>> I’d want friction on breaking this boundary
> Why do you want friction?
Probably because it makes accidental or malicious attempts to leak among tenants harder, therefore less likely.
Check this out and let me know what you think: https://pgdog.dev/blog/multi-tenant-pg-can-be-easy
I think there are a few good solutions for multi-tenant safety. We just need ergonomic wrappers at the DB layer to make them easy to use.
It’s an interesting idea, but how would such a system handle queries that should cross tenant boundaries? (E.g. system-level reporting)
1. Go around pgcat/pgdog?
2. I have had good luck using pragma comments for that kind of thing: a way to communicate to the infrastructure without the target system seeing it
3. From the "malicious compliance department," I would also accept "include it but in a tautological way" (tenant_id = :ten_id or tenant_id <> :ten_id)
Echoing the comment below (above), since we can fingerprint queries using the Postgres parser, we can create an allow list and a more fine-grained ruleset.
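An added example (not pgdog or pgcat code, and not from any commenter above) of the proxy-side policy the last three comments sketch: the query is fingerprinted with literals and bind parameters stripped so an allow list can name query shapes rather than exact strings; a pragma comment that the proxy reads but the database never sees marks deliberate cross-tenant reporting queries; and the "tautological" `tenant_id = :ten_id OR tenant_id <> :ten_id` pattern is detected and rejected rather than counted as a tenant filter. The `/* policy: cross_tenant */` comment syntax, the `tenant_id` column name and the sample statements are all constructed for this example; regexes stand in for the Postgres parser a real implementation would use.

```python
"""Toy proxy-side tenant-isolation check (added example, not pgdog/pgcat code)."""
from __future__ import annotations

import hashlib
import re

# Hypothetical pragma comment, constructed for this example. It lets a caller
# declare a deliberate cross-tenant query (e.g. system-level reporting) in a
# comment the proxy inspects and the database ignores.
CROSS_TENANT_PRAGMA = re.compile(r"/\*\s*policy:\s*cross_tenant\s*\*/", re.I)

# Any equality/inequality predicate on tenant_id. Accepted anywhere in the
# statement text here; a parser-based check would require it in WHERE.
TENANT_PRED = re.compile(r"\btenant_id\s*(?:=|<>|!=)\s*[\w:$.']+", re.I)

# "tenant_id = X OR tenant_id <> X" in either order with the same X: a
# predicate that names the tenant column but filters nothing.
TAUTOLOGY = re.compile(
    r"\btenant_id\s*=\s*([\w:$.']+)\s+or\s+tenant_id\s*(?:<>|!=)\s*\1(?!\w)"
    r"|\btenant_id\s*(?:<>|!=)\s*([\w:$.']+)\s+or\s+tenant_id\s*=\s*\2(?!\w)",
    re.I,
)


def strip_comments(sql: str) -> str:
    """Drop /* */ and -- comments so they cannot smuggle or hide predicates."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"--[^\n]*", " ", sql)


def fingerprint(sql: str) -> str:
    """Structural fingerprint: comments dropped, string/numeric literals and
    bind parameters replaced by '?', whitespace collapsed, case folded, then
    hashed. Statements differing only in their values fingerprint the same."""
    s = strip_comments(sql)
    s = re.sub(r"'(?:[^']|'')*'", "?", s)          # string literals
    s = re.sub(r"(?<![:\w]):\w+|\$\d+", "?", s)    # :name and $1 bind params
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)       # numeric literals
    s = re.sub(r"\s+", " ", s).strip().lower()
    return hashlib.sha256(s.encode()).hexdigest()[:16]


def check_query(sql: str, allow_list: set[str]) -> tuple[str, str, str]:
    """Return (decision, fingerprint, reason) for one statement."""
    fp = fingerprint(sql)
    if fp in allow_list:
        return ("allow", fp, "allow-listed fingerprint")
    if CROSS_TENANT_PRAGMA.search(sql):
        # Deliberate cross-tenant access: a real proxy would audit-log this
        # and only honour it for a dedicated reporting role.
        return ("allow", fp, "cross-tenant pragma")
    body = strip_comments(sql)
    if TAUTOLOGY.search(body):
        return ("reject", fp, "tautological tenant predicate")
    if not TENANT_PRED.search(body):
        return ("reject", fp, "no tenant_id predicate")
    return ("allow", fp, "tenant-scoped")


if __name__ == "__main__":
    # Constructed sample statements; the allow list holds one reporting shape.
    allowed = {fingerprint("SELECT count(*) FROM orders WHERE created_at > '2024-01-01'")}
    for q in [
        "SELECT * FROM orders WHERE tenant_id = :ten_id AND id = 7",
        "SELECT * FROM orders WHERE id = 7",
        "SELECT * FROM orders WHERE (tenant_id = :ten_id OR tenant_id <> :ten_id)",
        "/* policy: cross_tenant */ SELECT count(*) FROM orders",
        "SELECT count(*) FROM orders WHERE created_at > '2023-06-30'",
    ]:
        print(check_query(q, allowed))
```

The allow list is keyed by fingerprint rather than raw text so the same reporting query with a different date still matches, while a query that merely mentions `tenant_id` in a self-cancelling OR is rejected before the presence check runs.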