Re: [v9.2] Leaky view and RLS - Mailing list pgsql-hackers
From | Kohei Kaigai |
---|---|
Subject | Re: [v9.2] Leaky view and RLS |
Date | |
Msg-id | A9F5079BABDEE646AEBDB6831725762C5560112179@EUEXCLU01.EU.NEC.COM Whole thread Raw |
In response to | [v9.2] Leaky view and RLS (Kohei Kaigai <Kohei.Kaigai@EMEA.NEC.COM>) |
List | pgsql-hackers |
Oops, I overlooked a scenario that we discussed before. [4] Unexpected qualifier distributions into inside of join-loop If a qualifier being appended on outside of join-loop references only one-side of the join, the optimizer will unexpectedly distribute it into inside of the join-loop. In the result, these exogenetic qualifiers may be evaluated earlier than security policy functions inside of a view that contains join. It also allows unprivileged users to reference contents of invisible tuples, so it shall be a problem to be fixed up according to the principle I described below. As a reference information, we had discussed the following approach: We tried to extend CREATE VIEW statement to accept SECURITY attribute to prevent unexpected qualifier distribution into inside of join-loop originated from security views. In addition, we also tried to add a variable to track original nest-level of qualifiers to order qualifiers in WHERE clause. It enabled to fix up [1] and [4]. However, the [3] was pointed out during the discussion and I was not sure where was the essence of this issue. So, the patch was returned with feedbacks, then it got postponed to v9.2 to solve this problem. Thanks, > -----Original Message----- > From: pgsql-hackers-owner@postgresql.org [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of > Kohei Kaigai > Sent: 10. Mai 2011 12:56 > To: Robert Haas; Stephen Frost; Heikki Linnakangas; Tom Lane > Cc: pgsql-hackers > Subject: [HACKERS] [v9.2] Leaky view and RLS > > I'd like to summarize expected issues corresponding to leaky-view and RLS > towards v9.2, and PGcon2011/Developer Meeting. > > We already made consensus the leaky-view is a problem to be fixed previous > to the row-level security feature. > > We know several ways to leak/infer contents of tuples to be invisible using > a view that is defined to row-level security purpose. > > [1] User defined functions with small-cost and side-effects (E.g error message) > > If these functions are appended to WHERE clause, it may be executed earlier > than functions to be performed as row-level security policy of security views. > These function can take arguments that references either visible or invisible > tuples, so functions with side-effects enables to leak the contents of invisible > tuples, when it was invoked earlier than conditions to filter out. > > [2] Iteration in proving PK/FK or UNIQUE constratins > > This type of iteration enables to estimate invisible values. E.g, fails to insert > a tuple with a particular primary-key gives us a hint of existence of invisible > tuple. We made consensus that RLS does not handle this type of scenario called as > covert-channels. The point is user cannot see the hidden value directly. > > [3] Reference to statistics delivered from table contents > > One example was selectivity-estimator function; Tom mentioned about before. > The pg_statistic holds statistical information delivered from table contents, > so it may help users to infer the contents using its histograms. > The discussion didn't get hot at that time. However, the point of mine is same > as the reason why we don't handle covert-channels. > The statistical is irreversible translation from the original data, so we need > an intelligence process to infer them, not a direct data reference. > > > We also had a discussion about a principle what type of scenarios should be > considered as problem. > One was that we didn't consider it is not a problem if a function internally > references invisible rows, as long as it consumes them internally. Thus, we > considered index-access-methods can be launched earlier than functions to > filter out violated rows. > Second was that we didn't consider it is not a problem if RLS allows users > to infer invisible rows from the circumstances, as long as it is not possible > to dump invisible data directly, because its bandwidth to leak information > was quite slow. So, we decided not to handle covert-channel such as iteration > of PK/FK proving in RLS. > > I still think the scenario [1] is the only problem to be solved prior to RLS > features. The scenario [2] and [3] don't allow to leak the original data > directly. In addition, the estimator function mentioned in [3] just references > statistical data internally. It is same situation with index-access-method. > > Please give us the points at issue, if I now overlooked. > -- NEC Europe Ltd, SAP Global Competence Center KaiGai Kohei <kohei.kaigai@emea.nec.com>
pgsql-hackers by date: