Valery Popov, Postgres Professional
Николай Чадаев, Postgres Professional
12:15 04 February
45 min

Building protected databases using mandatory access control in PostgreSQL

Role-based access control (RBAC) is one of the main access control mechanisms in many DBMSs, including PostgreSQL. This model is a subtype of traditional discretionary access control (DAC) and inherits its restrictions. In addition to DAC, many operating systems also use mandatory access control (MAC) based on security labels. This additional security mechanism is obligatory for protecting information that demands higher levels of security. Naturally, we would like to use MAC within the DBMS as well when it runs on an OS with mandatory access control switched on.
In this talk, we'll give an overview of existing MAC implementations in DBMSs, as well as share our approach to using the security mechanisms provided by SELinux, the sepgsql extension for PostgreSQL, and the standard mechanism of row-level security (RLS), which has been available in PostgreSQL since version 9.5.
In our presentation, we will use the "Airlines" demo database provided by the Postgres Professional company to show how to protect sensitive information and personal data, compare different ways of storing security labels, and assess the performance of our solution.



Other talks

  • Sangwook (Shawn) Kim, Apposha
    45 min

    Make Your PostgreSQL 10x Faster on Cloud in Minutes

    Cloud storage has some unique characteristics compared to traditional storage, mainly because it is virtualized and controlled by software. One example is that AWS EBS shows higher throughput with larger I/O sizes, up to 256 KiB, without hurting latency. Hence, a user can get only about 4 MiB/sec with a 1,000 IOPS EBS volume if the I/O request size is 4 KiB, whereas a user can get about 250 MiB/sec if the I/O request size is 256 KiB. This is because EBS consumes one I/O in a given IOPS budget for every I/O request regardless of the I/O size (up to 256 KiB). Unfortunately, PostgreSQL cannot exploit the full potential of cloud storage because PostgreSQL was designed without considering the unique characteristics of cloud storage.

    In this talk, I will introduce the AppOS extension that improves the throughput of a write-intensive workload by 10x by transparently making PostgreSQL cloud storage-native. AppOS works like a storage driver that efficiently exploits the characteristics of cloud storage, such as the dependency of storage throughput and latency on I/O size, atomic write support in cloud block storage, and fast but non-durable local SSDs. To do this, AppOS comprises a Linux-compatible file I/O stack including a virtual file system, page cache, block I/O layer, and cloud storage driver. On top of the file I/O stack, a syscall module supports registering pre- and post-handlers for file I/O-related system calls in order to work transparently without modifying PostgreSQL code.

    I will focus on presenting key use cases and performance results of the AppOS extension after explaining the internals. Specifically, I will show the performance results of OLTP and some batch workloads using standard benchmarking tools like pgbench and sysbench. I will also present performance results and implications on multiple clouds including AWS, GCP, and Azure.

  • Oleg Bartunov, Postgres Professional
    45 min

    Everything about full text search

    PostgreSQL built-in full text search gives unique possibilities inaccessible to external search engines, such as virtual or generated document search and search with access restrictions. I will talk about these and other features, full text search configuration, and indexes, and highlight the latest advances and future expectations.

  • Дмитрий Гребенщиков, ООО "Диасофт"
    22 min

    Features of migration of engineering software from Oracle to PostgreSQL

    Migrating engineering software from Oracle to PostgreSQL
    Dmitry will talk about using an automated migrator developed by the Diasoft company for migrating Russian systems to PostgreSQL.
    Taking the LOOTSMAN engineering software (developed by the ASKON company) as an example, we will speak about the key aspects of migration, review possible issues and ways to resolve them, and discuss performance optimization methods for migrated stored procedures.

  • Vasiliy Puchkov, ООО
    45 min

    PostgreSQL Database operational experience in enterprise-level network.

    · Enterprise network traits, known problems and workarounds.

    · Year-long background of maintaining 24x7 1C + PostgreSQL systems

    · Pros and cons in comparison with MS SQL from a DBA's point of view

    · Stories of 1C systems migration from MS SQL to PostgreSQL