Re: [PATCH] Add reloption for views to enable RLS - Mailing list pgsql-hackers

From walther@technowledgy.de
Subject Re: [PATCH] Add reloption for views to enable RLS
Date
Msg-id 37cf6fdd-f509-f31b-b91a-44d1ec12254c@technowledgy.de
Whole thread Raw
In response to [PATCH] Add reloption for views to enable RLS  (Christoph Heiss <christoph.heiss@cybertec.at>)
List pgsql-hackers
Laurenz Albe:
>> I converted the option to run_as_owner=true|false in the attached v7.
>> It now definitely seems like the right way to move forward and getting
>> more feedback.
> I think we are straying from the target.
> 
> "run_as_owner" seems wrong to me, because it is all about permission
> checking and*not*  about running.  As we have established, the query
> is always executed by the caller.
> 
> So my preferred bikeshed colors would be "permissions_owner" or
> "permissions_caller".

My main point was the "xxx_owner = true by default" thing. Whether xxx 
is "permissions" or "run_as" doesn't change that. permissions_caller, 
however, would be a step backwards.

I can see how permissions_owner is better than run_as_owner. The code 
uses checkAsUser, so check_as_owner would be an option, too. Although 
that could easily be associated with WITH CHECK OPTION. Thinking about 
that, the difference between LOCAL and CASCADED for CHECK OPTION pretty 
much sums up one of the confusing bits about the whole thing, too.

Maybe "local_permissions_owner = true | false"? That would make it 
crystal-clear, that this is only about the very first permissions check 
and not about any checks later in a chain of multiple views.

"local_permissions = owner | caller" could also work - as long as we're 
not using any of definer or invoker.

Best

Wolfgang



pgsql-hackers by date:

Previous
From: Ashutosh Sharma
Date:
Subject: Re: Identify missing publications from publisher while create/alter subscription.
Next
From: Andrew Dunstan
Date:
Subject: Re: fairywren is generating bogus BASE_BACKUP commands