Row Level Security using Go and PostgreSQL

What is Row Level Security (RLS)?

Row level security (RLS for short) is a PostgreSQL security feature provided by the PostgreSQL database. It allows database administrators to define policies to control how specific rows of data display and operate for one or more user roles.

You can create row level security policies for specific commands like SELECT, INSERT, UPDATE, and DELETE or you can specify it for ALL commands.

What to consider when implementing RLS

Enable RLS on a table using ALTER TABLE ... ENABLE ROW LEVEL SECURITY. Without this, policies won’t be applied.
Define RLS policies with the CREATE POLICY command for each table.
Policies control specific operations like SELECT, UPDATE, and DELETE.
They apply only to rows that meet a specified SQL condition.
USING clauses filter existing rows based on the policy condition.
WITH CHECK clauses validate new rows before insertion or modification.
Policies can share the same name across multiple tables, allowing reuse.
Superusers and roles with the BYPASSRLS attribute always bypass the row security system when accessing a table.

Important to note

Enabling and disabling row security, as well as adding policies to a table, is always the privilege of the table owner only.
Each policy has a name and multiple policies can be defined for a table.
When multiple policies apply to a given query, they are combined using either OR (for permissive policies, which are the default) or using AND (for restrictive policies).
A given role has the privileges of all roles that they are a member of.

RLS Example (using Go and GORM)

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
package main

import (
    "fmt"
    "gorm.io/gorm"
    "gorm.io/driver/postgres"
)

// Tenant represents a customer organization
type Tenant struct {
    gorm.Model
    Name string
}

// User represents an application user associated with a tenant
type User struct {
    gorm.Model
    Email     string
    TenantID  uint
    Tenant    Tenant
}

// Data represents any tenant-specific data
type Data struct {
    gorm.Model
    Content   string
    TenantID  uint
    Tenant    Tenant
}

// TenantMiddleware wraps the database connection with tenant context
type TenantMiddleware struct {
    DB *gorm.DB
    CurrentTenantID uint
}

// Initialize RLS policies and create necessary functions
func InitializeRLS(db *gorm.DB) error {
    // Create the security policy function
    _, err := db.Raw(`
        CREATE OR REPLACE FUNCTION tenant_security_policy(tenant_id bigint)
        RETURNS boolean AS $$
        BEGIN
            RETURN (current_setting('app.current_tenant_id')::bigint = tenant_id);
        END;
        $$ LANGUAGE plpgsql;
    `).Exec()
    if err != nil {
        return fmt.Errorf("failed to create security policy function: %v", err)
    }

    // Enable RLS on the data table
    _, err = db.Raw(`
        ALTER TABLE data ENABLE ROW LEVEL SECURITY;
    `).Exec()
    if err != nil {
        return fmt.Errorf("failed to enable RLS: %v", err)
    }

    // Create the RLS policy
    _, err = db.Raw(`
        CREATE POLICY tenant_isolation_policy ON data
        FOR ALL
        USING (tenant_security_policy(tenant_id));
    `).Exec()
    if err != nil {
        return fmt.Errorf("failed to create RLS policy: %v", err)
    }

    return nil
}

// NewTenantMiddleware creates a new middleware instance
func NewTenantMiddleware(db *gorm.DB) *TenantMiddleware {
    return &TenantMiddleware{
        DB: db,
    }
}

// SetTenant sets the current tenant context
func (tm *TenantMiddleware) SetTenant(tenantID uint) error {
    // Set the tenant ID in the PostgreSQL session
    _, err := tm.DB.Raw(
        "SET app.current_tenant_id = ?",
        tenantID,
    ).Exec()

    if err != nil {
        return fmt.Errorf("failed to set tenant context: %v", err)
    }

    tm.CurrentTenantID = tenantID
    return nil
}

// GetDB returns a database connection scoped to the current tenant
func (tm *TenantMiddleware) GetDB() *gorm.DB {
    return tm.DB.Where("tenant_id = ?", tm.CurrentTenantID)
}

// Example usage
func main() {
    // Connect to database
    dsn := "host=localhost user=postgres password=postgres dbname=multitenantdb port=5432 sslmode=disable"
    db, err := gorm.Open(postgres.Open(dsn), &gorm.Config{})
    if err != nil {
        panic("failed to connect to database")
    }

    // Auto-migrate the schemas
    db.AutoMigrate(&Tenant{}, &User{}, &Data{})

    // Initialize RLS
    if err := InitializeRLS(db); err != nil {
        panic(fmt.Sprintf("failed to initialize RLS: %v", err))
    }

    // Create tenant middleware
    tm := NewTenantMiddleware(db)

    // Example of using the tenant-scoped database
    if err := tm.SetTenant(1); err != nil {
        panic(fmt.Sprintf("failed to set tenant: %v", err))
    }

    // All operations will now be scoped to tenant 1
    tenantDB := tm.GetDB()

    // Create data for tenant 1
    data := Data{
        Content: "Tenant 1's data",
        TenantID: 1,
    }
    tenantDB.Create(&data)

    // Query data (will only return tenant 1's data)
    var results []Data
    tenantDB.Find(&results)
}

Limitations and Considerations

RLS may not be suitable for cases requiring complex cross-tenant operations
Additional care is needed when performing bulk operations
Backup and restore operations need to account for RLS policies