KaiGai Kohei wrote:
> > 1) When are we getting column-level permissions that you can
> > plug into?
>
> Please note that SE-PostgreSQL checks its column-level permission *after* VIEWs
> are expanded, because it focuses on "what" object is accessed, not "how".
> Thus, it walks on the query tree just after QueryRewrite() to pick up columns
> to be refered in this query.
> The term is same, but it's unclear for me whether it can share the code based
> on SQL standards, or not.
> (In my opinion, it is not a matter, just a difference in security model.)
I understand.
> > 2) Do we want row-level permissions at the SQL level?
>
> Now I'm working for it and will submit patches due to the end of Oct,
> if it is really required to make progress reviewing of SE-PostgreSQL
> on the v8.4 development cycle.
> However, the scale of its demand is unclear for me.
Yes, which is why I would like the community to answer the question
before you have to start coding things. I will say that if we do want
it, the SE-Linux code will be 96% in separate modules and will make it
much easier to accept.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +