Schedule - PGConf APAC 2019

Securing PostgreSQL Database

Date: 2019-03-21
Time: 09:30–10:20
Room: Conference Room
Level: Intermediate

Advanced Authentication

PostgreSQL supports a number of different authentication mechanisms and while many of them are quite simple and easy to use, the enterprise-level authentication systems require setup beyond PostgreSQL and a deeper understanding of how authentication works.

This section will cover all of the authentication mechanisms supported by PostgreSQL, from SCRAM to LDAP, and discuss implementing the two most prevalent enterprise authentication schemes: Kerberos/GSSAPI (used extensively by universities and businesses, and the authentication system for Microsoft Windows) and client-side certificates / SSL (used by many governments and high-security systems).

Authorization in PostgreSQL - Deciphering GRANT

PostgreSQL has a ton of different objects, containers, and permissions that can be granted on them (either explicitly as individual grants, or implicitly as part of another action).

We'll review commonly used objects in PostgreSQL and what the various options are for controlling access to those objects, from schemas and tables, through views which enforce row-based controls, down to sequences and functions.

Row Level Security

PostgreSQL has long had a complex and interesting set of permissions available through the GRANT system. There is another system, which exists in many other RDBMSs, known as row-level security (RLS): the rows returned are filtered based on a policy implemented on the table, and only rows passing that policy are allowed to be added to the table.

In this section, we'll review RLS as implemented in PostgreSQL, provide examples and use-cases, and go over how RLS can be used by applications either through the use of roles or through other means such as with server-side variables.
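As an added illustration of the two approaches named above (not part of the talk, and not PostgreSQL's own documentation), the following SQL puts a role-based permissive policy and a server-side-variable restrictive policy on one table; the table, the roles and the `app.tenant_id` setting name are assumed for the example.

```sql
-- Added example: row-level security driven by roles and by a session variable.
CREATE TABLE orders (
    id      serial PRIMARY KEY,
    tenant  text    NOT NULL,
    owner   text    NOT NULL DEFAULT current_user,
    amount  numeric NOT NULL
);

ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;   -- policies apply to the table owner too

CREATE ROLE alice LOGIN;
CREATE ROLE bob   LOGIN;
GRANT SELECT, INSERT, UPDATE ON orders TO alice, bob;      -- GRANT still gates table access
GRANT USAGE ON SEQUENCE orders_id_seq TO alice, bob;       -- needed for the serial default

-- Approach 1: role-based. A login role sees and writes only the rows it owns.
-- USING filters rows that are visible; WITH CHECK constrains rows being written.
CREATE POLICY owner_rows ON orders
    FOR ALL
    USING (owner = current_user)
    WITH CHECK (owner = current_user);

-- Approach 2: server-side variable. A pooled application connection sets
-- app.tenant_id (assumed name) per request. Made RESTRICTIVE so it is ANDed with
-- owner_rows; a second PERMISSIVE policy would instead be ORed and widen access.
-- current_setting(..., true) returns NULL rather than an error when the variable
-- is unset, so a missing tenant id yields no rows instead of all rows.
CREATE POLICY tenant_rows ON orders
    AS RESTRICTIVE
    FOR ALL
    USING (tenant = current_setting('app.tenant_id', true))
    WITH CHECK (tenant = current_setting('app.tenant_id', true));

-- Constructed session showing the policies in effect.
SET ROLE alice;
BEGIN;
SET LOCAL app.tenant_id = 'acme';          -- LOCAL: scoped to this transaction
INSERT INTO orders (tenant, amount) VALUES ('acme', 10);   -- passes both WITH CHECKs
INSERT INTO orders (tenant, amount) VALUES ('other', 10);  -- fails tenant_rows WITH CHECK
SELECT id, tenant, owner FROM orders;      -- only alice's rows in tenant 'acme'
ROLLBACK;
RESET ROLE;
```

Superusers and roles with BYPASSRLS are not subject to these policies, so the application role used in production should have neither.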

Speaker

Stephen Frost