Oracle Row Level Security in multi-tenant app / default values for new records
Task
Retrofit an existing application to use a multi-tenant approach. It shall be possible to create tenants and each user's session should reference exactly one active tenant. Each tenant should only be able to see and update his partition of the database schema.
Approach
- Create an Oracle application context that contains the tenant id
- Add a tenant id column to any table that should be scoped
- Create a predicate function that returns "tenant_id = sys_context('tenant_context', 'tenant_id')" for SELECT, INSERT, UPDATE and delete
- Add an appropiate policy via dbms_rls to register the predicate function
This works like a charm without touching the existing application for SELECT, UPDATE and DELETE
Question
When inserting the tenant_id column doesn't get set and a security exception comes up. Is there any way that is as sleek as the p开发者_运维百科redicate function to always set security related fields? I'd rather not add triggers to 300+ tables.
Sometimes asking a question provides the answer. I wasn't aware that you may use non-constant expressions in column's default values, so
alter table XXX
add column tenant_id default sys_context('tenant_context', 'tenant_id');
actually solves my problem.
精彩评论