Re: Updates of SE-PostgreSQL 8.4devel patches - Mailing list pgsql-hackers

From KaiGai Kohei
Subject Re: Updates of SE-PostgreSQL 8.4devel patches
Date
Msg-id 48DC4461.9010108@ak.jp.nec.com
Whole thread Raw
In response to Re: Updates of SE-PostgreSQL 8.4devel patches  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
Tom Lane wrote:
> "Robert Haas" <robertmhaas@gmail.com> writes:
>>> This is just a different syntax for KaiGai's label storage
>>> implementation.  It doesn't really answer any of the hard questions,
>>> like what the heck is the behavior of foreign keys.
> 
>> What do you find inadequate about KaiGai's answers to those hard questions?
> 
> Mainly just that they're only one set of possible answers.  If we're
> thinking of baking a particular set of semantics into SQL syntax,
> we'd better be darn sure that they are the right semantics --- both
> in terms of widest usefulness, and in terms of not being stuck behind
> the eight-ball if the SQL standards committee ever moves to standardize
> a similar behavior.

If SQL standard adopts row-level security, it also welcomes for me.
Please note that SE-PostgreSQL works orthogonally from the native
access controls of PostgreSQL.
I think it is usefulness to apply different security policies based on
different rules, architecture and philosophy.

> Another point is that the proposed behavior leaks quite a lot of
> information, since it will fail operations on the basis of tuples that
> supposedly aren't visible to the invoking user.  While I admit that it's
> hard to see an alternative if we're to preserve FK integrity, I have to
> worry that this definition isn't going to satisfy the tin-foil-hat
> brigade that are supposed to be the main users of SEPostgres.  If the
> goal is "you don't know the row is there", this doesn't seem to meet it.

Yes, it is just a limitation of SE-PostgreSQL's row-level access control.
However, we can avoid actual matter by applying alternative keys for these
kind of databases, as Bruce mentioned before.
No need to say, it is a thing to be described in documentation,
and end-users should make their decison.

One considerable option provided to end-user is to add a switch called as
"boolean" to allow all of row-level access controls.

> I wonder whether it wouldn't make more sense to pursue restrictions
> at some different level.  SQL already has the concept of REFERENCE
> permission, ie, not just anybody can make a foreign key reference to
> your table.  Maybe there has to be a rule that you can't make an FK
> reference to a table you don't have full read permissions for.  The
> restrictions in the other direction (what can PK table's owner find out
> about FK table's contents) are pretty interesting too.

SE-PostgreSQL focuses on the fact client can see the PK refered.
It is different from native SQL's permission, but it think it is just a
difference between security models.

It is worthwhile to achieve secure state of databases in different levels.
For example, privileged database user can override all of access controls.
It is a unignorable risk, as root is considered as a risk in operating
system.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>


pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Bug in ILIKE?
Next
From: "Robert Haas"
Date:
Subject: Re: Updates of SE-PostgreSQL 8.4devel patches