database/doris
2
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
4ccaa0dfc5a95c19f3e4618f4e2fa7df8b392ec9
doris/docs/zh-CN/sql-manual/sql-reference/Data-Definition-Statements/Create/CREATE-POLICY.md
Stalary f11d320213 [feature] support row policy filter (#9206)
2022-05-11 22:11:10 +08:00

2.1 KiB
Raw Blame History

title, language
title language
CREATE-POLICY zh-CN

CREATE-POLICY

Name

CREATE POLICY

Description

创建安全策略,explain 可以查看改写后的 SQL。

行安全策略

语法:

CREATE ROW POLICY test_row_policy_1 ON test.table1 
AS {RESTRICTIVE|PERMISSIVE} TO test USING (id in (1, 2));

参数说明:

  • filterType:RESTRICTIVE 将一组策略通过 AND 连接, PERMISSIVE 将一组策略通过 OR 连接
  • 配置多个策略首先合并 RESTRICTIVE 的策略,再添加 PERMISSIVE 的策略
  • RESTRICTIVE 和 PERMISSIVE 之间通过 AND 连接的
  • 不允许对 root 和 admin 用户创建

Example

  1. 创建一组行安全策略

    CREATE ROW POLICY test_row_policy_1 ON test.table1 
AS RESTRICTIVE TO test USING (c1 = 'a');

    CREATE ROW POLICY test_row_policy_2 ON test.table1 
AS RESTRICTIVE TO test USING (c2 = 'b');

    CREATE ROW POLICY test_row_policy_3 ON test.table1 
AS PERMISSIVE TO test USING (c3 = 'c');

    CREATE ROW POLICY test_row_policy_3 ON test.table1 
AS PERMISSIVE TO test USING (c4 = 'd');

    当我们执行对 table1 的查询时被改写后的 sql 为

    select * from (select * from table1 where c1 = 'a' and c2 = 'b' or c3 = 'c' or c4 = 'd')

Keywords

CREATE, POLICY

Best Practice