Re: row security roadmap proposal - Mailing list pgsql-hackers

From Gregory Smith
Subject Re: row security roadmap proposal
Msg-id 52B3A8E2.1080105@gmail.com
In response to Re: row security roadmap proposal  (Craig Ringer <craig@2ndquadrant.com>)
List pgsql-hackers
On 12/18/13 10:21 PM, Craig Ringer wrote:
> In the end, sometimes I guess there's no replacement for "WHERE 
> call_some_procedure()"

That's where I keep ending up at.  The next round of examples I'm 
reviewing this week plug pl/pgsql code into that model.  And the one 
after that actually references locally cached data that starts stored in 
LDAP on another machine altogether.  That one I haven't even asked for 
permission to share with the community because of my long-standing LDAP 
allergy, but the whole thing plugs into the already submitted patch just 
fine.  (Shrug)

I started calling all of the things that generate data for RLS to filter 
on "label providers".  You've been using SELinux as an example future 
label provider.  Things like this LDAP-originated bit are another 
provider.  Making the database itself a richer label provider one day is 
an interesting usability improvement to map out.  But on the 
proof-of-concept things I've been getting passed I haven't seen an example 
where I'd use that yet anyway.  The real world label providers are too 
complicated.
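The "WHERE call_some_procedure()" model with an external label provider, written out as an added example (not code from the thread or from the patch under discussion). It uses the CREATE POLICY syntax PostgreSQL shipped later, not the syntax of the 2013 patch, and the cache table, roles and labels are constructed sample data; the LDAP side is represented only by the locally cached table the message mentions:

```sql
-- Label provider cache: rows copied in from an external directory
-- (LDAP in the thread). Constructed sample data, not a real directory.
CREATE ROLE alice;
CREATE ROLE bob;
CREATE TABLE user_labels (
    role_name text NOT NULL,
    label     text NOT NULL,
    PRIMARY KEY (role_name, label)
);
INSERT INTO user_labels VALUES ('alice', 'hr'), ('alice', 'finance'), ('bob', 'hr');

-- Protected data; each row carries the label a reader must hold.
CREATE TABLE employee_notes (
    id    serial PRIMARY KEY,
    label text NOT NULL,
    note  text NOT NULL
);
INSERT INTO employee_notes (label, note) VALUES
    ('hr',      'onboarding checklist'),
    ('finance', 'salary band review');

-- The "call_some_procedure()" of the thread. SECURITY DEFINER lets the
-- policy consult the cache without granting every role SELECT on it.
-- Inside a SECURITY DEFINER function current_user reports the function
-- owner, so the lookup keys on session_user, the role that logged in;
-- this assumes users connect as their own role rather than SET ROLE.
-- STABLE: the answer cannot change within one statement.
CREATE FUNCTION holds_label(row_label text) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = pg_catalog, public
AS $$
    SELECT EXISTS (
        SELECT 1 FROM user_labels
        WHERE role_name = session_user AND label = row_label
    );
$$;

-- Only the policy function should reach the cache, not ad-hoc queries.
REVOKE ALL ON user_labels FROM PUBLIC;

ALTER TABLE employee_notes ENABLE ROW LEVEL SECURITY;
CREATE POLICY notes_by_label ON employee_notes
    FOR SELECT USING (holds_label(label));
GRANT SELECT ON employee_notes TO alice, bob;

-- Connected as alice: both rows. Connected as bob: only the 'hr' row.
-- SELECT id, label, note FROM employee_notes;
```

Two checks worth keeping in mind with this shape: the table owner and superusers bypass row security unless FORCE ROW LEVEL SECURITY is set on the table, so verify the policy from a non-owner connection; and because holds_label() is not LEAKPROOF, the planner will not evaluate a user's own non-leakproof operators before it, which is the behaviour you want when the filter is the only thing standing between a role and rows it must not see.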
