Re: Multi-tenancy with RLS - Mailing list pgsql-hackers
| From | Stephen Frost |
|---|---|
| Subject | Re: Multi-tenancy with RLS |
| Date | |
| Msg-id | 20160107032927.GT3685@tamriel.snowman.net Whole thread Raw |
| In response to | Re: Multi-tenancy with RLS (Robert Haas <robertmhaas@gmail.com>) |
| Responses |
Re: Multi-tenancy with RLS
(Haribabu Kommi <kommi.haribabu@gmail.com>)
|
| List | pgsql-hackers |
Robert, * Robert Haas (robertmhaas@gmail.com) wrote: > On Tue, Jan 5, 2016 at 11:07 PM, Haribabu Kommi > <kommi.haribabu@gmail.com> wrote: > > May be you missed to apply the 3_shared_catalog_tenancy_v4 path, > > because 4_database_catalog_tenancy_v5 patch depends on it. > > > > Here I attached all the patches for your convenience, I am able to > > apply all patches in the order without any problem. > > Is any committer thinking about taking a serious look at this patch series? Joe took a look at it earlier and I'm definitely interested in it. Furhter, he and I have chatted about it a few times. Reference here to comments from Joe: http://www.postgresql.org/message-id/55F1FB2E.8020101@joeconway.com > I ask because (1) it seems like it could be nice to have but (2) it > frightens me terribly. We are generally very sparing about assuming > that "stuff" (triggers, partial indexes, etc.) that works for user > tables can also be made to work for system tables. I haven't thought > deeply about what might go wrong in this particular case, but it > strikes me that if Haribabu Kommi is building something that is doomed > for some reason, it would be good to figure that out before he spends > any more time on it than he already has. I'm not aware of any particular reason for it to be doomed out of the gate. That isn't to say that we won't find an issue with it or that I've given it an in depth look (I've not), but the concept seems reasonable enough and I can't think of any off-hand reasons why it won't work. I will note that there's a couple different patches involved here and they really deserve their own review and consideration. > Apart from the issue of whether this is doomed for some architectural > reason, it is not entirely clear to me that there's any consensus that > we want this. I don't think that I understand the issues here well > enough to proffer an opinion of my own just yet... but I'd like to > hear what other people think. I'm certainly of the opinion that we want this or something similar. The big caveat kicking around in my head is if we want to have our own set of defined policies or if we want to give flexibility to the administrator to define their own policies. In particular, I'm wondering about things like: CREATE POLICY namespace_limit ON pg_namespace TO company1 USING (substring(nspname,1,8) = 'company1_'); Which is a bit different, as I understand it, from what Haribadu has been proposing and quite a bit more complicated, as we'd then have to make the internal lookups respect the policy (so things like CREATE SCHEMA would have to check if you're allowed to actually create that schema, which would be based on the policy...). I don't know if we want to try and support that level of flexibility or if we'd like to simply go based on the concept of 'you only get to see what you have access to', which I'm thinking will allow us to avoid changing the existing functions as they are already doing permissions checks. My general thinking here is that we could support one set of provided policies via these patches and then, if there is sufficient interest, generalize how policies on system catalogs are handled and eventually allow users to redefine the system catalog policies. Thanks! Stephen
pgsql-hackers by date: