Multi Tenant applications using PostgreSQL Row Level Security

 PostgreSQL supports Row Level Security (RLS) so that applications can restrict who can see which records in a table either based in DB user name or based on Connection session variable. This feature can be used to implement discriminator based multi tenant where records for multiple customers are present in single table. This blog explains steps for implementation https://www.crunchydata.com/blog/row-level-security-for-tenants-in-postgres

Advantage of this approach is that its easy to implement and day to day application development activities dont have to bother about breaking multi tenancy because code for applying discriminator is implemented at a framework that obtains connection from connection pool. Application developers dont have to modify individual SQL statement or even pass around tenant_id as a parameter in method calls.

Good thing about RLS is that RLS policy can be applied to specific Roles in Postgres and these roles should be used by application connections where multi tenancy needs to be applied. For application code where where multi tenancy should not be applied, use a role where RLS policy is not applied. eg. batch jobs that prunes history tables.

But RLS has a limitation and this comes from PostgreSQL inability to unset session variables. Since most applications uses connection pools to manage database connections, any session variables set on Postgres connection will remain and carry forward to next connection. So application framework code that releases connection should set RLS session variable to some invalid value.

Somehow I wasnt able to use JDBC PreparedStatement to set session variable. Only Statement worked.

Another peculiar feature is that by default RLS does not apply to owner of table. This behaviour can be changed by use of ENFORCE key word. 

Code to set session variable in Spring Boot 3.2 - https://gist.github.com/antopaul/d821816dee6f10a7dea91bb9c3e9b2e0

Comments

Post a Comment

Popular posts from this blog

Recovering Dell Laptop Windows OS using factory image from Linux bootable USB drive

I used Linux booted from a USB drive to restore Dell Windows 7 factory image on Inspiron 1545 when Windows 7 stopped booting and F8 key stopped working. This was done using Linux equivalent of Imagex command and used dell factory.wim file. Credits goes to - https://www.dell.com/community/Windows-General/Restore-from-dell-recovery-partition-with-Imagex-Solved/td-p/4083636 Software used 1, PuppyLinux BionicPup32 8.0 (Ubuntu Bionic 32 bit) Downloaded as ISO image from their website. It is good to use any other popular distros like Ubuntu. 2, When using PuppyLinux, download Devx package which has GCC compiler for the corresponding PuppyLinux distribution. ( http://wikka.puppylinux.com/devx ). When using a full fledged distribution, this step may not be necessary. 3, USB pen drive or any flash storage. I used SD memory card because my laptop will not boot from a pendrive. 3, unetbootin-windows-661.exe 4, Wimlib 1.13.1 - downloaded source because a binary distributio...
Read more

java.util.logging - Bad level value for property: org.openqa.level

Bad level value for property: some.package.name.level         The above error is produced by java.util.logging.LogManager when the log level is invalid. for eg. you might have specified a log level of DEBUG and DEBUG is not a valid log level in java.util.logging.         org.openqa.level=DEBUG         Valid log levels in java.util.logging are SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL, OFF     Correct usage is     org.openqa.level=FINE
Read more