of the PostgreSQL GRANT and POLICY
systems.

> Craig Ringer mentioned in a blog post:
>  "Most importantly, row-security is pluggable – in addition to looking
> policies up from the system catalogs, it’s also possible to use a policy
> hook to supply arbitrary policy from extensions. "
>
> It seems that my options will be to record authorization into the catalog
> or write an extension?

It's not entirely clear to me what else you'd do, but perhaps I can help
clarify by explaining what is meant by "looking policies up from the
system catalogs".  Those are policies which are implemented using the
new CREATE POLICY command available in 9.5.  Those policies can be
either specific (such as to a particular user or role) or generic (by
looking up the current role using a table, or using the currently logged
in user, and then looking up if the current record is allowed to be seen
or operated on by the user in another table).

More insight into what your current system looks like and what the
requirements are would help move this discussion from high-level
generalities to specific analysis of your use-case.

    Thanks!

        Stephen
