Re: [HACKERS] RLS policy not getting honer while pg_dump on declarative partition - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: [HACKERS] RLS policy not getting honer while pg_dump on declarative partition
Date
Msg-id 20170617002025.GI1769@tamriel.snowman.net
In response to [HACKERS] RLS policy not getting honer while pg_dump on declarative partition  (Rushabh Lathia <rushabh.lathia@gmail.com>)
Responses Re: [HACKERS] RLS policy not getting honer while pg_dump on declarative partition  (Amit Langote <Langote_Amit_f8@lab.ntt.co.jp>)
List pgsql-hackers
Greetings,

* Rushabh Lathia (rushabh.lathia@gmail.com) wrote:
> While doing some testing I noticed that RLS policy not getting honored
> while pg_dump on declarative partition.
>
> I can understand that while doing SELECT on individual child
> table, policy of parent is not getting applied. But is this desirable
> behaviour? I think for partitions, any policy on the root table should
> get redirected to the child, thoughts?
>
> If current behaviour is desirable then at least we should document this.

The current behaviour matches how the GRANT system works, unless it's
been changed as part of the partitioning patches, we don't check the
privileges on the parent to see if an individual has access to the
child.

I think we could certainly consider if this behavior is desirable in a
system which includes partitioning instead of inheritance, but if we
wish to do so then I think we should be considering if the GRANT system
should also be changed as I do feel the two should be consistent.

Thinking it through a bit though, I would imagine someone certainly
might want to GRANT access to a given partition and not others, though
that could actually be done with an appropriate RLS policy on the
parent, but until we improve the performance of constraint exclusion (or
change entirely how all of that works with partitions...), I'm not sure
that's a practical answer in all cases.  It might also be the case that
one would wish for different policies to be used when a user is
accessing a table directly vs. going through the parent.

Thanks!

Stephen
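
The behaviour discussed in this message, as an added example that is not part of the original thread: privileges and RLS policies are evaluated on the table named in the query, so a policy on the partitioned parent does not cover direct reads of a partition. All table, role and policy names are hypothetical.

```sql
-- Constructed example: all table, role and policy names are hypothetical.
CREATE ROLE alice NOLOGIN;

CREATE TABLE orders (id int, tenant text, region text)
    PARTITION BY LIST (region);
CREATE TABLE orders_eu PARTITION OF orders FOR VALUES IN ('eu');
CREATE TABLE orders_us PARTITION OF orders FOR VALUES IN ('us');

INSERT INTO orders VALUES
    (1, 'alice', 'eu'), (2, 'bob', 'eu'), (3, 'alice', 'us');

-- Policy and privilege exist on the parent only.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_rows ON orders USING (tenant = current_user);
GRANT SELECT ON orders TO alice;

-- GRANT side: the parent's privilege does not extend to the partition.
SELECT has_table_privilege('alice', 'orders',    'SELECT') AS on_parent,
       has_table_privilege('alice', 'orders_eu', 'SELECT') AS on_partition;

-- RLS side: once the partition is granted directly, reads through the parent
-- are filtered by tenant_rows, reads of the partition itself are not.
GRANT SELECT ON orders_eu TO alice;
SET ROLE alice;
SELECT id, tenant FROM orders    ORDER BY id;  -- parent's policy applies
SELECT id, tenant FROM orders_eu ORDER BY id;  -- parent's policy not consulted
RESET ROLE;

-- Closing the gap with what exists today: give each directly reachable
-- partition its own policy (or grant nothing on partitions at all).
ALTER TABLE orders_eu ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_rows ON orders_eu USING (tenant = current_user);

SET ROLE alice;
SELECT id, tenant FROM orders_eu ORDER BY id;  -- now filtered as well
RESET ROLE;

-- Audit query: children whose parent has RLS enabled but which do not.
SELECT c.oid::regclass AS child, p.oid::regclass AS parent
FROM pg_inherits i
JOIN pg_class c ON c.oid = i.inhrelid
JOIN pg_class p ON p.oid = i.inhparent
WHERE p.relrowsecurity AND NOT c.relrowsecurity;
```

Run it as a superuser or table owner in a scratch database; the final query lists `orders_us`, which still has no policy of its own.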
