Re: Prohibit row-security + inheritance in 9.4? - Mailing list pgsql-hackers

From Yeb Havinga
Subject Re: Prohibit row-security + inheritance in 9.4?
Date
Msg-id 52EBB9AC.8020604@mgrid.net
Whole thread Raw
In response to Re: Prohibit row-security + inheritance in 9.4?  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
On 2014-01-31 15:10, Stephen Frost wrote:
> * Craig Ringer (craig@2ndquadrant.com) wrote:
>> On 01/31/2014 09:01 AM, Stephen Frost wrote:
>> The only case prevented is one where access to the child via the parent
>> shows rows that the parent's row-security qual would hide, because the
>> child's qual doesn't.
> It makes absolutely zero sense, in my head anyway, to have rows returned
> when querying the parent which should NOT be returned based on the quals
> of the parent.

IMHO, there is another way to implement this, other than the procedure 
to override the child-rel-quals with the ones from the parent. At DDL 
time, synchronize quals on the parent with rls quals of the childs. 
Isn't this also what happens with constraints?

Then during expansion of the range table, no code is needed to ignore 
child rls quals and copy parent rels to child rels.

Also, the security policy applied would be invariant to the route 
through which the rows were accessed:
- directly to the child row: child rls quals and parent quals (by 
propagate at ddl) are applied.
- through the parent: child rls quals and parent quals applied.

regards,
Yeb Havinga




pgsql-hackers by date:

Previous
From: Marko Kreen
Date:
Subject: Re: [COMMITTERS] pgsql: libpq: Support TLS versions beyond TLSv1.
Next
From: Bruce Momjian
Date:
Subject: Re: pgindent wishlist item