Examples are included to illustrate the capabilities of parameterized secure views. These examples are intended for demonstration purposes only.
Objectives
- Create secure parameterized views with named view parameters.
- Create the database role that is used by the application to connect to the database and access parameterized secure views.
- Grant the new role permissions to the secure views and revoke access to the base tables.
- Connect using the new role and verify that the restricted tables can't be accessed.
- Run queries on the parameterized secure view using the
execute_parameterized_queryfunction.
Install and connect to a database
Prepare your environment
To prepare for running queries on a parameterized secure view, you must first
set up parameterized views, the database and database roles, the parameterized_view
extension, and the application schema.
Before you use parameterized secure views, you must do the following once in
your Linux environment.
Each setting can be applied using ALTER SYSTEM
or
by editing the postgresql.conf
directly.:
- Add "parameterized_views" to
shared_preload_libraries. - Enable the feature by setting
parameterized_views.enabled=on. - Restart postgres for the changes to take effect.
Set up the database
- Create a database called
databasefor the application data and parameterized views.
Create database roles, the extension, and the application schema
-
Using psql, connect to the database as the
postgresuser or as a user with AlloyDB Omni superuser privileges./ usr / lib / postgresql / 18 / bin / psql - h localhost - U postgres -
Create the
parameterized_viewsextension in the database.-- Requires parameterized_views.enabled set to true CREATE EXTENSION parameterized_views ;When the extension is created, the system also creates a schema named
parameterized_viewsso that the APIs are contained in that schema's namespace and so that those APIs don't conflict with existing APIs. -
Create the AlloyDB Omni administrative role, which owns and manages the database.
CREATE ROLE admin_user WITH LOGIN PASSWORD '...' ; GRANT ALL PRIVILEGES ON DATABASE database TO admin_user ;For more information, see
CREATE USER. -
Create a new database role for executing queries against parameterized secure views. This is an AlloyDB Omni role that the application uses to connect and sign into the database to execute queries with limited access to public functions or objects to the minimal required set.
For more information, see
CREATE USER. -
Connect as the administrative user.
SET role TO admin_user ; -
Create the schema that contains the tables.
CREATE SCHEMA schema ; -
Create the tables and insert data.
CREATE TABLE schema . checked_items ( bag_id INT , timestamp TIMESTAMP , loc_code CHAR ( 3 ), scan_type CHAR ( 1 ), location TEXT , customer_id INT ); INSERT INTO schema . checked_items ( bag_id , timestamp , loc_code , scan_type , location , customer_id ) VALUES ( 101 , '2023-10-26 10:00:00' , 'ABC' , 'I' , 'Warehouse A' , 123 ), ( 102 , '2023-10-26 10:15:30' , 'DEF' , 'O' , 'Loading Dock B' , 456 ), ( 103 , '2023-10-26 10:30:45' , 'GHI' , 'I' , 'Conveyor Belt 1' , 789 ), ( 104 , '2023-10-26 11:00:00' , 'JKL' , 'O' , 'Shipping Area C' , 101 ), ( 105 , '2023-10-26 11:45:15' , 'MNO' , 'I' , 'Sorting Station D' , 202 ), ( 106 , '2023-10-26 12:00:00' , 'PQR' , 'O' , 'Truck Bay E' , 303 );
Create secure parameterized views and set up access privileges
To create secure parameterized views and to set up appropriate access privileges for the base table and views, follow these steps:
-
Using psql, connect to the database as
admin_user./ usr / lib / postgresql / 18 / bin / psql - h localhost - U admin_user -
To provide limited access to the view, create a parameterized secure view.
CREATE VIEW schema . secure_checked_items WITH ( security_barrier ) AS SELECT bag_id , timestamp , location FROM schema . checked_items t WHERE customer_id = $ @ app_end_userid ; -
Grant access to the view.
GRANT SELECT ON schema . secure_checked_items TO psv_user ; -
To access the view, grant access to the schema.
GRANT USAGE ON SCHEMA schema TO psv_user ; -
Revoke direct access to the base table.
REVOKE ALL PRIVILEGES ON schema . checked_items FROM psv_user ;
Verify data security
To verify that the parameterized secure views are restricting access to the
designated views, run the following commands as psv_user
. This is an
AlloyDB Omni database role that the application uses to connect
and sign into the database to execute queries.
-
Connect as a parameterized secure views user.
/ usr / lib / postgresql / 18 / bin / psql - h localhost - U psv_user -
Verify that the base table can't be accessed.
SELECT * FROM schema . checked_items ; ERROR : permission denied for table checked_items -
Access the parameterized secure view using the
execute_parameterized_queryfunction.SELECT * FROM parameterized_views . execute_parameterized_query ( query = > 'SELECT * from schema.secure_checked_items' , param_names = > ARRAY [ 'app_end_userid' ], param_values = > ARRAY [ '303' ] ); -
To improve security for natural language generated queries, integrate your parameterized secure views using natural language.
Clean up
To clean up, you can either uninstall the AlloyDB Omni instance or keep the instance and delete the individual objects.
What's next
- Learn about parameterized secure views .
- Learn how to manage application data security using parameterized secure views .
