Multi-Region Row Level Security in CockroachDB

https://www.cockroachlabs.com/blog/fine-grained-access-control-row-level-security/

46•rusticwizard•14h ago

Comments

jayzalowitz•11h ago

well done!

DSingularity•10h ago

The first example demonstrating row level security contains results from the wrong tenant.

sebmellen•9h ago

Is that true? I can’t quite follow it on mobile.

rsclarke•8h ago

Yes, the example shows setting the current tenant id to all ones and then performing a select revealing a tenant id of all twos.

The same result is displayed in another example when correctly using a tenant id of all twos. A mistake perhaps of wrong output with the wording in the article is all.

rusticwizard•8h ago

Ah nice catch! This is an unfortunate copy paste error on the content on our part and we will fix it first thing tomorrow.

journal•9h ago

Doesn't same database multi-tenancy defeats the one-tenant one-database advantage of being able to easily disaster recover a single tenant or allow for easily moving a tenant and all their stuff to a dedicated box?

esseph•9h ago

At a certain scale they'd be sharded and not on a single instance anyway, right?

journal•9h ago

somewhere only in one place there will be main index with at least references to locations where to find others. at the top somewhere there is always just a flat list. this is a multi-dimensional problem. i really want to know real life scenario someone arguing for or against this. really interested to see what side people pick and where they draw the line of what it means to be multi-tenant. personally, i will never again write multi-tenant code ever again in my life. the implementation i've modeled for myself because i understood that immediate backup and restore is more important than fancy multi-tenancy.

jandrewrogers•8h ago

Even then, you do want to provide some degree of hardware-adjacent isolation to limit not just the blast radius but also computational cost of some DDL operations in a multi-tenant setup.

For example, you generally only want to have one tenant’s data per storage page. There are many famous ways that interleaving different tenants’ data at a fine-grained level can go very wrong.

sqlitor•5h ago

What happens if an attacker executes `SET app.current_tenant` a second time on the existing connection (e.g. through SQL injection)?

Computer Scientists Figure Out How to Prove Lies

Optimizing a Math Expression Parser in Rust

Show HN: Typeform was too expensive so I built my own forms

Thunderbird 140 “Eclipse”

MCP-B: A Protocol for AI Browser Automation

Kite – News App by Kagi

Tree Borrows

A Typology of Canadianisms

At last, a use case for AI agents with sky-high ROI: Stealing crypto

Show HN: MCP server for searching and downloading documents from Anna's Archive

Show HN: FlopperZiro – A DIY open-source Flipper Zero clone

The Origin of the Research University

Biomni: A General-Purpose Biomedical AI Agent

The jank programming language

Radiocarbon dating reveals Rapa Nui not as isolated as previously thought

Solar power has begun to transform the world’s energy system

A fast 3D collision detection algorithm

Show HN: BreakerMachines – Modern Circuit Breaker for Rails with Async Support

Show HN: Petrichor – a free, open-source, offline music player for macOS

Author of William the Conqueror's 'Medieval Big Data' Project Revealed

Bootstrapping a side project into a profitable seven-figure business

Grok 4 Launch [video]

Code and Trust: Vibrators to Pacemakers

Archaeologists unveil 3,500-year-old city in Peru

Configuring Split Horizon DNS with Pi-Hole and Tailscale

Evaluating the Effectiveness of Memory Safety Sanitizers

Xenharmlib: A music theory library that supports non-western harmonic systems

Linda Yaccarino is leaving X

Ruby 3.4 frozen string literals: What Rails developers need to know

The most otherworldly, mysterious forms of lightning on Earth