Row-level security (RLS)
In addition to database access permissions available through the ROLE and GRANT privilege system, YugabyteDB provides a more granular level of security where tables can have row security policies that restrict rows users can access.
Row-level security (RLS) restricts rows that can be returned by normal queries or inserted, updated, or deleted by DML commands. RLS policies can be created specific to a DML command or with ALL commands. They can also be used to create policies on a particular role or multiple roles.
By default, tables do not have any row-level policies defined; if a user has access privileges to a table, all rows in the table are available to query and update.
This example uses the row-level security policies to restrict employees to view only rows that have their respective names.
Step 1. Create example table
Open the YSQL shell (ysqlsh
), specifying the yugabyte
user and prompting for the password.
$ ./ysqlsh -U yugabyte -W
When prompted for the password, enter the yugabyte password. You should be able to log in and see a response similar to the following:
ysqlsh (11.2-YB-2.23.1.0-b0)
Type "help" for help.
yugabyte=#
Create a employee table and insert few sample rows
create table employees ( empno int, ename text, address text, salary int,
account_number text );
insert into employees values (1, 'joe', '56 grove st', 20000, 'AC-22001' );
insert into employees values (2, 'mike', '129 81 st', 80000, 'AC-48901' );
insert into employees values (3, 'julia', '1 finite loop', 40000, 'AC-77051');
select * from employees;
empno | ename | address | salary | account_number
-------+-------+---------------+--------+----------------
1 | Joe | 56 grove st | 20000 | AC-22001
2 | Mike | 129 81 st | 80000 | AC-48901
3 | Julia | 1 finite loop | 40000 | AC-77051
(3 rows)
Step 2. Grant access to users
Set up the database by creating users based on the entries in rows and provide table access to them.
create user joe;
grant select on employees to joe;
create user mike;
grant select on employees to mike;
create user julia;
grant select on employees to julia;
At this point, users can see all the data.
\c yugabyte joe;
select * from employees;
empno | ename | address | salary | account_number
-------+-------+---------------+--------+----------------
1 | Joe | 56 grove st | 20000 | AC-22001
3 | Julia | 1 finite loop | 40000 | AC-77051
2 | Mike | 129 81 st | 80000 | AC-48901
(3 rows)
\c yugabyte mike;
select * from employees;
empno | ename | address | salary | account_number
-------+-------+---------------+--------+----------------
1 | Joe | 56 grove st | 20000 | AC-22001
3 | Julia | 1 finite loop | 40000 | AC-77051
2 | Mike | 129 81 st | 80000 | AC-48901
(3 rows)
\c yugabyte julia;
select * from employees;
empno | ename | address | salary | account_number
-------+-------+---------------+--------+----------------
1 | Joe | 56 grove st | 20000 | AC-22001
3 | Julia | 1 finite loop | 40000 | AC-77051
2 | Mike | 129 81 st | 80000 | AC-48901
(3 rows)
Step 3. Set up RLS for a user
Now create a row-level security policy for user joe
\c yugabyte yugabyte;
CREATE POLICY emp_rls_policy ON employees FOR ALL TO PUBLIC USING (
ename=current_user);
Syntax of the CREATE POLICY
command is as follows:
- Use the
CREATE POLICY
command to create the policy. Need to be a superuser to execute this command. emp_rls_policy
is the user defined name for the policy.employees
is the name of the table.ALL
here represents all DDL commands. Alternatively one can specify select, insert, update, delete, or other operations that need to be restricted.PUBLIC
here represents all roles. Alternatively one can provide specific role names to which the policy will apply.USING (ename=current_user)
is called the expression. It is a filter condition that returns a boolean value. This command compares theename
column of theemployees
tables to the logged in user, if they match then the user will be able to access the row for DDL operations.
Step 4. Enable RLS on table
Enable row-level security on the table
\c yugabyte yugabyte;
ALTER TABLE employees ENABLE ROW LEVEL SECURITY;
Step 5. Verify row-level security
Verify what each user can view from the employees table.
\c yugabyte yugabyte;
select * from employees;
empno | ename | address | salary | account_number
-------+-------+---------------+--------+----------------
2 | mike | 129 81 st | 80000 | AC-48901
1 | joe | 56 grove st | 20000 | AC-22001
3 | julia | 1 finite loop | 40000 | AC-77051
(3 rows)
\c yugabyte joe;
select current_user;
current_user
--------------
joe
(1 row)
select * from employees;
empno | ename | address | salary | account_number
-------+-------+-------------+--------+----------------
1 | joe | 56 grove st | 20000 | AC-22001
(1 row)
\c yugabyte mike;
select current_user;
current_user
--------------
mike
(1 row)
select * from employees;
empno | ename | address | salary | account_number
-------+-------+-----------+--------+----------------
2 | mike | 129 81 st | 80000 | AC-48901
(1 row)
\c yugabyte julia
select current_user;
current_user
--------------
julia
(1 row)
select * from employees;
empno | ename | address | salary | account_number
-------+-------+---------------+--------+----------------
3 | julia | 1 finite loop | 40000 | AC-77051
(1 row)
As defined in the policy, the current_user
can only access their own row.
Step 6. Bypass row-level security
YugabyteDB has BYPASSRLS and NOBYPASSRLS permissions, which can be assigned to a role. By default, table owner and superuser have BYPASSRLS
permissions assigned, so these users can skip the row-level security. The other roles in a database will have NOBYPASSRLS
assigned to them by default.
Assign BYPASSRLS
to user joe
so they can see all the rows in the employees table.
\c yugabyte yugabyte;
ALTER USER joe BYPASSRLS;
\c yugabyte joe;
select * from employees;
empno | ename | address | salary | account_number
-------+-------+---------------+--------+----------------
2 | mike | 129 81 st | 80000 | AC-48901
1 | joe | 56 grove st | 20000 | AC-22001
3 | julia | 1 finite loop | 40000 | AC-77051
(3 rows)
Step 7. Remove row-level policy
DROP POLICY
command is used to drop a policy
\c yugabyte yugabyte;
DROP POLICY emp_rls_policy ON employees;
Logging in as user joe
or julia
won't return any data because the RLS policy was dropped and row-level security is still enabled on the table.
\c yugabyte mike;
select current_user;
current_user
--------------
mike
(1 row)
select * from employees;
empno | ename | address | salary | account_number
-------+-------+---------+--------+----------------
(0 rows)
To completely disable row-level security on the table, ALTER TABLE
to remove row-level security.
\c yugabyte yugabyte;
ALTER TABLE employees DISABLE ROW LEVEL SECURITY;
\c yugabyte mike;
select current_user;
current_user
--------------
mike
(1 row)
select * from employees;
empno | ename | address | salary | account_number
-------+-------+---------------+--------+----------------
2 | mike | 129 81 st | 80000 | AC-48901
1 | joe | 56 grove st | 20000 | AC-22001
3 | julia | 1 finite loop | 40000 | AC-77051
(3 rows)