[4.x] Postgres RLS integration

[lukinovec]

Postgres RLS integration {#postgres-rls-integration}

To integrate Postgres RLS in your app with single-database tenancy:

• Enable PostgresRLSBootstrapper in the Tenancy config
• Uncomment the CreatePostgresUserForTenant and DeleteTenantsPostgresUser jobs in TenancyServiceProvider so that when you create a new tenant, a Postgres user gets created for it, and when you delete a tenant, its Postgres user gets deleted
• Make sure the DB is migrated and run php artisan tenants:create-rls-policies. This will create RLS policies for tables of all models that use BelongsToTenant or BelongsToPrimaryModel and are located in the directories specified in the customizable static Tenancy::$modelDirectories property (App/Models by default)
• To make existing tenants use RLS, you can use the tenants:create-postgres-user command to create Postgres users for the tenants.

To scope models using RLS, you can either:

• set config('tenancy.database.rls) to true – queries of all models that use the BelongsToTenant trait will be scoped using RLS
• or make models that belong to tenants directly (= models that use BelongsToTenant) implement the RlsModel interface – queries of all models that use the BelongsToTenant and implement the RlsModel interface will get scoped using RLS Note that tenants:create-rls-policies only creates policies for tables that belong to tenants (directly, or through a primary model).