Bruce Momjian wrote:
> KaiGai Kohei wrote:
>>>> Today, I'll debug the modified code...
>>> Wow, that was fast. Where are you storing the security information for
>>> tables and columns? Did you add a special column to pg_class, etc?
>> Security information is stored within padding field of HeapTupleHeader
>> as we did. It can be fetched via sepgsql_(table|column|...)_getcon()
>> functions, and can be set via SECURITY_LABEL = 'xxx'.
>
> Well, we are not using row-level security values so why not store it in
> its own column regular or as part of the existing ACL structure. I
> think it will be very odd for system tables to have this special column
> but not user rows.
Sorry, my description might easily make confusion.
I read it again myself, indeed, it makes confusion. :(
SECURITY_LABEL = 'xxx' means following sytle:
CREATE TABLE t ( a int, b text SECURITY_LABEL = '...' ) SECURITY_LABEL = '...';
I don't provide both of "security_label" and "security_acl"
system columns for system/user tables.
I didn't write it explicitly, it might make you confusing.
User cannot see what security label is assigned to them
due to lack of system column, so new sepgsql_xxx_getcon()
functions are provided an interface to see security label.
In this patch, I don't touch new system columns.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
