Skip to content

Platform: Row-Level Security policies on module tables #21

Description

@I-am-nothing

Summary

Add RLS as defense-in-depth on all module tables. Even if credential isolation is bypassed, RLS prevents cross-app data access.

Scope

Platform runs after module install SQL:

-- Add app_id column (auto-populated from session variable)
ALTER TABLE media_items ADD COLUMN app_id TEXT NOT NULL DEFAULT current_setting('ms.app_id');

-- Enable RLS
ALTER TABLE media_items ENABLE ROW LEVEL SECURITY;
ALTER TABLE media_items FORCE ROW LEVEL SECURITY;

-- Default deny
CREATE POLICY deny_all ON media_items USING (false);

-- Allow current app only
CREATE POLICY app_isolation ON media_items
    USING (app_id = current_setting('ms.app_id'));

SDK sets ms.app_id per connection (already implemented in db.AcquireScoped).

Gotchas

  • Every table needs a policy — missing policy = no rows visible (safe default with FORCE)
  • Index app_id on every table for query performance
  • ms.app_id must be configured as a GUC in Aurora parameter group
  • 5-15% query planning overhead — monitor with EXPLAIN ANALYZE

Blocked by

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions