DEV Community: Ronin_GO The latest articles on DEV Community by Ronin_GO (@__8fa66572). https://dev.to/__8fa66572 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3739554%2F9c507c9b-a6ca-441e-b514-e656457d15c0.png DEV Community: Ronin_GO https://dev.to/__8fa66572 en PostgreSQL RLS in Go: Architecting Secure Multi-tenancy Ronin_GO Thu, 29 Jan 2026 11:55:09 +0000 https://dev.to/__8fa66572/postgresql-rls-in-go-architecting-secure-multi-tenancy-4ifm https://dev.to/__8fa66572/postgresql-rls-in-go-architecting-secure-multi-tenancy-4ifm <p>Manual tenant isolation (adding WHERE tenant_id = ? to every query) is a ticking time bomb. It relies entirely on developer discipline. Eventually, someone will forget a filter during a hotfix or a late-night refactor, and data will leak.<br> In this article, I’ll share how we moved from manual checks to PostgreSQL Row Level Security (RLS) in a Go application. We’ll cover the implementation with pgx, performance benchmarks, and a zero-downtime migration strategy.</p> <h2> The Problem: Why Standard Solutions Failed </h2> <p>We evaluated three common isolation patterns before settling on RLS:<br> <strong>Logical Isolation (Manual WHERE clauses):</strong><br> Pros: Simple to start.<br> Cons: Human error factor is critical. One missing clause = security breach.<br> <strong>Schema-per-tenant:</strong><br> Pros: Strong isolation.<br> Cons: Doesn't scale past ~100 tenants. With 10,000 clients and 50 tables, you have 500,000 files in the database directory. Vacuuming becomes a nightmare, and inode usage explodes.<br> <strong>Database-per-tenant:</strong><br> Pros: Perfect physical isolation.<br> Cons: Prohibitively expensive on infrastructure (RDS instances) for a startup.<br> We chose Row Level Security (RLS). It allows us to declare access rules once in the database schema, making them automatically applicable to every query—even those generated by ORMs or raw SQL.</p> <h2> Implementation Details </h2> <p>The core concept is simple: The application never writes tenant filters. The database automatically filters rows based on the current transaction's context.</p> <ol> <li>The Database Schema (The "Paranoid" Mode) We define the policy once. Note the FORCE ROW LEVEL SECURITY command—this is crucial because, by default, table owners (the app user) bypass RLS. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- Business data table</span> <span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">documents</span> <span class="p">(</span> <span class="n">id</span> <span class="n">UUID</span> <span class="k">PRIMARY</span> <span class="k">KEY</span> <span class="k">DEFAULT</span> <span class="n">uuid_generate_v4</span><span class="p">(),</span> <span class="n">tenant_id</span> <span class="n">UUID</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">REFERENCES</span> <span class="n">tenants</span><span class="p">(</span><span class="n">id</span><span class="p">),</span> <span class="n">title</span> <span class="nb">TEXT</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">body</span> <span class="nb">TEXT</span> <span class="p">);</span> <span class="c1">-- Enable RLS</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">documents</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="c1">-- CRITICAL: Force RLS</span> <span class="c1">-- Without this, the table owner (usually the app user)</span> <span class="c1">-- will see EVERYTHING, ignoring policies.</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">documents</span> <span class="k">FORCE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="c1">-- The Policy: "Show only rows belonging to the current tenant"</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="n">tenant_isolation_policy</span> <span class="k">ON</span> <span class="n">documents</span> <span class="k">FOR</span> <span class="k">ALL</span> <span class="k">USING</span> <span class="p">(</span><span class="n">tenant_id</span> <span class="o">=</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.current_tenant'</span><span class="p">)::</span><span class="n">uuid</span><span class="p">);</span> </code></pre> </div> <ol> <li>Go Middleware: Setting the Context</li> </ol> <p>In the HTTP layer, we extract the tenant ID (e.g., from a JWT claim) and place it into the Go context.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TenantMiddleware</span><span class="p">(</span><span class="n">next</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span><span class="p">)</span> <span class="n">http</span><span class="o">.</span><span class="n">Handler</span> <span class="p">{</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="n">HandlerFunc</span><span class="p">(</span><span class="k">func</span><span class="p">(</span><span class="n">w</span> <span class="n">http</span><span class="o">.</span><span class="n">ResponseWriter</span><span class="p">,</span> <span class="n">r</span> <span class="o">*</span><span class="n">http</span><span class="o">.</span><span class="n">Request</span><span class="p">)</span> <span class="p">{</span> <span class="c">// PRODUCTION NOTE:</span> <span class="c">// In a real app, extract tenant_id from validated JWT claims (sub/tenant_id).</span> <span class="c">// Do NOT trust "X-Tenant-ID" headers from the client (security hole).</span> <span class="c">// We use a header here only for demonstration simplicity.</span> <span class="n">tenantStr</span> <span class="o">:=</span> <span class="n">r</span><span class="o">.</span><span class="n">Header</span><span class="o">.</span><span class="n">Get</span><span class="p">(</span><span class="s">"X-Tenant-ID"</span><span class="p">)</span> <span class="c">// Validation...</span> <span class="k">if</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">uuid</span><span class="o">.</span><span class="n">Parse</span><span class="p">(</span><span class="n">tenantStr</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">http</span><span class="o">.</span><span class="n">Error</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="s">"invalid tenant id"</span><span class="p">,</span> <span class="n">http</span><span class="o">.</span><span class="n">StatusBadRequest</span><span class="p">)</span> <span class="k">return</span> <span class="p">}</span> <span class="c">// Put into context (use a custom type for keys in production)</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithValue</span><span class="p">(</span><span class="n">r</span><span class="o">.</span><span class="n">Context</span><span class="p">(),</span> <span class="s">"tenant_id"</span><span class="p">,</span> <span class="n">tenantStr</span><span class="p">)</span> <span class="n">next</span><span class="o">.</span><span class="n">ServeHTTP</span><span class="p">(</span><span class="n">w</span><span class="p">,</span> <span class="n">r</span><span class="o">.</span><span class="n">WithContext</span><span class="p">(</span><span class="n">ctx</span><span class="p">))</span> <span class="p">})</span> <span class="p">}</span> </code></pre> </div> <ol> <li>The Database Wrapper (The "Glue")</li> </ol> <p>This is the trickiest part. We need to pass the tenant_id from Go context to the Postgres session.</p> <p>We use pgx. We cannot simply use SET app.current_tenant on a connection because connections are pooled. If a connection returns to the pool with the variable set, the next user might inherit those privileges.</p> <p>The Solution: Use set_config with the is_local=true parameter inside a transaction.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Postgres</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">Pool</span> <span class="o">*</span><span class="n">pgxpool</span><span class="o">.</span><span class="n">Pool</span> <span class="p">}</span> <span class="c">// Wrapper for all transactions</span> <span class="k">func</span> <span class="p">(</span><span class="n">p</span> <span class="o">*</span><span class="n">Postgres</span><span class="p">)</span> <span class="n">RunInTx</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">fn</span> <span class="k">func</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">tx</span> <span class="n">pgx</span><span class="o">.</span><span class="n">Tx</span><span class="p">)</span> <span class="kt">error</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// 1. Hard Check: Fail fast if tenant_id is missing.</span> <span class="c">// If we proceed without it, current_setting() returns NULL,</span> <span class="c">// and queries return 0 rows. This might mask a bug.</span> <span class="c">// Panic is justified here as a developer-time fail-fast mechanism.</span> <span class="n">tenantID</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">ctx</span><span class="o">.</span><span class="n">Value</span><span class="p">(</span><span class="s">"tenant_id"</span><span class="p">)</span><span class="o">.</span><span class="p">(</span><span class="kt">string</span><span class="p">)</span> <span class="k">if</span> <span class="o">!</span><span class="n">ok</span> <span class="o">||</span> <span class="n">tenantID</span> <span class="o">==</span> <span class="s">""</span> <span class="p">{</span> <span class="nb">panic</span><span class="p">(</span><span class="s">"CRITICAL: DB transaction without tenant_id!"</span><span class="p">)</span> <span class="p">}</span> <span class="c">// Note: Production code should handle nested transactions (savepoints).</span> <span class="n">tx</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">p</span><span class="o">.</span><span class="n">Pool</span><span class="o">.</span><span class="n">Begin</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">defer</span> <span class="n">tx</span><span class="o">.</span><span class="n">Rollback</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="c">// Always rollback if not committed</span> <span class="c">// 2. Set Session Variable</span> <span class="c">// The third parameter 'true' (is_local) means this setting lives</span> <span class="c">// ONLY until the end of the transaction.</span> <span class="c">// Even if the connection returns to the pool "dirty", Postgres resets it.</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">=</span> <span class="n">tx</span><span class="o">.</span><span class="n">Exec</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"SELECT set_config('app.current_tenant', $1, true)"</span><span class="p">,</span> <span class="n">tenantID</span><span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="c">// 3. Execute Business Logic</span> <span class="k">if</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">fn</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">tx</span><span class="p">);</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="k">return</span> <span class="n">err</span> <span class="p">}</span> <span class="k">return</span> <span class="n">tx</span><span class="o">.</span><span class="n">Commit</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <ol> <li>Business Logic: Clean and Simple</li> </ol> <p>Now, our repository code is clean. No more WHERE clauses.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">ListDocuments</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">db</span> <span class="o">*</span><span class="n">Postgres</span><span class="p">)</span> <span class="p">([]</span><span class="n">Document</span><span class="p">,</span> <span class="kt">error</span><span class="p">)</span> <span class="p">{</span> <span class="k">var</span> <span class="n">docs</span> <span class="p">[]</span><span class="n">Document</span> <span class="c">// Just SELECT *</span> <span class="c">// Postgres automatically injects "WHERE tenant_id = ..."</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">RunInTx</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="k">func</span><span class="p">(</span><span class="n">ctx</span> <span class="n">context</span><span class="o">.</span><span class="n">Context</span><span class="p">,</span> <span class="n">tx</span> <span class="n">pgx</span><span class="o">.</span><span class="n">Tx</span><span class="p">)</span> <span class="kt">error</span> <span class="p">{</span> <span class="c">// Using a scanner library like pgxscan</span> <span class="k">return</span> <span class="n">pgxscan</span><span class="o">.</span><span class="n">Select</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="n">tx</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">docs</span><span class="p">,</span> <span class="s">"SELECT * FROM documents ORDER BY created_at DESC"</span><span class="p">)</span> <span class="p">})</span> <span class="k">return</span> <span class="n">docs</span><span class="p">,</span> <span class="n">err</span> <span class="p">}</span> </code></pre> </div> <h2> Testing the Un-testable </h2> <p>Standard unit tests with mocks (like go.mock) are useless for RLS. You can mock the current_setting call, but you won't verify if the policy actually restricts data access.</p> <p>We use Testcontainers to spin up a real, disposable Postgres instance for every test suite.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="c">// internal/infra/db/container_test.go</span> <span class="k">func</span> <span class="n">SetupTestDB</span><span class="p">(</span><span class="n">t</span> <span class="n">testing</span><span class="o">.</span><span class="n">TB</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="n">ctx</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">()</span> <span class="c">// 1. Start a container (once per test suite)</span> <span class="c">// Use the exact same image as production!</span> <span class="n">pgContainer</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">postgres</span><span class="o">.</span><span class="n">Run</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"pgvector/pgvector:pg16"</span><span class="p">,</span> <span class="n">postgres</span><span class="o">.</span><span class="n">WithDatabase</span><span class="p">(</span><span class="s">"ronin_test"</span><span class="p">),</span> <span class="n">postgres</span><span class="o">.</span><span class="n">WithUsername</span><span class="p">(</span><span class="s">"ronin"</span><span class="p">),</span> <span class="n">postgres</span><span class="o">.</span><span class="n">WithPassword</span><span class="p">(</span><span class="s">"password"</span><span class="p">),</span> <span class="c">// Copy migrations into the container</span> <span class="n">postgres</span><span class="o">.</span><span class="n">WithCopyFileToContainer</span><span class="p">(</span> <span class="s">"./migrations/"</span><span class="p">,</span> <span class="s">"/docker-entrypoint-initdb.d/"</span><span class="p">,</span> <span class="m">0644</span><span class="p">,</span> <span class="p">),</span> <span class="p">)</span> <span class="k">if</span> <span class="n">err</span> <span class="o">!=</span> <span class="no">nil</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">Fatalf</span><span class="p">(</span><span class="s">"failed to start postgres: %v"</span><span class="p">,</span> <span class="n">err</span><span class="p">)</span> <span class="p">}</span> <span class="c">// 2. Ensure cleanup</span> <span class="n">t</span><span class="o">.</span><span class="n">Cleanup</span><span class="p">(</span><span class="k">func</span><span class="p">()</span> <span class="p">{</span> <span class="n">pgContainer</span><span class="o">.</span><span class="n">Terminate</span><span class="p">(</span><span class="n">ctx</span><span class="p">)</span> <span class="p">})</span> <span class="n">connStr</span><span class="p">,</span> <span class="n">_</span> <span class="o">:=</span> <span class="n">pgContainer</span><span class="o">.</span><span class="n">ConnectionString</span><span class="p">(</span><span class="n">ctx</span><span class="p">,</span> <span class="s">"sslmode=disable"</span><span class="p">)</span> <span class="k">return</span> <span class="n">connStr</span> <span class="p">}</span> </code></pre> </div> <p>The test itself becomes a concise security proof:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">func</span> <span class="n">TestAlienAccess</span><span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">testing</span><span class="o">.</span><span class="n">T</span><span class="p">)</span> <span class="p">{</span> <span class="c">// 1. Get a clean DB</span> <span class="n">dsn</span> <span class="o">:=</span> <span class="n">SetupTestDB</span><span class="p">(</span><span class="n">t</span><span class="p">)</span> <span class="n">db</span> <span class="o">:=</span> <span class="n">connect</span><span class="p">(</span><span class="n">dsn</span><span class="p">)</span> <span class="c">// 2. Create document for Tenant A</span> <span class="n">docID</span> <span class="o">:=</span> <span class="n">createDoc</span><span class="p">(</span><span class="n">db</span><span class="p">,</span> <span class="s">"tenant-A"</span><span class="p">,</span> <span class="s">"Secret Plan"</span><span class="p">)</span> <span class="c">// 3. Attempt to read as Tenant B</span> <span class="n">ctxB</span> <span class="o">:=</span> <span class="n">context</span><span class="o">.</span><span class="n">WithValue</span><span class="p">(</span><span class="n">context</span><span class="o">.</span><span class="n">Background</span><span class="p">(),</span> <span class="s">"tenant_id"</span><span class="p">,</span> <span class="s">"tenant-B"</span><span class="p">)</span> <span class="n">_</span><span class="p">,</span> <span class="n">err</span> <span class="o">:=</span> <span class="n">db</span><span class="o">.</span><span class="n">GetDoc</span><span class="p">(</span><span class="n">ctxB</span><span class="p">,</span> <span class="n">docID</span><span class="p">)</span> <span class="c">// 4. Verify the row "does not exist" for us</span> <span class="c">// Ideally, we get ErrNoRows, not an Access Denied error.</span> <span class="n">assert</span><span class="o">.</span><span class="n">ErrorIs</span><span class="p">(</span><span class="n">t</span><span class="p">,</span> <span class="n">err</span><span class="p">,</span> <span class="n">sql</span><span class="o">.</span><span class="n">ErrNoRows</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h2> Benchmarks: The Cost of Security </h2> <p>We ran load tests (10k records, Docker) to measure the overhead.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Scenario</th> <th>Without RLS</th> <th>With RLS</th> <th>Overhead</th> <th>Notes</th> </tr> </thead> <tbody> <tr> <td>Simple Select (ID lookup)</td> <td>1.2 ms</td> <td>1.3 ms</td> <td>+0.1 ms</td> <td>Negligible. Ideal for CRUD.</td> </tr> <tr> <td>JOIN (Docs + Tenants)</td> <td>1.25 ms</td> <td>1.35 ms</td> <td>+0.1 ms</td> <td>Planner handles joins well.</td> </tr> <tr> <td>Vector Search (HNSW)</td> <td>3-5 ms</td> <td>5-6 ms</td> <td>~20%</td> <td>Acceptable vs. schema overhead.</td> </tr> <tr> <td>GROUP BY (Count)</td> <td>0.8 ms</td> <td>1.95 ms</td> <td>x2.4</td> <td>Painful. Requires full scan.</td> </tr> <tr> <td>ILIKE Search (GIN Index)</td> <td>0.2 ms</td> <td>1.3 ms</td> <td>x6</td> <td>High. RLS checks every row.</td> </tr> </tbody> </table></div> <h2> Key Takeaways: </h2> <p>Aggregations are slow: SELECT COUNT(*) checks visibility for every row. For admin dashboards, consider denormalized counters.</p> <p>Vector Search works: This is the only scalable way to do multi-tenant vector search (AI/RAG). You build one big HNSW index, and RLS filters the results. Note: Use pgvector 0.8.0+ for iterative index scans.</p> <h2> Production Pitfalls (Read Before Deploying) </h2> <ol> <li>Views are dangerous</li> </ol> <p>By default (before PG 15), views run with the permissions of the view owner, not the caller.</p> <p>Fix (PG 15+): Use security_invoker = true.</p> <p>Fix (Older): Always use FORCE ROW LEVEL SECURITY.</p> <ol> <li>Side-Channel Leaks (Leakproof)</li> </ol> <p>Postgres might execute a function before the RLS filter. If you have a query like WHERE secret_func(data), the function might run on rows the user shouldn't see.</p> <p>Fix: Mark your trusted functions as LEAKPROOF.</p> <p>Fix: For GIN indexes, rely on extensions that implement leakproof operators (like pg_trgm).</p> <ol> <li>PgBouncer Compatibility</li> </ol> <p>Never use Statement Pooling with RLS. The session variable app.current_tenant will be lost or mixed between statements.<br> Always use Transaction Pooling.</p> <p>Zero-Downtime Migration Strategy<br> How do you add this to a legacy monolith without breaking everything? We used a 3-phase rollout.</p> <p>Phase 1: Permissive (Preparation)</p> <p>Add the columns and enable RLS, but allow everything.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">orders</span> <span class="n">ENABLE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> <span class="k">CREATE</span> <span class="n">POLICY</span> <span class="n">migration_phase_1</span> <span class="k">ON</span> <span class="n">orders</span> <span class="k">FOR</span> <span class="k">ALL</span> <span class="k">USING</span> <span class="p">(</span><span class="k">true</span><span class="p">)</span> <span class="k">WITH</span> <span class="k">CHECK</span> <span class="p">(</span><span class="k">true</span><span class="p">);</span> </code></pre> </div> <p>Phase 2: Hybrid (Transition)</p> <p>Update the app to send context. The policy enforces rules only if context is present.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="n">migration_phase_2</span> <span class="k">ON</span> <span class="n">orders</span> <span class="k">FOR</span> <span class="k">ALL</span> <span class="k">USING</span> <span class="p">(</span> <span class="c1">-- Path A: Context exists -&gt; Enforce isolation</span> <span class="p">(</span><span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.current_tenant'</span><span class="p">,</span> <span class="k">true</span><span class="p">)</span> <span class="k">IS</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="k">AND</span> <span class="n">tenant_id</span> <span class="o">=</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.current_tenant'</span><span class="p">)::</span><span class="n">uuid</span><span class="p">)</span> <span class="k">OR</span> <span class="c1">-- Path B: No context (Legacy code) -&gt; Allow access</span> <span class="p">(</span><span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.current_tenant'</span><span class="p">,</span> <span class="k">true</span><span class="p">)</span> <span class="k">IS</span> <span class="k">NULL</span><span class="p">)</span> <span class="p">);</span> </code></pre> </div> <p>Phase 3: Strict (Enforcement)</p> <p>Once logs show 100% of requests have context, lock it down.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="n">tenant_isolation_policy</span> <span class="k">ON</span> <span class="n">orders</span> <span class="k">FOR</span> <span class="k">ALL</span> <span class="k">USING</span> <span class="p">(</span><span class="n">tenant_id</span> <span class="o">=</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.current_tenant'</span><span class="p">)::</span><span class="n">uuid</span><span class="p">);</span> <span class="k">ALTER</span> <span class="k">TABLE</span> <span class="n">orders</span> <span class="k">FORCE</span> <span class="k">ROW</span> <span class="k">LEVEL</span> <span class="k">SECURITY</span><span class="p">;</span> </code></pre> </div> <h2> Conclusion </h2> <p>RLS moved our security boundary from "every developer remembering WHERE clauses" to the infrastructure layer. The code is cleaner, and the "cold sweat" of potential data leaks is gone.</p> <p>If you are building a multi-tenant B2B app, RLS is a robust engineering choice that is often overlooked. Give it a try.</p> go sql rls programming