+
(policy1 <- rls_construct_policy(
name = "admin_all",
- on = "passwd",
- to = "admin",
+ table = "passwd",
+ role = "admin",
using = "(true)",
- with = "(true)"
+ check = "(true)"
))
#> <rls_policy>
#> policy name: admin_all
-#> on: passwd
-#> to: admin
+#> table: passwd
+#> role: admin
#> using: (true)
-#> with: (true)
+#> check: (true)
rls_create_policy(con, policy1)
rls_policies(con)
#> # A tibble: 1 × 8
@@ -158,17 +189,17 @@
all_view
= Normal users can view all rows
-
+
(policy2 <- rls_construct_policy(
name = "all_view",
- on = "passwd",
- for_ = "SELECT",
+ table = "passwd",
+ command = "SELECT",
using = "(true)"
))
#> <rls_policy>
#> policy name: all_view
-#> on: passwd
-#> for: SELECT
+#> table: passwd
+#> command: SELECT
#> using: (true)
rls_create_policy(con, policy2)
rls_policies(con)
@@ -179,23 +210,23 @@
user_mod
= Normal users can update their own records,
but limit which shells a normal user is allowed to set
-
+
(policy3 <- rls_construct_policy(
name = "user_mod",
- on = "passwd",
- for_ = "UPDATE",
+ table = "passwd",
+ command = "UPDATE",
using = "(current_user = user_name)",
- with = "(
+ check = "(
current_user = user_name AND
shell IN ('/bin/bash','/bin/sh','/bin/dash','/bin/zsh','/bin/tcsh')
)"
))
#> <rls_policy>
#> policy name: user_mod
-#> on: passwd
-#> for: UPDATE
+#> table: passwd
+#> command: UPDATE
#> using: (current_user = user_name)
-#> with: (
+#> check: (
#> current_user = user_name AND
#> shell IN ('/bin/bash','/bin/sh','/bin/dash','/bin/zsh','/bin/tcsh')
#> )
@@ -212,64 +243,86 @@
Allow admin all normal rights
-
+
dbExecute(con, "GRANT SELECT, INSERT, UPDATE, DELETE ON passwd TO admin")
Users only get select access on public columns
-
+
dbExecute(con, "GRANT SELECT
- (user_name, uid, gid, real_name, home_phone, extra_info, home_dir, shell)
+ (user_name, uid, gid, real_name, home_phone, home_dir, shell)
ON passwd TO public"
)
Allow users to update certain columns
-
+
dbExecute(con, "GRANT UPDATE
- (pwhash, real_name, home_phone, extra_info, shell)
+ (pwhash, real_name, home_phone, shell)
ON passwd TO public"
)
Ensure the system behaves as expected
-
+Admin can access all columns
+
dbExecute(con, "SET SESSION AUTHORIZATION admin")
#> [1] 0
-dbGetQuery(con, "SELECT * from passwd")
-#> user_name pwhash uid gid real_name home_phone extra_info home_dir
-#> 1 admin xxx 0 0 Admin 111-222-3333 <NA> /root
-#> 2 bob xxx 1 1 Bob 123-456-7890 <NA> /home/bob
-#> 3 alice xxx 2 1 Alice 098-765-4321 <NA> /home/alice
-#> shell
-#> 1 /bin/dash
-#> 2 /bin/zsh
-#> 3 /bin/zsh
-
+tbl(con, "passwd")
+#> # Source: table<"passwd"> [3 x 8]
+#> # Database: postgres [schambe3@/tmp:5432/schambe3]
+#> user_name pwhash uid gid real_name home_phone home_dir shell
+#> <chr> <chr> <int> <int> <chr> <chr> <chr> <chr>
+#> 1 admin xxx 0 0 Admin 111-222-3333 /root /bin/dash
+#> 2 bob xxx 1 1 Bob 123-456-7890 /home/bob /bin/zsh
+#> 3 alice xxx 2 1 Alice 098-765-4321 /home/alice /bin/zsh
+Alice can NOT access all columns
+
dbExecute(con, "SET SESSION AUTHORIZATION alice")
#> [1] 0
-dbGetQuery(con, "SELECT * from passwd")
-#> Error: Failed to fetch row : ERROR: permission denied for table passwd
-
-dbGetQuery(con, "SELECT user_name,real_name,home_phone,extra_info,home_dir,shell FROM passwd")
-#> user_name real_name home_phone extra_info home_dir shell
-#> 1 admin Admin 111-222-3333 <NA> /root /bin/dash
-#> 2 bob Bob 123-456-7890 <NA> /home/bob /bin/zsh
-#> 3 alice Alice 098-765-4321 <NA> /home/alice /bin/zsh
-
+tbl(con, "passwd") # "passwd" here means "SELECT * from passwd"
+#> Error in `db_query_fields.DBIConnection()`:
+#> ! Can't query fields.
+#> ℹ Using SQL: SELECT * FROM "passwd" AS "q01" WHERE (0 = 1)
+#> Caused by error:
+#> ! Failed to fetch row : ERROR: permission denied for table passwd
+Alice can access all columns except for pwhash
+
+sql1 <- sql("SELECT user_name,real_name,home_phone,home_dir,shell FROM passwd")
+tbl(con, sql1)
+#> # Source: SQL [3 x 5]
+#> # Database: postgres [schambe3@/tmp:5432/schambe3]
+#> user_name real_name home_phone home_dir shell
+#> <chr> <chr> <chr> <chr> <chr>
+#> 1 admin Admin 111-222-3333 /root /bin/dash
+#> 2 bob Bob 123-456-7890 /home/bob /bin/zsh
+#> 3 alice Alice 098-765-4321 /home/alice /bin/zsh
+Alice can not do UPDATE operations on certain columns (in this case
+user_name
)
+
dbExecute(con, "UPDATE passwd SET user_name = 'joe'")
#> Error: Failed to fetch row : ERROR: permission denied for table passwd
-
+Alice can however update real_name
+
dbExecute(con, "UPDATE passwd SET real_name = 'Alice Doe'")
-#> [1] 1
-dbExecute(con, "UPDATE passwd SET real_name = 'John Doe' WHERE user_name = 'admin'")
-#> [1] 0
-dbExecute(con, "UPDATE passwd SET shell = '/bin/xx'")
-#> Error: Failed to fetch row : ERROR: new row violates row-level security policy for table "passwd"
-dbExecute(con, "DELETE from passwd")
+#> [1] 1
+She can update real_name
, but the update doesn’t alter
+any rows when it has a WHERE clause on user_name
+
+dbExecute(con, "UPDATE passwd SET real_name = 'John Doe' WHERE user_name = 'admin'")
+#> [1] 0
+Alice can not update the shell
column to an invalid
+value as defined by our row-level security policy above
+
+dbExecute(con, "UPDATE passwd SET shell = '/bin/xx'")
+#> Error: Failed to fetch row : ERROR: new row violates row-level security policy for table "passwd"
+Alice can not delete the passwd
table and can not do any
+insert operations
+
+dbExecute(con, "DELETE from passwd")
#> Error: Failed to fetch row : ERROR: permission denied for table passwd
dbExecute(con, "INSERT INTO passwd (user_name) VALUES ('xxx')")
#> Error: Failed to fetch row : ERROR: permission denied for table passwd
Alice can change her own password; RLS silently prevents updating
other rows
-
+
dbExecute(con, "UPDATE passwd SET pwhash = 'abc'")
#> [1] 1
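Review bot: The added caption "Alice can not delete the passwd table and can not do any insert operations" misdescribes the check below it. `DELETE from passwd` removes rows, not the table, and both it and the INSERT fail with "permission denied for table passwd", which comes from the GRANT statements earlier in this hunk (PUBLIC receives only column-level SELECT and UPDATE), not from a row-level security policy. Of the statements shown, only the `shell = '/bin/xx'` update is stopped by a policy ("new row violates row-level security policy"). Keeping the privilege layer and the policy layer apart would help readers, e.g. `Alice can not delete or insert rows: she was never granted DELETE or INSERT on passwd`. The caption "all columns except for pwhash" also sits above a query that leaves out uid and gid, which the SELECT grant does include.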
diff --git a/authors.html b/authors.html
index 5e020cb..d400396 100644
--- a/authors.html
+++ b/authors.html
@@ -7,7 +7,7 @@
rls
- 0.0.1.91
+ 0.0.1.94
diff --git a/index.html b/index.html
index d740053..c2ab197 100644
--- a/index.html
+++ b/index.html
@@ -22,7 +22,7 @@
rls
- 0.0.1.91
+ 0.0.1.94
@@ -56,10 +56,11 @@
Value
s3 object of class rls_policy
+
+
Details
+
We've chosen more intuitive names for policy parameters, so here's
+a mapping of function parameters to the PostgreSQL parameters:
References
https://www.postgresql.org/docs/current/sql-createpolicy.html
@@ -99,16 +118,16 @@
ReferencesExamples
x <- rls_construct_policy(
name = "hide_confidential",
- on = "sometable",
- with = "confidential BOOLEAN",
+ table = "sometable",
+ check = "confidential BOOLEAN",
using = "confidential = false"
)
x
#> <rls_policy>
#> policy name: hide_confidential
-#> on: sometable
+#> table: sometable
#> using: confidential = false
-#> with: confidential BOOLEAN
+#> check: confidential BOOLEAN
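Review bot: The example still passes `check = "confidential BOOLEAN"`, which reads as a column declaration rather than a condition; the rename from `with` carries it over unchanged. PostgreSQL's WITH CHECK clause takes a boolean SQL expression, so this policy would presumably be rejected if a reader passed it to rls_create_policy(), although the example itself only constructs and prints the object. A value that mirrors the `using` filter would be clearer, e.g. `check = "confidential = false"`, with the printed `#> check:` line updated to match.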
diff --git a/reference/rls_drop_policy.html b/reference/rls_drop_policy.html
index c0ed8d2..35587cd 100644
--- a/reference/rls_drop_policy.html
+++ b/reference/rls_drop_policy.html
@@ -7,7 +7,7 @@
rls
- 0.0.1.91
+ 0.0.1.94
diff --git a/reference/rls_enable.html b/reference/rls_enable.html
index 0ae6cfc..bcffb9b 100644
--- a/reference/rls_enable.html
+++ b/reference/rls_enable.html
@@ -7,7 +7,7 @@
rls
- 0.0.1.91
+ 0.0.1.94
diff --git a/reference/rls_policies.html b/reference/rls_policies.html
index 31207b8..5feabff 100644
--- a/reference/rls_policies.html
+++ b/reference/rls_policies.html
@@ -7,7 +7,7 @@
rls
- 0.0.1.91
+ 0.0.1.94
@@ -72,8 +72,8 @@ ExamplesdbWriteTable(con, "attitude", attitude, temporary = TRUE)
my_policy <- rls_construct_policy(
name = "all_view",
- on = "attitude",
- for_ = "SELECT",
+ table = "attitude",
+ command = "SELECT",
using = "(true)"
)
rls_create_policy(con, my_policy)
diff --git a/search.json b/search.json
index 1083a54..18fbdcb 100644
--- a/search.json
+++ b/search.json
@@ -1 +1 @@
-[{"path":[]},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"our-pledge","dir":"","previous_headings":"","what":"Our Pledge","title":"Contributor Covenant Code of Conduct","text":"members, contributors, leaders pledge make participation community harassment-free experience everyone, regardless age, body size, visible invisible disability, ethnicity, sex characteristics, gender identity expression, level experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, sexual identity orientation. pledge act interact ways contribute open, welcoming, diverse, inclusive, healthy community.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"our-standards","dir":"","previous_headings":"","what":"Our Standards","title":"Contributor Covenant Code of Conduct","text":"Examples behavior contributes positive environment community include: Demonstrating empathy kindness toward people respectful differing opinions, viewpoints, experiences Giving gracefully accepting constructive feedback Accepting responsibility apologizing affected mistakes, learning experience Focusing best just us individuals, overall community Examples unacceptable behavior include: use sexualized language imagery, sexual attention advances kind Trolling, insulting derogatory comments, personal political attacks Public private harassment Publishing others’ private information, physical email address, without explicit permission conduct reasonably considered inappropriate professional setting","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"enforcement-responsibilities","dir":"","previous_headings":"","what":"Enforcement Responsibilities","title":"Contributor Covenant Code of Conduct","text":"Community leaders responsible clarifying enforcing standards acceptable behavior take appropriate fair corrective action response behavior deem inappropriate, threatening, offensive, harmful. 
Community leaders right responsibility remove, edit, reject comments, commits, code, wiki edits, issues, contributions aligned Code Conduct, communicate reasons moderation decisions appropriate.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"scope","dir":"","previous_headings":"","what":"Scope","title":"Contributor Covenant Code of Conduct","text":"Code Conduct applies within community spaces, also applies individual officially representing community public spaces. Examples representing community include using official e-mail address, posting via official social media account, acting appointed representative online offline event.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"enforcement","dir":"","previous_headings":"","what":"Enforcement","title":"Contributor Covenant Code of Conduct","text":"Instances abusive, harassing, otherwise unacceptable behavior may reported community leaders responsible enforcement sachamber@fredhutch.org. complaints reviewed investigated promptly fairly. community leaders obligated respect privacy security reporter incident.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"enforcement-guidelines","dir":"","previous_headings":"","what":"Enforcement Guidelines","title":"Contributor Covenant Code of Conduct","text":"Community leaders follow Community Impact Guidelines determining consequences action deem violation Code Conduct:","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"id_1-correction","dir":"","previous_headings":"Enforcement Guidelines","what":"1. Correction","title":"Contributor Covenant Code of Conduct","text":"Community Impact: Use inappropriate language behavior deemed unprofessional unwelcome community. Consequence: private, written warning community leaders, providing clarity around nature violation explanation behavior inappropriate. 
public apology may requested.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"id_2-warning","dir":"","previous_headings":"Enforcement Guidelines","what":"2. Warning","title":"Contributor Covenant Code of Conduct","text":"Community Impact: violation single incident series actions. Consequence: warning consequences continued behavior. interaction people involved, including unsolicited interaction enforcing Code Conduct, specified period time. includes avoiding interactions community spaces well external channels like social media. Violating terms may lead temporary permanent ban.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"id_3-temporary-ban","dir":"","previous_headings":"Enforcement Guidelines","what":"3. Temporary Ban","title":"Contributor Covenant Code of Conduct","text":"Community Impact: serious violation community standards, including sustained inappropriate behavior. Consequence: temporary ban sort interaction public communication community specified period time. public private interaction people involved, including unsolicited interaction enforcing Code Conduct, allowed period. Violating terms may lead permanent ban.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"id_4-permanent-ban","dir":"","previous_headings":"Enforcement Guidelines","what":"4. Permanent Ban","title":"Contributor Covenant Code of Conduct","text":"Community Impact: Demonstrating pattern violation community standards, including sustained inappropriate behavior, harassment individual, aggression toward disparagement classes individuals. 
Consequence: permanent ban sort public interaction within community.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"attribution","dir":"","previous_headings":"","what":"Attribution","title":"Contributor Covenant Code of Conduct","text":"Code Conduct adapted Contributor Covenant, version 2.1, available https://www.contributor-covenant.org/version/2/1/code_of_conduct.html. Community Impact Guidelines inspired [Mozilla’s code conduct enforcement ladder][https://github.com/mozilla/inclusion]. answers common questions code conduct, see FAQ https://www.contributor-covenant.org/faq. Translations available https://www.contributor-covenant.org/translations.","code":""},{"path":"http://getwilds.org/rls/LICENSE.html","id":null,"dir":"","previous_headings":"","what":"MIT License","title":"MIT License","text":"Copyright (c) 2024 rls authors Permission hereby granted, free charge, person obtaining copy software associated documentation files (“Software”), deal Software without restriction, including without limitation rights use, copy, modify, merge, publish, distribute, sublicense, /sell copies Software, permit persons Software furnished , subject following conditions: copyright notice permission notice shall included copies substantial portions Software. SOFTWARE PROVIDED “”, WITHOUT WARRANTY KIND, EXPRESS IMPLIED, INCLUDING LIMITED WARRANTIES MERCHANTABILITY, FITNESS PARTICULAR PURPOSE NONINFRINGEMENT. 
EVENT SHALL AUTHORS COPYRIGHT HOLDERS LIABLE CLAIM, DAMAGES LIABILITY, WHETHER ACTION CONTRACT, TORT OTHERWISE, ARISING , CONNECTION SOFTWARE USE DEALINGS SOFTWARE.","code":""},{"path":"http://getwilds.org/rls/articles/rls.html","id":"start-postgresql-locally","dir":"Articles","previous_headings":"","what":"Start PostgreSQL locally","title":"Getting Started","text":"Start Postgres however .","code":""},{"path":"http://getwilds.org/rls/articles/rls.html","id":"create-a-connection","dir":"Articles","previous_headings":"","what":"Create a connection","title":"Getting Started","text":"","code":"con <- dbConnect(Postgres())"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"create-a-table","dir":"Articles","previous_headings":"","what":"Create a table","title":"Getting Started","text":"","code":"invisible(dbExecute(con, \" CREATE TABLE passwd ( user_name text UNIQUE NOT NULL, pwhash text, uid int PRIMARY KEY, gid int NOT NULL, real_name text NOT NULL, home_phone text, extra_info text, home_dir text NOT NULL, shell text NOT NULL ); \")) sample_data <- tribble( ~user_name, ~pwhash, ~uid, ~gid, ~real_name, ~home_phone, ~extra_info, ~home_dir, ~shell, 'admin','xxx',0,0,'Admin','111-222-3333',NULL,'/root','/bin/dash', 'bob','xxx',1,1,'Bob','123-456-7890',NULL,'/home/bob','/bin/zsh', 'alice','xxx',2,1,'Alice','098-765-4321',NULL,'/home/alice','/bin/zsh' ) dbAppendTable(con, \"passwd\", sample_data) #> [1] 3"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"create-roles","dir":"Articles","previous_headings":"","what":"Create roles","title":"Getting Started","text":"","code":"# Administrator dbExecute(con, \"CREATE ROLE admin\") # Normal user dbExecute(con, \"CREATE ROLE bob\") # Another normal user dbExecute(con, \"CREATE ROLE alice\")"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"enable-row-level-security","dir":"Articles","previous_headings":"","what":"Enable row level security","title":"Getting Started","text":"Enable row level security 
rls_enable check worked rls_check_status","code":"rls_enable(con, \"passwd\") rls_check_status(con, \"passwd\") #> # A tibble: 1 × 3 #> relname relrowsecurity relforcerowsecurity #> #> 1 passwd TRUE FALSE"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"create-row-level-security-policies","dir":"Articles","previous_headings":"","what":"Create row level security policies","title":"Getting Started","text":"admin_all = Administrator can see rows add rows all_view = Normal users can view rows user_mod = Normal users can update records, limit shells normal user allowed set","code":"(policy1 <- rls_construct_policy( name = \"admin_all\", on = \"passwd\", to = \"admin\", using = \"(true)\", with = \"(true)\" )) #> #> policy name: admin_all #> on: passwd #> to: admin #> using: (true) #> with: (true) rls_create_policy(con, policy1) rls_policies(con) #> # A tibble: 1 × 8 #> schemaname tablename policyname permissive roles cmd qual with_check #> #> 1 public passwd admin_all PERMISSIVE {admin} ALL true true (policy2 <- rls_construct_policy( name = \"all_view\", on = \"passwd\", for_ = \"SELECT\", using = \"(true)\" )) #> #> policy name: all_view #> on: passwd #> for: SELECT #> using: (true) rls_create_policy(con, policy2) rls_policies(con) #> # A tibble: 2 × 8 #> schemaname tablename policyname permissive roles cmd qual with_check #> #> 1 public passwd admin_all PERMISSIVE {admin} ALL true true #> 2 public passwd all_view PERMISSIVE {public} SELECT true (policy3 <- rls_construct_policy( name = \"user_mod\", on = \"passwd\", for_ = \"UPDATE\", using = \"(current_user = user_name)\", with = \"( current_user = user_name AND shell IN ('/bin/bash','/bin/sh','/bin/dash','/bin/zsh','/bin/tcsh') )\" )) #> #> policy name: user_mod #> on: passwd #> for: UPDATE #> using: (current_user = user_name) #> with: ( #> current_user = user_name AND #> shell IN ('/bin/bash','/bin/sh','/bin/dash','/bin/zsh','/bin/tcsh') #> ) rls_create_policy(con, policy3) rls_policies(con) #> # A 
tibble: 3 × 8 #> schemaname tablename policyname permissive roles cmd qual with_check #> #> 1 public passwd admin_all PERMISSIVE {admin} ALL true true #> 2 public passwd all_view PERMISSIVE {public} SELECT true #> 3 public passwd user_mod PERMISSIVE {public} UPDATE (CURR… ((CURRENT…"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"grant-permissions","dir":"Articles","previous_headings":"","what":"Grant permissions","title":"Getting Started","text":"Allow admin normal rights Users get select access public columns Allow users update certain columns","code":"dbExecute(con, \"GRANT SELECT, INSERT, UPDATE, DELETE ON passwd TO admin\") dbExecute(con, \"GRANT SELECT (user_name, uid, gid, real_name, home_phone, extra_info, home_dir, shell) ON passwd TO public\" ) dbExecute(con, \"GRANT UPDATE (pwhash, real_name, home_phone, extra_info, shell) ON passwd TO public\" )"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"ensure-the-system-behaves-as-expected","dir":"Articles","previous_headings":"","what":"Ensure the system behaves as expected","title":"Getting Started","text":"Alice can change password; RLS silently prevents updating rows","code":"dbExecute(con, \"SET SESSION AUTHORIZATION admin\") #> [1] 0 dbGetQuery(con, \"SELECT * from passwd\") #> user_name pwhash uid gid real_name home_phone extra_info home_dir #> 1 admin xxx 0 0 Admin 111-222-3333 /root #> 2 bob xxx 1 1 Bob 123-456-7890 /home/bob #> 3 alice xxx 2 1 Alice 098-765-4321 /home/alice #> shell #> 1 /bin/dash #> 2 /bin/zsh #> 3 /bin/zsh dbExecute(con, \"SET SESSION AUTHORIZATION alice\") #> [1] 0 dbGetQuery(con, \"SELECT * from passwd\") #> Error: Failed to fetch row : ERROR: permission denied for table passwd dbGetQuery(con, \"SELECT user_name,real_name,home_phone,extra_info,home_dir,shell FROM passwd\") #> user_name real_name home_phone extra_info home_dir shell #> 1 admin Admin 111-222-3333 /root /bin/dash #> 2 bob Bob 123-456-7890 /home/bob /bin/zsh #> 3 alice Alice 098-765-4321 
/home/alice /bin/zsh dbExecute(con, \"UPDATE passwd SET user_name = 'joe'\") #> Error: Failed to fetch row : ERROR: permission denied for table passwd dbExecute(con, \"UPDATE passwd SET real_name = 'Alice Doe'\") #> [1] 1 dbExecute(con, \"UPDATE passwd SET real_name = 'John Doe' WHERE user_name = 'admin'\") #> [1] 0 dbExecute(con, \"UPDATE passwd SET shell = '/bin/xx'\") #> Error: Failed to fetch row : ERROR: new row violates row-level security policy for table \"passwd\" dbExecute(con, \"DELETE from passwd\") #> Error: Failed to fetch row : ERROR: permission denied for table passwd dbExecute(con, \"INSERT INTO passwd (user_name) VALUES ('xxx')\") #> Error: Failed to fetch row : ERROR: permission denied for table passwd dbExecute(con, \"UPDATE passwd SET pwhash = 'abc'\") #> [1] 1"},{"path":"http://getwilds.org/rls/authors.html","id":null,"dir":"","previous_headings":"","what":"Authors","title":"Authors and Citation","text":"Scott Chamberlain. Author, maintainer.","code":""},{"path":"http://getwilds.org/rls/authors.html","id":"citation","dir":"","previous_headings":"","what":"Citation","title":"Authors and Citation","text":"Chamberlain S (2024). rls: Row Level Security. 
R package version 0.0.1.91, http://getwilds.org/rls, https://github.com/getwilds/rls.","code":"@Manual{, title = {rls: Row Level Security}, author = {Scott Chamberlain}, year = {2024}, note = {R package version 0.0.1.91, http://getwilds.org/rls}, url = {https://github.com/getwilds/rls}, }"},{"path":"http://getwilds.org/rls/index.html","id":"rls","dir":"","previous_headings":"","what":"Row Level Security","title":"Row Level Security","text":"Row Level Security stuff","code":""},{"path":"http://getwilds.org/rls/index.html","id":"installation","dir":"","previous_headings":"","what":"Installation","title":"Row Level Security","text":"Development version","code":"# install.packages(\"pak\") pak::pak(\"getwilds/rls\")"},{"path":"http://getwilds.org/rls/index.html","id":"get-started","dir":"","previous_headings":"","what":"Get started","title":"Row Level Security","text":"Go Getting Stared vignette walk-using row level security PostgreSQL.","code":""},{"path":"http://getwilds.org/rls/index.html","id":"bugs-features","dir":"","previous_headings":"","what":"Bugs? Features?","title":"Row Level Security","text":"Open issue issue tracker.","code":""},{"path":"http://getwilds.org/rls/index.html","id":"contributors","dir":"","previous_headings":"","what":"Contributors","title":"Row Level Security","text":"package follows Git Flow.","code":""},{"path":"http://getwilds.org/rls/index.html","id":"code-of-conduct","dir":"","previous_headings":"","what":"Code of Conduct","title":"Row Level Security","text":"Please note rls project released Contributor Code Conduct. contributing project, agree abide terms.","code":""},{"path":"http://getwilds.org/rls/index.html","id":"license","dir":"","previous_headings":"","what":"License","title":"Row Level Security","text":"MIT","code":""},{"path":"http://getwilds.org/rls/reference/has_postgres.html","id":null,"dir":"Reference","previous_headings":"","what":"has postgres? — has_postgres","title":"has postgres? 
— has_postgres","text":"postgres?","code":""},{"path":"http://getwilds.org/rls/reference/has_postgres.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"has postgres? — has_postgres","text":"","code":"has_postgres(...)"},{"path":"http://getwilds.org/rls/reference/has_postgres.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"has postgres? — has_postgres","text":"... args passed DBI::dbConnect()","code":""},{"path":"http://getwilds.org/rls/reference/has_postgres.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"has postgres? — has_postgres","text":"boolean, TRUE Postgres app can can connected , FALSE ","code":""},{"path":"http://getwilds.org/rls/reference/rls-package.html","id":null,"dir":"Reference","previous_headings":"","what":"rls: Row Level Security — rls-package","title":"rls: Row Level Security — rls-package","text":"Row level security helpers. Currenlty supports PostgreSQL Redshift flavored PostgreSQL.","code":""},{"path":[]},{"path":"http://getwilds.org/rls/reference/rls-package.html","id":"author","dir":"Reference","previous_headings":"","what":"Author","title":"rls: Row Level Security — rls-package","text":"Maintainer: Scott Chamberlain sachamber@fredhutch.org (ORCID)","code":""},{"path":"http://getwilds.org/rls/reference/rls_check_status.html","id":null,"dir":"Reference","previous_headings":"","what":"Check row level security status of a table — rls_check_status","title":"Check row level security status of a table — rls_check_status","text":"Check row level security status table","code":""},{"path":"http://getwilds.org/rls/reference/rls_check_status.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"Check row level security status of a table — rls_check_status","text":"","code":"rls_check_status(con, 
table)"},{"path":"http://getwilds.org/rls/reference/rls_check_status.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"Check row level security status of a table — rls_check_status","text":"con DBI database connection object. required. supports postgres redshift connections table (character) table name. required","code":""},{"path":"http://getwilds.org/rls/reference/rls_check_status.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"Check row level security status of a table — rls_check_status","text":"tibble columns: relname relrowsecurity relforcerowsecurity","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":null,"dir":"Reference","previous_headings":"","what":"Construct a row level security policy — rls_construct_policy","title":"Construct a row level security policy — rls_construct_policy","text":"Construct row level security policy","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"Construct a row level security policy — rls_construct_policy","text":"","code":"rls_construct_policy( name, on, as = NULL, for_ = NULL, to = NULL, using = NULL, with = NULL )"},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"Construct a row level security policy — rls_construct_policy","text":"name (character) policy name. required (character) table apply policy . required (character) permissive (default) restrictive. permissive combines \"\" restrictive combines \"\" for_ (character) permissive (default) restrictive. (character) role(s) policy applied. default PUBLIC, apply policy roles. 
using (character) Specifies filter applied clause query (character) check condition","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"Construct a row level security policy — rls_construct_policy","text":"s3 object class rls_policy","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"references","dir":"Reference","previous_headings":"","what":"References","title":"Construct a row level security policy — rls_construct_policy","text":"https://www.postgresql.org/docs/current/sql-createpolicy.html","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"ref-examples","dir":"Reference","previous_headings":"","what":"Examples","title":"Construct a row level security policy — rls_construct_policy","text":"","code":"x <- rls_construct_policy( name = \"hide_confidential\", on = \"sometable\", with = \"confidential BOOLEAN\", using = \"confidential = false\" ) x #> #> policy name: hide_confidential #> on: sometable #> using: confidential = false #> with: confidential BOOLEAN"},{"path":"http://getwilds.org/rls/reference/rls_create_policy.html","id":null,"dir":"Reference","previous_headings":"","what":"Create a row level security policy — rls_create_policy","title":"Create a row level security policy — rls_create_policy","text":"Create row level security policy","code":""},{"path":"http://getwilds.org/rls/reference/rls_create_policy.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"Create a row level security policy — rls_create_policy","text":"","code":"rls_create_policy(con, policy)"},{"path":"http://getwilds.org/rls/reference/rls_create_policy.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"Create a row level security policy — rls_create_policy","text":"con DBI database connection object policy (list) policy derived 
rls_construct_policy()","code":""},{"path":"http://getwilds.org/rls/reference/rls_create_policy.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"Create a row level security policy — rls_create_policy","text":"scalar numeric specifies number rows affected statement, invisibly","code":""},{"path":"http://getwilds.org/rls/reference/rls_create_policy.html","id":"ref-examples","dir":"Reference","previous_headings":"","what":"Examples","title":"Create a row level security policy — rls_create_policy","text":"","code":"if (FALSE) { # interactive() && has_postgres() library(DBI) library(RPostgres) con <- dbConnect(Postgres()) dbCreateTable(con, \"sometable\", mtcars) policy1 <- rls_construct_policy( name = \"hide_confidential\", on = \"sometable\", using = \"(true)\" ) policy1 rls_create_policy(con, policy1) rls_policies(con) policy2 <- rls_construct_policy( name = \"policy_concerts\", on = \"sometable\", for_ = \"SELECT\", using = \"(true)\" ) policy2 rls_create_policy(con, policy2) rls_policies(con) # cleanup rls_drop_policy(con, policy1) rls_drop_policy(con, policy2) dbDisconnect(con) }"},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":null,"dir":"Reference","previous_headings":"","what":"Drop a row level security policy — rls_drop_policy","title":"Drop a row level security policy — rls_drop_policy","text":"Drop row level security policy","code":""},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"Drop a row level security policy — rls_drop_policy","text":"","code":"rls_drop_policy(con, policy = NULL, name = NULL, table = NULL)"},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"Drop a row level security policy — rls_drop_policy","text":"con DBI database connection object policy (list) policy derived 
rls_construct_policy() name (character) policy name. optional table (character) table name. optional","code":""},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"Drop a row level security policy — rls_drop_policy","text":"scalar numeric specifies number rows affected statement, invisibly","code":""},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"details","dir":"Reference","previous_headings":"","what":"Details","title":"Drop a row level security policy — rls_drop_policy","text":"policy supplied, name table required. policy supplied, name table need supplied.","code":""},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"references","dir":"Reference","previous_headings":"","what":"References","title":"Drop a row level security policy — rls_drop_policy","text":"https://www.postgresql.org/docs/current/sql-droppolicy.html","code":""},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"ref-examples","dir":"Reference","previous_headings":"","what":"Examples","title":"Drop a row level security policy — rls_drop_policy","text":"","code":"if (FALSE) { # interactive() && has_postgres() library(DBI) library(RPostgres) con <- dbConnect(Postgres()) dbCreateTable(con, \"atable\", mtcars) policy1 <- rls_construct_policy( name = \"hide_confidential\", on = \"atable\", using = \"(true)\" ) policy1 rls_create_policy(con, policy1) rls_policies(con) rls_drop_policy(con, policy1) rls_policies(con) dbDisconnect(con) }"},{"path":"http://getwilds.org/rls/reference/rls_enable.html","id":null,"dir":"Reference","previous_headings":"","what":"Enable row level security on a table — rls_enable","title":"Enable row level security on a table — rls_enable","text":"Enable row level security 
table","code":""},{"path":"http://getwilds.org/rls/reference/rls_enable.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"Enable row level security on a table — rls_enable","text":"","code":"rls_enable(con, table) rls_disable(con, table)"},{"path":"http://getwilds.org/rls/reference/rls_enable.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"Enable row level security on a table — rls_enable","text":"con DBI database connection object. required. supports postgres redshift connections table (character) table name. required","code":""},{"path":"http://getwilds.org/rls/reference/rls_enable.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"Enable row level security on a table — rls_enable","text":"scalar numeric specifies number rows affected statement, invisibly","code":""},{"path":"http://getwilds.org/rls/reference/rls_enable.html","id":"ref-examples","dir":"Reference","previous_headings":"","what":"Examples","title":"Enable row level security on a table — rls_enable","text":"","code":"if (FALSE) { # has_postgres() library(DBI) library(RPostgres) con <- dbConnect(Postgres()) dbListTables(con) dbWriteTable(con, \"mtcars\", mtcars, temporary = TRUE) rls_enable(con, table = \"mtcars\") rls_check_status(con, \"mtcars\") rls_disable(con, table = \"mtcars\") rls_check_status(con, \"mtcars\") dbRemoveTable(con, \"mtcars\") dbDisconnect(con) }"},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":null,"dir":"Reference","previous_headings":"","what":"List row level security policies — rls_policies","title":"List row level security policies — rls_policies","text":"List row level security policies","code":""},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"List row level security policies — 
rls_policies","text":"","code":"rls_policies(con)"},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"List row level security policies — rls_policies","text":"con DBI database connection object. required. supports postgres redshift connections","code":""},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"List row level security policies — rls_policies","text":"tibble RLS policies","code":""},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":"details","dir":"Reference","previous_headings":"","what":"Details","title":"List row level security policies — rls_policies","text":"difference postgres redshift use different table names RLS policies: Postgres: pg_policies Redshift: svv_rls_policy","code":""},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":"ref-examples","dir":"Reference","previous_headings":"","what":"Examples","title":"List row level security policies — rls_policies","text":"","code":"if (FALSE) { # has_postgres() library(DBI) library(RPostgres) con <- dbConnect(Postgres()) dbWriteTable(con, \"attitude\", attitude, temporary = TRUE) my_policy <- rls_construct_policy( name = \"all_view\", on = \"attitude\", for_ = \"SELECT\", using = \"(true)\" ) rls_create_policy(con, my_policy) rls_policies(con) dbRemoveTable(con, \"attitude\") dbDisconnect(con) }"},{"path":"http://getwilds.org/rls/news/index.html","id":"rls-00191","dir":"Changelog","previous_headings":"","what":"rls 0.0.1.91","title":"rls 0.0.1.91","text":"ready yet","code":""}]
+[{"path":[]},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"our-pledge","dir":"","previous_headings":"","what":"Our Pledge","title":"Contributor Covenant Code of Conduct","text":"members, contributors, leaders pledge make participation community harassment-free experience everyone, regardless age, body size, visible invisible disability, ethnicity, sex characteristics, gender identity expression, level experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, sexual identity orientation. pledge act interact ways contribute open, welcoming, diverse, inclusive, healthy community.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"our-standards","dir":"","previous_headings":"","what":"Our Standards","title":"Contributor Covenant Code of Conduct","text":"Examples behavior contributes positive environment community include: Demonstrating empathy kindness toward people respectful differing opinions, viewpoints, experiences Giving gracefully accepting constructive feedback Accepting responsibility apologizing affected mistakes, learning experience Focusing best just us individuals, overall community Examples unacceptable behavior include: use sexualized language imagery, sexual attention advances kind Trolling, insulting derogatory comments, personal political attacks Public private harassment Publishing others’ private information, physical email address, without explicit permission conduct reasonably considered inappropriate professional setting","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"enforcement-responsibilities","dir":"","previous_headings":"","what":"Enforcement Responsibilities","title":"Contributor Covenant Code of Conduct","text":"Community leaders responsible clarifying enforcing standards acceptable behavior take appropriate fair corrective action response behavior deem inappropriate, threatening, offensive, harmful. 
Community leaders right responsibility remove, edit, reject comments, commits, code, wiki edits, issues, contributions aligned Code Conduct, communicate reasons moderation decisions appropriate.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"scope","dir":"","previous_headings":"","what":"Scope","title":"Contributor Covenant Code of Conduct","text":"Code Conduct applies within community spaces, also applies individual officially representing community public spaces. Examples representing community include using official e-mail address, posting via official social media account, acting appointed representative online offline event.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"enforcement","dir":"","previous_headings":"","what":"Enforcement","title":"Contributor Covenant Code of Conduct","text":"Instances abusive, harassing, otherwise unacceptable behavior may reported community leaders responsible enforcement sachamber@fredhutch.org. complaints reviewed investigated promptly fairly. community leaders obligated respect privacy security reporter incident.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"enforcement-guidelines","dir":"","previous_headings":"","what":"Enforcement Guidelines","title":"Contributor Covenant Code of Conduct","text":"Community leaders follow Community Impact Guidelines determining consequences action deem violation Code Conduct:","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"id_1-correction","dir":"","previous_headings":"Enforcement Guidelines","what":"1. Correction","title":"Contributor Covenant Code of Conduct","text":"Community Impact: Use inappropriate language behavior deemed unprofessional unwelcome community. Consequence: private, written warning community leaders, providing clarity around nature violation explanation behavior inappropriate. 
public apology may requested.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"id_2-warning","dir":"","previous_headings":"Enforcement Guidelines","what":"2. Warning","title":"Contributor Covenant Code of Conduct","text":"Community Impact: violation single incident series actions. Consequence: warning consequences continued behavior. interaction people involved, including unsolicited interaction enforcing Code Conduct, specified period time. includes avoiding interactions community spaces well external channels like social media. Violating terms may lead temporary permanent ban.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"id_3-temporary-ban","dir":"","previous_headings":"Enforcement Guidelines","what":"3. Temporary Ban","title":"Contributor Covenant Code of Conduct","text":"Community Impact: serious violation community standards, including sustained inappropriate behavior. Consequence: temporary ban sort interaction public communication community specified period time. public private interaction people involved, including unsolicited interaction enforcing Code Conduct, allowed period. Violating terms may lead permanent ban.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"id_4-permanent-ban","dir":"","previous_headings":"Enforcement Guidelines","what":"4. Permanent Ban","title":"Contributor Covenant Code of Conduct","text":"Community Impact: Demonstrating pattern violation community standards, including sustained inappropriate behavior, harassment individual, aggression toward disparagement classes individuals. 
Consequence: permanent ban sort public interaction within community.","code":""},{"path":"http://getwilds.org/rls/CODE_OF_CONDUCT.html","id":"attribution","dir":"","previous_headings":"","what":"Attribution","title":"Contributor Covenant Code of Conduct","text":"Code Conduct adapted Contributor Covenant, version 2.1, available https://www.contributor-covenant.org/version/2/1/code_of_conduct.html. Community Impact Guidelines inspired [Mozilla’s code conduct enforcement ladder][https://github.com/mozilla/inclusion]. answers common questions code conduct, see FAQ https://www.contributor-covenant.org/faq. Translations available https://www.contributor-covenant.org/translations.","code":""},{"path":"http://getwilds.org/rls/LICENSE.html","id":null,"dir":"","previous_headings":"","what":"MIT License","title":"MIT License","text":"Copyright (c) 2024 rls authors Permission hereby granted, free charge, person obtaining copy software associated documentation files (“Software”), deal Software without restriction, including without limitation rights use, copy, modify, merge, publish, distribute, sublicense, /sell copies Software, permit persons Software furnished , subject following conditions: copyright notice permission notice shall included copies substantial portions Software. SOFTWARE PROVIDED “”, WITHOUT WARRANTY KIND, EXPRESS IMPLIED, INCLUDING LIMITED WARRANTIES MERCHANTABILITY, FITNESS PARTICULAR PURPOSE NONINFRINGEMENT. 
EVENT SHALL AUTHORS COPYRIGHT HOLDERS LIABLE CLAIM, DAMAGES LIABILITY, WHETHER ACTION CONTRACT, TORT OTHERWISE, ARISING , CONNECTION SOFTWARE USE DEALINGS SOFTWARE.","code":""},{"path":"http://getwilds.org/rls/articles/rls.html","id":"start-postgresql-locally","dir":"Articles","previous_headings":"","what":"Start PostgreSQL locally","title":"Getting Started","text":"Start Postgres however .","code":""},{"path":"http://getwilds.org/rls/articles/rls.html","id":"create-a-connection","dir":"Articles","previous_headings":"","what":"Create a connection","title":"Getting Started","text":"","code":"con <- dbConnect(Postgres())"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"create-a-table","dir":"Articles","previous_headings":"","what":"Create a table","title":"Getting Started","text":"Create table (data) sample data Append rows passwd table Check data table","code":"invisible(dbExecute(con, \" CREATE TABLE passwd ( user_name text UNIQUE NOT NULL, pwhash text, uid int PRIMARY KEY, gid int NOT NULL, real_name text NOT NULL, home_phone text, home_dir text NOT NULL, shell text NOT NULL ); \")) sample_data <- tribble( ~user_name, ~pwhash, ~uid, ~gid, ~real_name, ~home_phone, ~home_dir, ~shell, 'admin','xxx',0,0,'Admin','111-222-3333','/root','/bin/dash', 'bob','xxx',1,1,'Bob','123-456-7890','/home/bob','/bin/zsh', 'alice','xxx',2,1,'Alice','098-765-4321','/home/alice','/bin/zsh' ) rows_append( tbl(con, \"passwd\"), copy_inline(con, sample_data), in_place = TRUE ) tbl(con, \"passwd\") #> # Source: table<\"passwd\"> [3 x 8] #> # Database: postgres [schambe3@/tmp:5432/schambe3] #> user_name pwhash uid gid real_name home_phone home_dir shell #> #> 1 admin xxx 0 0 Admin 111-222-3333 /root /bin/dash #> 2 bob xxx 1 1 Bob 123-456-7890 /home/bob /bin/zsh #> 3 alice xxx 2 1 Alice 098-765-4321 /home/alice /bin/zsh"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"create-roles","dir":"Articles","previous_headings":"","what":"Create roles","title":"Getting 
Started","text":"","code":"# Administrator dbExecute(con, \"CREATE ROLE admin\") # Normal user dbExecute(con, \"CREATE ROLE bob\") # Another normal user dbExecute(con, \"CREATE ROLE alice\")"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"enable-row-level-security","dir":"Articles","previous_headings":"","what":"Enable row level security","title":"Getting Started","text":"Enable row level security rls_enable check worked rls_check_status","code":"rls_enable(con, \"passwd\") rls_check_status(con, \"passwd\") #> # A tibble: 1 × 3 #> relname relrowsecurity relforcerowsecurity #> #> 1 passwd TRUE FALSE"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"create-row-level-security-policies","dir":"Articles","previous_headings":"","what":"Create row level security policies","title":"Getting Started","text":"admin_all = Administrator can see rows add rows all_view = Normal users can view rows user_mod = Normal users can update records, limit shells normal user allowed set","code":"(policy1 <- rls_construct_policy( name = \"admin_all\", table = \"passwd\", role = \"admin\", using = \"(true)\", check = \"(true)\" )) #> #> policy name: admin_all #> table: passwd #> role: admin #> using: (true) #> check: (true) rls_create_policy(con, policy1) rls_policies(con) #> # A tibble: 1 × 8 #> schemaname tablename policyname permissive roles cmd qual with_check #> #> 1 public passwd admin_all PERMISSIVE {admin} ALL true true (policy2 <- rls_construct_policy( name = \"all_view\", table = \"passwd\", command = \"SELECT\", using = \"(true)\" )) #> #> policy name: all_view #> table: passwd #> command: SELECT #> using: (true) rls_create_policy(con, policy2) rls_policies(con) #> # A tibble: 2 × 8 #> schemaname tablename policyname permissive roles cmd qual with_check #> #> 1 public passwd admin_all PERMISSIVE {admin} ALL true true #> 2 public passwd all_view PERMISSIVE {public} SELECT true (policy3 <- rls_construct_policy( name = \"user_mod\", table = \"passwd\", command = 
\"UPDATE\", using = \"(current_user = user_name)\", check = \"( current_user = user_name AND shell IN ('/bin/bash','/bin/sh','/bin/dash','/bin/zsh','/bin/tcsh') )\" )) #> #> policy name: user_mod #> table: passwd #> command: UPDATE #> using: (current_user = user_name) #> check: ( #> current_user = user_name AND #> shell IN ('/bin/bash','/bin/sh','/bin/dash','/bin/zsh','/bin/tcsh') #> ) rls_create_policy(con, policy3) rls_policies(con) #> # A tibble: 3 × 8 #> schemaname tablename policyname permissive roles cmd qual with_check #> #> 1 public passwd admin_all PERMISSIVE {admin} ALL true true #> 2 public passwd all_view PERMISSIVE {public} SELECT true #> 3 public passwd user_mod PERMISSIVE {public} UPDATE (CURR… ((CURRENT…"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"grant-permissions","dir":"Articles","previous_headings":"","what":"Grant permissions","title":"Getting Started","text":"Allow admin normal rights Users get select access public columns Allow users update certain columns","code":"dbExecute(con, \"GRANT SELECT, INSERT, UPDATE, DELETE ON passwd TO admin\") dbExecute(con, \"GRANT SELECT (user_name, uid, gid, real_name, home_phone, home_dir, shell) ON passwd TO public\" ) dbExecute(con, \"GRANT UPDATE (pwhash, real_name, home_phone, shell) ON passwd TO public\" )"},{"path":"http://getwilds.org/rls/articles/rls.html","id":"ensure-the-system-behaves-as-expected","dir":"Articles","previous_headings":"","what":"Ensure the system behaves as expected","title":"Getting Started","text":"Admin can access columns Alice can access columns Alice can access columns except pwhash Alice can UPDATE operations certain columns (case user_name) Alice can however update real_name can update real_name, update doesn’t alter rows clause user_name Alice can update shell column invalid value defined row-level security policy Alice can delete passwd table can insert operations Alice can change password; RLS silently prevents updating rows","code":"dbExecute(con, \"SET 
SESSION AUTHORIZATION admin\") #> [1] 0 tbl(con, \"passwd\") #> # Source: table<\"passwd\"> [3 x 8] #> # Database: postgres [schambe3@/tmp:5432/schambe3] #> user_name pwhash uid gid real_name home_phone home_dir shell #> #> 1 admin xxx 0 0 Admin 111-222-3333 /root /bin/dash #> 2 bob xxx 1 1 Bob 123-456-7890 /home/bob /bin/zsh #> 3 alice xxx 2 1 Alice 098-765-4321 /home/alice /bin/zsh dbExecute(con, \"SET SESSION AUTHORIZATION alice\") #> [1] 0 tbl(con, \"passwd\") # \"passwd\" here means \"SELECT * from passwd\" #> Error in `db_query_fields.DBIConnection()`: #> ! Can't query fields. #> ℹ Using SQL: SELECT * FROM \"passwd\" AS \"q01\" WHERE (0 = 1) #> Caused by error: #> ! Failed to fetch row : ERROR: permission denied for table passwd sql1 <- sql(\"SELECT user_name,real_name,home_phone,home_dir,shell FROM passwd\") tbl(con, sql1) #> # Source: SQL [3 x 5] #> # Database: postgres [schambe3@/tmp:5432/schambe3] #> user_name real_name home_phone home_dir shell #> #> 1 admin Admin 111-222-3333 /root /bin/dash #> 2 bob Bob 123-456-7890 /home/bob /bin/zsh #> 3 alice Alice 098-765-4321 /home/alice /bin/zsh dbExecute(con, \"UPDATE passwd SET user_name = 'joe'\") #> Error: Failed to fetch row : ERROR: permission denied for table passwd dbExecute(con, \"UPDATE passwd SET real_name = 'Alice Doe'\") #> [1] 1 dbExecute(con, \"UPDATE passwd SET real_name = 'John Doe' WHERE user_name = 'admin'\") #> [1] 0 dbExecute(con, \"UPDATE passwd SET shell = '/bin/xx'\") #> Error: Failed to fetch row : ERROR: new row violates row-level security policy for table \"passwd\" dbExecute(con, \"DELETE from passwd\") #> Error: Failed to fetch row : ERROR: permission denied for table passwd dbExecute(con, \"INSERT INTO passwd (user_name) VALUES ('xxx')\") #> Error: Failed to fetch row : ERROR: permission denied for table passwd dbExecute(con, \"UPDATE passwd SET pwhash = 'abc'\") #> [1] 
1"},{"path":"http://getwilds.org/rls/authors.html","id":null,"dir":"","previous_headings":"","what":"Authors","title":"Authors and Citation","text":"Scott Chamberlain. Author, maintainer.","code":""},{"path":"http://getwilds.org/rls/authors.html","id":"citation","dir":"","previous_headings":"","what":"Citation","title":"Authors and Citation","text":"Chamberlain S (2024). rls: Row Level Security. R package version 0.0.1.94, http://getwilds.org/rls, https://github.com/getwilds/rls.","code":"@Manual{, title = {rls: Row Level Security}, author = {Scott Chamberlain}, year = {2024}, note = {R package version 0.0.1.94, http://getwilds.org/rls}, url = {https://github.com/getwilds/rls}, }"},{"path":"http://getwilds.org/rls/index.html","id":"rls","dir":"","previous_headings":"","what":"Row Level Security","title":"Row Level Security","text":"Row Level Security stuff","code":""},{"path":"http://getwilds.org/rls/index.html","id":"installation","dir":"","previous_headings":"","what":"Installation","title":"Row Level Security","text":"Development version","code":"# install.packages(\"pak\") pak::pak(\"getwilds/rls\")"},{"path":"http://getwilds.org/rls/index.html","id":"get-started","dir":"","previous_headings":"","what":"Get started","title":"Row Level Security","text":"Go Getting Stared vignette walk-using row level security PostgreSQL.","code":""},{"path":"http://getwilds.org/rls/index.html","id":"bugs-features","dir":"","previous_headings":"","what":"Bugs? Features?","title":"Row Level Security","text":"Open issue issue tracker.","code":""},{"path":"http://getwilds.org/rls/index.html","id":"contributors","dir":"","previous_headings":"","what":"Contributors","title":"Row Level Security","text":"package follows Git Flow.","code":""},{"path":"http://getwilds.org/rls/index.html","id":"code-of-conduct","dir":"","previous_headings":"","what":"Code of Conduct","title":"Row Level Security","text":"Please note rls project released Contributor Code Conduct. 
contributing project, agree abide terms.","code":""},{"path":"http://getwilds.org/rls/index.html","id":"license","dir":"","previous_headings":"","what":"License","title":"Row Level Security","text":"MIT","code":""},{"path":"http://getwilds.org/rls/reference/has_postgres.html","id":null,"dir":"Reference","previous_headings":"","what":"has postgres? — has_postgres","title":"has postgres? — has_postgres","text":"postgres?","code":""},{"path":"http://getwilds.org/rls/reference/has_postgres.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"has postgres? — has_postgres","text":"","code":"has_postgres(...)"},{"path":"http://getwilds.org/rls/reference/has_postgres.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"has postgres? — has_postgres","text":"... args passed DBI::dbConnect()","code":""},{"path":"http://getwilds.org/rls/reference/has_postgres.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"has postgres? — has_postgres","text":"boolean, TRUE Postgres app can can connected , FALSE ","code":""},{"path":"http://getwilds.org/rls/reference/rls-package.html","id":null,"dir":"Reference","previous_headings":"","what":"rls: Row Level Security — rls-package","title":"rls: Row Level Security — rls-package","text":"Row level security helpers. 
Currenlty supports PostgreSQL Redshift flavored PostgreSQL.","code":""},{"path":[]},{"path":"http://getwilds.org/rls/reference/rls-package.html","id":"author","dir":"Reference","previous_headings":"","what":"Author","title":"rls: Row Level Security — rls-package","text":"Maintainer: Scott Chamberlain sachamber@fredhutch.org (ORCID)","code":""},{"path":"http://getwilds.org/rls/reference/rls_check_status.html","id":null,"dir":"Reference","previous_headings":"","what":"Check row level security status of a table — rls_check_status","title":"Check row level security status of a table — rls_check_status","text":"Check row level security status table","code":""},{"path":"http://getwilds.org/rls/reference/rls_check_status.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"Check row level security status of a table — rls_check_status","text":"","code":"rls_check_status(con, table)"},{"path":"http://getwilds.org/rls/reference/rls_check_status.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"Check row level security status of a table — rls_check_status","text":"con DBI database connection object. required. supports postgres redshift connections table (character) table name. 
required","code":""},{"path":"http://getwilds.org/rls/reference/rls_check_status.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"Check row level security status of a table — rls_check_status","text":"tibble columns: relname relrowsecurity relforcerowsecurity","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":null,"dir":"Reference","previous_headings":"","what":"Construct a row level security policy — rls_construct_policy","title":"Construct a row level security policy — rls_construct_policy","text":"Construct row level security policy","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"Construct a row level security policy — rls_construct_policy","text":"","code":"rls_construct_policy( name, table, as = NULL, command = NULL, role = NULL, using = NULL, check = NULL )"},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"Construct a row level security policy — rls_construct_policy","text":"name (character) name policy created. must distinct name policy table. required table (character) table apply policy . required (character) permissive (default) restrictive. permissive combines \"\" restrictive combines \"\" command (character) command policy applies. Valid options (default), SELECT, INSERT, UPDATE, DELETE role (character) role(s) policy applied. default PUBLIC, apply policy roles. using (character) Specifies filter applied clause query. Rows expression returns true visible. rows expression returns false null visible user (SELECT), available modification (UPDATE DELETE). rows silently suppressed; error reported. check (character) check condition; SQL conditional expression returns boolean. expression used INSERT UPDATE queries table row-level security enabled. 
rows expression evaluates true allowed. evaluated proposed new contents row, original contents","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"Construct a row level security policy — rls_construct_policy","text":"s3 object class rls_policy","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"details","dir":"Reference","previous_headings":"","what":"Details","title":"Construct a row level security policy — rls_construct_policy","text":"chosen intuitive names policy parameters, mapping function parameters PostgreSQL parameters: (function: PostgreSQL) table: command: role: check: ","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"references","dir":"Reference","previous_headings":"","what":"References","title":"Construct a row level security policy — rls_construct_policy","text":"https://www.postgresql.org/docs/current/sql-createpolicy.html","code":""},{"path":"http://getwilds.org/rls/reference/rls_construct_policy.html","id":"ref-examples","dir":"Reference","previous_headings":"","what":"Examples","title":"Construct a row level security policy — rls_construct_policy","text":"","code":"x <- rls_construct_policy( name = \"hide_confidential\", table = \"sometable\", check = \"confidential BOOLEAN\", using = \"confidential = false\" ) x #> #> policy name: hide_confidential #> table: sometable #> using: confidential = false #> check: confidential BOOLEAN"},{"path":"http://getwilds.org/rls/reference/rls_create_policy.html","id":null,"dir":"Reference","previous_headings":"","what":"Create a row level security policy — rls_create_policy","title":"Create a row level security policy — rls_create_policy","text":"Create row level security 
policy","code":""},{"path":"http://getwilds.org/rls/reference/rls_create_policy.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"Create a row level security policy — rls_create_policy","text":"","code":"rls_create_policy(con, policy)"},{"path":"http://getwilds.org/rls/reference/rls_create_policy.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"Create a row level security policy — rls_create_policy","text":"con DBI database connection object policy (list) policy derived rls_construct_policy()","code":""},{"path":"http://getwilds.org/rls/reference/rls_create_policy.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"Create a row level security policy — rls_create_policy","text":"scalar numeric specifies number rows affected statement, invisibly","code":""},{"path":"http://getwilds.org/rls/reference/rls_create_policy.html","id":"ref-examples","dir":"Reference","previous_headings":"","what":"Examples","title":"Create a row level security policy — rls_create_policy","text":"","code":"if (FALSE) { # interactive() && has_postgres() library(DBI) library(RPostgres) con <- dbConnect(Postgres()) dbCreateTable(con, \"sometable\", mtcars) policy1 <- rls_construct_policy( name = \"hide_confidential\", table = \"sometable\", using = \"(true)\" ) policy1 rls_create_policy(con, policy1) rls_policies(con) policy2 <- rls_construct_policy( name = \"policy_concerts\", table = \"sometable\", command = \"SELECT\", using = \"(true)\" ) policy2 rls_create_policy(con, policy2) rls_policies(con) # cleanup rls_drop_policy(con, policy1) rls_drop_policy(con, policy2) dbExecute(con, \"DROP table sometable\") dbDisconnect(con) }"},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":null,"dir":"Reference","previous_headings":"","what":"Drop a row level security policy — rls_drop_policy","title":"Drop a row level security policy — rls_drop_policy","text":"Drop row 
level security policy","code":""},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"Drop a row level security policy — rls_drop_policy","text":"","code":"rls_drop_policy(con, policy = NULL, name = NULL, table = NULL)"},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"Drop a row level security policy — rls_drop_policy","text":"con DBI database connection object policy (list) policy derived rls_construct_policy() name (character) policy name. optional table (character) table name. optional","code":""},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"Drop a row level security policy — rls_drop_policy","text":"scalar numeric specifies number rows affected statement, invisibly","code":""},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"details","dir":"Reference","previous_headings":"","what":"Details","title":"Drop a row level security policy — rls_drop_policy","text":"policy supplied, name table required. 
policy supplied, name table need supplied.","code":""},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"references","dir":"Reference","previous_headings":"","what":"References","title":"Drop a row level security policy — rls_drop_policy","text":"https://www.postgresql.org/docs/current/sql-droppolicy.html","code":""},{"path":"http://getwilds.org/rls/reference/rls_drop_policy.html","id":"ref-examples","dir":"Reference","previous_headings":"","what":"Examples","title":"Drop a row level security policy — rls_drop_policy","text":"","code":"if (FALSE) { # interactive() && has_postgres() library(DBI) library(RPostgres) con <- dbConnect(Postgres()) dbCreateTable(con, \"atable\", mtcars) policy1 <- rls_construct_policy( name = \"hide_confidential\", on = \"atable\", using = \"(true)\" ) policy1 rls_create_policy(con, policy1) rls_policies(con) rls_drop_policy(con, policy1) rls_policies(con) dbDisconnect(con) }"},{"path":"http://getwilds.org/rls/reference/rls_enable.html","id":null,"dir":"Reference","previous_headings":"","what":"Enable row level security on a table — rls_enable","title":"Enable row level security on a table — rls_enable","text":"Enable row level security table","code":""},{"path":"http://getwilds.org/rls/reference/rls_enable.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"Enable row level security on a table — rls_enable","text":"","code":"rls_enable(con, table) rls_disable(con, table)"},{"path":"http://getwilds.org/rls/reference/rls_enable.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"Enable row level security on a table — rls_enable","text":"con DBI database connection object. required. supports postgres redshift connections table (character) table name. 
required","code":""},{"path":"http://getwilds.org/rls/reference/rls_enable.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"Enable row level security on a table — rls_enable","text":"scalar numeric specifies number rows affected statement, invisibly","code":""},{"path":"http://getwilds.org/rls/reference/rls_enable.html","id":"ref-examples","dir":"Reference","previous_headings":"","what":"Examples","title":"Enable row level security on a table — rls_enable","text":"","code":"if (FALSE) { # has_postgres() library(DBI) library(RPostgres) con <- dbConnect(Postgres()) dbListTables(con) dbWriteTable(con, \"mtcars\", mtcars, temporary = TRUE) rls_enable(con, table = \"mtcars\") rls_check_status(con, \"mtcars\") rls_disable(con, table = \"mtcars\") rls_check_status(con, \"mtcars\") dbRemoveTable(con, \"mtcars\") dbDisconnect(con) }"},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":null,"dir":"Reference","previous_headings":"","what":"List row level security policies — rls_policies","title":"List row level security policies — rls_policies","text":"List row level security policies","code":""},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":"ref-usage","dir":"Reference","previous_headings":"","what":"Usage","title":"List row level security policies — rls_policies","text":"","code":"rls_policies(con)"},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":"arguments","dir":"Reference","previous_headings":"","what":"Arguments","title":"List row level security policies — rls_policies","text":"con DBI database connection object. required. 
supports postgres redshift connections","code":""},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":"value","dir":"Reference","previous_headings":"","what":"Value","title":"List row level security policies — rls_policies","text":"tibble RLS policies","code":""},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":"details","dir":"Reference","previous_headings":"","what":"Details","title":"List row level security policies — rls_policies","text":"difference postgres redshift use different table names RLS policies: Postgres: pg_policies Redshift: svv_rls_policy","code":""},{"path":"http://getwilds.org/rls/reference/rls_policies.html","id":"ref-examples","dir":"Reference","previous_headings":"","what":"Examples","title":"List row level security policies — rls_policies","text":"","code":"if (FALSE) { # has_postgres() library(DBI) library(RPostgres) con <- dbConnect(Postgres()) dbWriteTable(con, \"attitude\", attitude, temporary = TRUE) my_policy <- rls_construct_policy( name = \"all_view\", table = \"attitude\", command = \"SELECT\", using = \"(true)\" ) rls_create_policy(con, my_policy) rls_policies(con) dbRemoveTable(con, \"attitude\") dbDisconnect(con) }"},{"path":"http://getwilds.org/rls/news/index.html","id":"rls-00191","dir":"Changelog","previous_headings":"","what":"rls 0.0.1.91","title":"rls 0.0.1.91","text":"ready yet","code":""}]