Row-Level Security (RLS) Deployment Guide
Warning
SingleStore 9.0 gives you the opportunity to preview, evaluate, and provide feedback on new and upcoming features prior to their general availability. In the interim, SingleStore 8.9 is recommended for production workloads, which can later be upgraded to SingleStore 9.0.
On this page
Row-Level Security (RLS) Configuration
Row-Level Security (RLS) allows only those users who have the required permissions to access data by rows in a database.
RLS restricts users' access to data at the database level instead of the application level.
Row-level security in SingleStore is achieved by creating a view on a table with a special roles column.
Setting up a table for row-level security
For a table to be used with row-level security, it must have a VARBINARY column where a row entry in the column contains a comma separated list of roles which have access to that row.
Consider the following table containing 4 rows:
ACCESS_ |
DATA_ |
DATA_ |
DATA_ |
---|---|---|---|
,ROLE_ |
xxxxxx |
xxxxxx |
xxxxxx |
,ROLE_ |
xxxxxx |
xxxxxx |
xxxxxx |
,ROLE_ |
xxxxxx |
xxxxxx |
xxxxxx |
, |
xxxxxx |
xxxxxx |
xxxxxx |
For a given role, the ACCESS_
field will be used to specify which roles have access to that row.DATA_
through DATA_
columns are data stored in a table.
It is important that each role name in ACCESS_
be surrounded by a preceding and trailing comma.
In addition to applying RLS using an access-control list field, you can also restrict access based on the data in the rows of a table.
Creating a new table with row-level security
To create a new table with a roles column use an appropriate version of the following command:
CREATE TABLE <table>(ACCESS_ROLES VARBINARY(<SIZE>) DEFAULT ",", …);
It is important that the default value for ACCESS_
be a comma: ","
for row-level security to work correctly.
The <SIZE>
of the ACCESS_
column should be set to match the expected number of roles.
ALTER TABLE <table> MODIFY COLUMN ACCESS_ROLES VARBINARY(<NEWSIZE>);
Updating an existing table with row-level security
To update an existing table to work with row-level security, use the following command:
ALTER TABLE <table> ADD COLUMN ACCESS_ROLES VARBINARY(<SIZE>) DEFAULT ",";
Once again it is important to set the default value of the ACCESS_
column to a comma (","
) for row-level security control to function correctly.
Granting row access to a role
To give a new role access to a column, append the role name followed by a comma to the column of a table containing role access information.ACCESS_
, then the following query gives the role ROLE
access to all rows whose ID column is 5.
UPDATE <table> SET ACCESS_ROLES=CONCAT(ACCESS_ROLES, "ROLE,") WHERE ID=5;
To give access to multiple roles R1, R2, R3 to rows whose ID column is 5:
UPDATE <table> SET ACCESS_ROLES=CONCAT(ACCESS_ROLES, "R1,R2,R3,") WHERE ID=5;
It is important that each new role added is suffixed with a comma.
Revoking row access from a role
To revoke access from a role, R, on rows whose ID column in a table is 5:
UPDATE <table> SET ACCESS_ROLES=REPLACE(ACCESS_ROLES, ',R,', ',') WHERE ID=5;
It is important for the role name being revoked be surrounded by commas in the REPLACE
function.
Updating and inserting rows in a row-level security table
When updating rows in a row-level security table, it is important to not update the roles access column.
When inserting into a row-level security table, it is important that new values in the roles access column have a default value of a comma.
INSERT INTO <table> (A, B, C) VALUES(…);
Creating Views on row-level security Tables
To restrict access on a row-level security table whose role access column is called ACCESS_
, the following view must be created on the table:
CREATE VIEW <view_name> AS SELECT COLUMNS FROM <table> WHERE SECURITY_LISTS_INTERSECT(CURRENT_SECURITY_ROLES(), ACCESS_ROLES);
Limitations
RLS restricts the results of a query returned for each user based on their permissions but does not guarantee security against side-channel attacks.
A carefully designed query can trigger exceptions on non-permitted data, timing dependence, EXPLAIN command options, etc.
There are mitigations that can be introduced with RLS, for example, turning on audit logging to check for suspicious queries.
Last modified: February 15, 2023