I read through the web but can't seem to find a real answer, so here is my question:
In a multi-tenant setup where all tenants would have their data in a single database (separated by a tenant-id column spread through all tables in the schema) - what are my options to isolate/enforce security so that one tenant will never be able to read/write data from other tenants?
One viable option in some other RDBMS is to use the row-level-security feature and make it evaluate a session variable set to the tenant id, etc., but reading through the docs it seems CockroachDB does not (yet?) support this feature. Is this planned or already on the roadmap?
Reading through https://www.cockroachlabs.com/docs/privileges.html the first paragraph states:
“In CockroachDB, privileges are granted to users at the database and table levels. They are not yet supported for other granularities such as columns or rows.”
Is my assumption correct that there is currently no way to realize such behaviour at the database security level using grants/privileges (e.g. having a user per tenant but using grants/privileges at row level)?
What would be the recommended "best-practice" to implement such a scenario? Would I have to put a layer on top of CockroachDB, not using any of the database security model at all?
Can someone please shed some light on this topic or point me to some documentation?
Thanks & Cheers,
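For readers who have not used it, the row-level-security pattern the question refers to ("make it evaluate a session variable set to the tenant id") looks like this in PostgreSQL. This is an added example written for this page; it is not from the original post and it is not CockroachDB syntax (the linked docs state CockroachDB does not grant privileges at row granularity). The table, role and variable names (documents, tenant_id, app_user, app.tenant_id) are illustrative assumptions.

```sql
-- Multi-tenant row-level security in PostgreSQL, keyed on a session variable.
-- Added example for this page, not from the post; not CockroachDB syntax.
-- Names (documents, tenant_id, app_user, app.tenant_id) are illustrative.

CREATE TABLE documents (
    id        bigserial PRIMARY KEY,
    tenant_id integer NOT NULL,
    body      text NOT NULL
);

-- The role the application connects as. It must not be a superuser and
-- must not have BYPASSRLS, otherwise the policies below are skipped for it.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- FORCE also applies the policies to the table owner, so a connection
-- accidentally made as the owner does not silently see every tenant.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Read the tenant id the application set for this session.
-- current_setting(name, true) returns NULL instead of raising when the
-- variable is unset; NULLIF maps '' to NULL as well. A NULL tenant id
-- satisfies neither policy clause below, so an unset variable fails closed.
CREATE FUNCTION current_tenant_id() RETURNS integer
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.tenant_id', true), '')::integer
$$;

-- USING filters what app_user can see; WITH CHECK rejects INSERT/UPDATE
-- rows whose tenant_id is not the current tenant's, so a tenant cannot
-- write into another tenant's partition either.
CREATE POLICY tenant_isolation ON documents
    FOR ALL TO app_user
    USING (tenant_id = current_tenant_id())
    WITH CHECK (tenant_id = current_tenant_id());

-- Application side: set the variable per transaction. SET LOCAL scopes it
-- to the transaction, so a pooled connection does not carry the previous
-- request's tenant id into the next one.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '42';
INSERT INTO documents (tenant_id, body) VALUES (42, 'tenant 42 data');
-- This INSERT would be rejected by the WITH CHECK clause:
-- INSERT INTO documents (tenant_id, body) VALUES (7, 'smuggled into tenant 7');
SELECT id, body FROM documents;   -- policy restricts this to tenant 42's rows
COMMIT;

-- Without the variable, current_tenant_id() is NULL and the USING clause
-- is never true, so app_user sees no rows rather than all rows.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM documents;
COMMIT;
```

Two caveats worth keeping in mind when comparing this to a layer on top of the database: the database enforces the policy, but it has no way to verify that the value placed in app.tenant_id is correct, so the code that sets it (after authenticating the tenant) is still inside the trust boundary; and the policies apply only to roles without BYPASSRLS, so migration or admin connections that run as the owner or a superuser are not covered by them.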