{"id":15705303,"url":"https://github.com/brahmlower/pgzan","last_synced_at":"2025-05-12T15:36:24.162Z","repository":{"id":176397119,"uuid":"656970087","full_name":"brahmlower/pgzan","owner":"brahmlower","description":"A cursed Postgres extension enabling Zanzibar RBAC evaluation within Row Level Policies","archived":false,"fork":false,"pushed_at":"2023-06-22T03:59:22.000Z","size":4,"stargazers_count":15,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-06T17:12:41.466Z","etag":null,"topics":["cursed","oso","pgrx","postgresql","rbac","row-level-security","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/brahmlower.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-06-22T03:15:08.000Z","updated_at":"2024-12-01T08:07:32.000Z","dependencies_parsed_at":null,"dependency_job_id":"fe0634c8-0fb6-4afd-ac02-f18a8112efcc","html_url":"https://github.com/brahmlower/pgzan","commit_stats":{"total_commits":1,"total_committers":1,"mean_commits":1.0,"dds":0.0,"last_synced_commit":"b2e45f17059639863dae8fdadff805fe51ca55ac"},"previous_names":["brahmlower/pgzan"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brahmlower%2Fpgzan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brahmlower%2Fpgzan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brahmlower%2Fpgzan/releases","manifests_url":"https://
repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brahmlower%2Fpgzan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/brahmlower","download_url":"https://codeload.github.com/brahmlower/pgzan/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":233837044,"owners_count":18737906,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cursed","oso","pgrx","postgresql","rbac","row-level-security","rust"],"created_at":"2024-10-03T20:15:22.584Z","updated_at":"2025-01-14T02:52:48.994Z","avatar_url":"https://github.com/brahmlower.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pgzan\n\nDo you use Postgres [row level security](https://www.postgresql.org/docs/current/ddl-rowsecurity.html), but find it difficult to enforce and maintain your application's access control needs? Well fret no more! `pgzan` is a work-in-progress extension for Postgres that aims to bring the flexibility and expressiveness of Google's world-class [Zanzibar](https://research.google/pubs/pub48190/) authorization system right down to your Postgres row policies.\n\nThat's right! With `pgzan` you can leverage the benefits of a world-class ACL on a row-by-row basis with minimal additional dev work!\n\n## ⚠️ Work in Progress ⚠️\n\nThis cursed project is a work in progress. 
Do not bring it remotely close to your production databases.\n\n## The Dream 🙌\n\nOkay so let's say you're running a multi-tenant product and have a table of important info, with references to an account that owns a particular record:\n\n```sql\nCREATE EXTENSION IF NOT EXISTS \"uuid-ossp\";\n\nCREATE TABLE accounts (\n    \"id\" UUID PRIMARY KEY DEFAULT uuid_generate_v4(),\n    \"name\" VARCHAR(256) NOT NULL\n);\n\nCREATE TABLE failed_projects (\n    \"id\" UUID PRIMARY KEY DEFAULT uuid_generate_v4(),\n    \"account\" UUID REFERENCES accounts(id) NOT NULL,\n    \"name\" VARCHAR(256) NOT NULL\n);\n```\n\nNow when listing the projects table, how do you control which projects are returned for a given query? If you said \"a filter\", then that's some old-age think'n bud. Postgres row level policies are the real solution here 💪 \"But my Fortune 50 enterprise customer needs me to support a complex RBAC solution\" well shit we can't be turning down those fat oligarchy dollars now can we! So let's do this right and bring `pgzan` into the mix.\n\n**First:** Download `pgzan`! How? I dunno yet, this shit ain't hit the prime time yet so you'll just have to compile it from source like your grandpa. Gander at the [development](#development) section for compilation instructions.\n\n**Second:** Now install it! How? Not sure; check back later? For now just run `cargo pgrx run` I guess, then quit out of the shell. Seems like that puts the code up in the db 🤷\n\n**Third:** Enable the extension:\n\n```sql\nCREATE EXTENSION IF NOT EXISTS \"pgzan\";\n```\n\n**Fourth:** Time to rock and roll! 
Enable that sweet sweet RLS on your table and define the policy as something vaguely similar to the following.\n\n```sql\nBEGIN;\n\nALTER TABLE failed_projects ENABLE ROW LEVEL SECURITY;\nALTER TABLE failed_projects FORCE ROW LEVEL SECURITY;\n\n-- The policy expression must be a plain boolean expression, so the\n-- function call goes directly inside USING / WITH CHECK (no SELECT).\nCREATE POLICY failed_projects_policy ON failed_projects\nUSING (\n    pgzan_check(\n        current_setting('authed_failed_projects.account_id')::UUID,\n        'manager'\n    )\n)\nWITH CHECK (\n    pgzan_check(\n        current_setting('authed_failed_projects.account_id')::UUID,\n        'manager'\n    )\n);\n\nCOMMIT;\n```\n\n**Fifth:** Okay final step before locking down that sales contract: we need to set the context for the connection. Notice we're using the `authed_failed_projects.account_id` setting to tell pgzan who we're evaluating permissions for, but we haven't declared a value for that anywhere. When creating your db connection just make sure you set that value before making any queries and you'll be golden:\n\n```sql\nSET SESSION authed_failed_projects.account_id = 'a7f3da20-e862-48bc-b2cd-49b42894eef5';\n```\n\n**Sixth:** Hell yeah, we've made the investors proud and fulfilled our capitalistic duties 🫡 Now let's go get blasted 🍻\n\n## Development\n\nThis project depends on [pgrx](https://github.com/tcdi/pgrx); follow their [system requirements](https://github.com/tcdi/pgrx#system-requirements) section before installing `cargo-pgrx`.\n\nInitial dependency setup:\n\n```shell\n$ cargo install --locked cargo-pgrx\n```\n\nBuilding and running the extension (will drop you into a psql shell):\n\n```shell\n$ cargo pgrx run\n```\n\nYou can test the current functionality by running `pgzan_check` with a JSON blob with an `id` and `role` field. The role may be either \"manager\" or \"readonly\". 
The function is hardcoded to evaluate the role against an \"update\" operation which is only permitted by the \"manager\" role, so you can see how the function response would feasibly connect back to the row level policy:\n\n```sql\npgzan=# CREATE EXTENSION pgzan;\nCREATE EXTENSION\npgzan=# SELECT pgzan_check('{\"id\": \"07b30b3a-8da9-465e-96ef-4054f870cd8a\", \"role\": \"readonly\"}');\n pgzan_check\n-------------\n f\n(1 row)\n\npgzan=# SELECT pgzan_check('{\"id\": \"07b30b3a-8da9-465e-96ef-4054f870cd8a\", \"role\": \"manager\"}');\n pgzan_check\n-------------\n t\n(1 row)\n```\n\nSignificant development is needed to make the ACL customizable (it's hardcoded right now) and to properly connect the necessary session context values to the row level policy.\n\nThough lots of work is needed, the current state of the project demonstrates that this _is_ possible. Let's build something beautiful; let's build an abomination ✨\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrahmlower%2Fpgzan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbrahmlower%2Fpgzan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrahmlower%2Fpgzan/lists"}