RLS support #1587
Replies: 4 comments
-
This definitely something we're interested in. Getting to a stable, scalable 1.0 is our immediate priority (we'll rely on APIs for auth until then) but we're keen to explore other options in the future including RLS. |
Beta Was this translation helpful? Give feedback.
-
Just for some addition context, this is something we've looked into in some depth. Your summary is exactly right:
There are two primary approaches for solving (2): a. find a way to use a replication stream per tenant / auth context; this can work for some data access patterns The second approach requires getting the rules and running them against the operations in the replication stream. This has a challenge, in that RLS rules are quite flexible/expressive and allow you to query the state of the database. For example, when authorising access to a row, you can query another table. This is challenging when processing the replication stream, because the replication stream is behind the current state of the database. Postgres has MVCC internally but does not (natively) allow you to query the database at a particular snapshot. This means that by the time you have received a transaction in the replication stream, you can't query the database within the same snapshot. This limits the complexity of RLS rules that can be supported. Possible solutions
|
Beta Was this translation helpful? Give feedback.
-
Especially as you're mentioning supabase, it would be cool if electric could just leverage RLS policies that are created in supabase already. This way an offline enabled app with electric + supabase could have quite a head start. |
Beta Was this translation helpful? Give feedback.
-
One of the observations about the https://supabase.com/docs/guides/realtime/authorization design is that we could potentially support something similar, where RLS rules set on an |
Beta Was this translation helpful? Give feedback.
-
I wonder if you have any plans to support Row Level Security (RLS)?
Most uses of RLS at scale use a single user (or a few users corresponding to roles), and use SET LOCAL variables to describe the current user ID. See https://www.graphile.org/postgraphile/security/#how-it-works
So it would be a matter of:
Beta Was this translation helpful? Give feedback.
All reactions