by throwaway115 752 days ago
What guarantees do you offer with query security if I turn this over to an end user? How do I keep them only accessing their own data?
2 comments

We recommend users leverage row-level security features built into modern RDBMS so the query results only return data for a given user.

You can read more on how to do that on Postgres here https://www.2ndquadrant.com/en/blog/application-users-vs-row...

Where do you recommend this? It sounds dangerous for databases that do not implement RLS, like MySQL, MariaDB, SQLite. I think you should highlight that very clearly somewhere.
Any number of database namespacing techniques already present in postgresql can prevent this. Link the user sign-on to a DB user and you’re gold.
What? How does that ensure user 123 only generates LLM queries that constrain on rows where user=123?
As I wrote on the original thread, we recommend using the RDBMS row-level security features.

This blog discusses how to do that on Postgres

https://www.2ndquadrant.com/en/blog/application-users-vs-row...
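The row-level security setup recommended in both replies above, as an added example that is not from either commenter or from the linked 2ndQuadrant post. The table, role and setting names (orders, app_reader, app.user_id) are assumptions; the point is that the policy is enforced by the database on every statement, regardless of what SQL text the LLM produced.

```sql
-- Assumed table whose rows belong to individual application users.
CREATE TABLE orders (
    id       serial  PRIMARY KEY,
    user_id  integer NOT NULL,
    amount   numeric NOT NULL
);

-- Low-privilege role used for every LLM-generated query. It must not own the
-- table and must not be a superuser, because those bypass RLS. The connecting
-- application user must be a member of this role to SET ROLE to it.
CREATE ROLE app_reader NOLOGIN;
GRANT SELECT ON orders TO app_reader;

-- Turn RLS on, and keep it on even for the table owner.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

-- Only rows whose user_id equals the per-transaction setting are visible.
-- The second argument (missing_ok = true) makes current_setting return NULL
-- when the setting was never set; NULL compares false, so no rows leak.
CREATE POLICY orders_own_rows ON orders
    FOR SELECT
    TO app_reader
    USING (user_id = current_setting('app.user_id', true)::integer);

-- Constructed sample data for two users.
INSERT INTO orders (user_id, amount)
VALUES (123, 10.00), (123, 25.50), (456, 99.99);

-- Per request: the application pins the authenticated user's id and switches
-- to the restricted role for this transaction only (SET LOCAL is undone at
-- COMMIT/ROLLBACK, so nothing carries over to the next pooled connection).
BEGIN;
SET LOCAL ROLE app_reader;
SET LOCAL app.user_id = '123';

-- Whatever text the LLM generated goes here; the planner ANDs the policy
-- predicate onto it, so rows of user 456 are invisible even if the query
-- names them explicitly.
SELECT id, amount FROM orders;
SELECT sum(amount) FROM orders WHERE user_id = 456;
COMMIT;
```

The setting-based variant assumes the application controls the session and executes only the generated statement; if generated SQL could itself issue a SET on app.user_id, bind the policy to a per-user database role (current_user) instead, as the sibling comment suggests.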

Way way too complicated. I thought this tool was supposed to make my life easier.
Is there an easier way?
Yes, write SQL.