//
Busca en todas las páginas de la documentación
PostgreSQL security rules enforce least privilege, tenant isolation, and auditable human access. Applications must not inherit DBA powers by default.
-- Minimum production role model
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_api LOGIN PASSWORD 'vault' CONNECTION LIMIT 100;
CREATE ROLE app_migrator LOGIN PASSWORD 'vault';
GRANT app_readers TO app_api; -- or app_writers per service
-- NO SUPERUSER, NO BYPASSRLS on app_api
ALTER TABLE app.orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE app.orders FORCE ROW LEVEL SECURITY;When to reach for this: Security review, SOC2 control mapping, onboarding checklist for new services.
# pg_hba.conf excerpt
hostssl myapp app_api 10.10.1.0/24 scram-sha-256
hostssl myapp app_ro 10.10.2.0/24 scram-sha-256
host all all 0.0.0.0/0 rejectCREATE POLICY orders_tenant ON app.orders FOR ALL TO app_api
USING (tenant_id = current_setting('app.tenant_id')::bigint)
WITH CHECK (tenant_id = current_setting('app.tenant_id')::bigint);
REVOKE ALL
Security rule summary:
| # | Rule |
|---|---|
| 1 | No superuser in application connection strings |
| 2 | SCRAM-SHA-256 + TLS for remote roles |
| 3 | RLS FORCE on shared tenant tables |
| 4 | Migrator != runtime role |
| 5 | Break-glass roles audited and TTL |
app_api or narrower per microservicesearch_path fixed to known schemas - prevents object hijack in publicapp_ro on replica, statement_timeout setpostgres passwordBYPASSRLS count documented quarterly-- Column-level for PII
GRANT SELECT (id, email) ON app.users TO app_ro;
REVOKE SELECT (ssn_hash) ON app.users FROM app_ro;pg_dump as superuser bypasses RLS - classify dump filesCREATE EXTENSION from application role| Alternative | Use When | Don't Use When |
|---|---|---|
| mTLS client certs | Service mesh identity | Human analysts on laptops |
| Vault dynamic credentials | Short-lived DB passwords | Simple internal CRUD app |
| Database-per-tenant | Hard isolation requirement | Thousands of tenants |
Defense in depth - RLS catches app bugs; app still validates tenant for UX and audit.
Yes - insider threat and compliance frameworks expect TLS even east-west.
Local dev only with local socket peer auth - never production credentials on workstation.
Stack versions: This page was written for PostgreSQL 18.4 (stable 18, maintenance 17), pgvector 0.8+, PgBouncer 1.x, Patroni 3.x, and PostGIS 3.5+.