wip

notes/rls.sql

@@ -0,0 +1,39 @@
+create role users;
+create user johnny;
+grant users to johnny;
+
+create table secret_stuff(id serial primary key, data text not null, authz_expr text not null);
+alter table secret_stuff enable row level security;
+insert into secret_stuff(data, authz_expr) values('pretty secret', 'label1');
+insert into secret_stuff(data, authz_expr) values('moar secret', 'label1|label2');
+insert into secret_stuff(data, authz_expr) values('wat', 'label2');
+insert into secret_stuff(data, authz_expr) values('win', 'label2 & (label3 | label4)');
+
+grant select on secret_stuff to users;
+
+create policy evaluate_policies on secret_stuff using ( accumulo_check_authorization(authz_expr, string_to_array(current_setting('session.authorizations'), ',')));
+
+-- ...
+set session authorization johnny;
+select current_user,session_user;
+-- current_user | session_user 
+----------------+--------------
+-- johnny       | johnny
+
+set session.authorizations = 'label1';
+
+select * from secret_stuff;
+-- id |     data      |  authz_expr   
+------+---------------+---------------
+--  1 | pretty secret | label1
+--  2 | moar secret   | label1|label2
+-- (2 rows)
+
+set session.authorizations = 'label2,label3';
+select * from secret_stuff;
+-- id |    data     |         authz_expr         
+------+-------------+----------------------------
+--  2 | moar secret | label1|label2
+--  3 | wat         | label2
+--  4 | win         | label2 & (label3 | label4)
+-- (3 rows)