On Mon, 2009-01-26 at 22:55 -0500, Tom Lane wrote:
> Silently filtering out rows according to an arbitrary security policy
> can break a bunch of fundamental SQL semantics, the most obvious being
> foreign key constraints
That was exactly my reaction when I read the way it worked and I was
ready to reject the patch as a result. Bruce and KaiGai provided
documents that discuss the problem and it's a clearly a known issue in
the security community. Specifically, it hasn't prevented Oracle from
gaining security Certification and it shouldn't prevent us either. In
the end it's the certification that matters here, rather than a general
review of what database security is, or could be.
I've seen enough to be happy that KaiGai has done a thorough job on
*attempting* to address the needs of the security people. Passing
security audit is the real test and I won't be beating him up if we do
miss slightly. We have to try, otherwise we'll never know.
My concerns are all about what it does to our code and the impacts of
that. These are things we know how to check.
-- Simon Riggs www.2ndQuadrant.comPostgreSQL Training, Services and Support