Re: API change advice: Passing plan invalidation info from the rewriter into the planner? - Mailing list pgsql-hackers
From | Robert Haas |
---|---|
Subject | Re: API change advice: Passing plan invalidation info from the rewriter into the planner? |
Date | |
Msg-id | CA+TgmoYc+D=uLhf3f287gJ9XEKLY31WzT2NB99rO-67f2B9hKA@mail.gmail.com Whole thread Raw |
In response to | Re: API change advice: Passing plan invalidation info from the rewriter into the planner? (Stephen Frost <sfrost@snowman.net>) |
Responses |
Re: API change advice: Passing plan invalidation info from
the rewriter into the planner?
(Stephen Frost <sfrost@snowman.net>)
|
List | pgsql-hackers |
On Thu, Jun 12, 2014 at 8:13 PM, Stephen Frost <sfrost@snowman.net> wrote: >> I'm in full agreement we should clearly communicate the issues around >> pg_dump in particular, because they can't necessarily be eliminated >> altogether without some major work that's going to take a while to finish. >> And if the work-around is some sort of GUC for killing RLS altogether, >> that's ugly but not unacceptable to me as a short-term fix. > > A GUC which is enable / disable / error-instead may work quiet well, with > error-instead for pg_dump default if people really want it (there would have > to be a way to disable that though, imv). > > Note that enable is default in general, disable would be for superuser only > (or on start-up) to disable everything, and error-instead anyone could use > but it would error instead of implementing RLS when querying an RLS-enabled > table. > > This approach was suggested by an existing user testing out this RLS > approach, to be fair, but it looks pretty sane to me as a way to address > some of these concerns. Certainly open to other ideas and thoughts though. In general, I agree that this is a good approach. I think it will be difficult to have a GUC with three values, one of which is superuser-only and the other two of which are not. I don't think there's any precedent for something like that in the existing framework, and I think it's likely we'll run into unpleasant corner cases if we try to graft it in. Also, I think we need to separate things: whether the system is willing to allow the user to access the table without RLS, and whether the user is willing to accept RLS if the system deems it necessary. For the first one, two solutions have been proposed. The initial proposal was to insist on RLS except for the superuser (and maybe the table owner?). Having a separate grantable privilege, as Dean suggests, may be better. I'll reply separately to that email also, as I have a question about what he's proposing. For the second one, I think the two most useful behaviors are "normal mode" - i.e. allow access to the table, applying RLS predicates if required and not applying them if I am exempt - and "error-instead" mode - i.e. if my access to this table would be mediated by an RLS predicate, then throw an error instead. There's a third mode which might be useful as well, which is "even though I have the *right* to bypass the RLS predicate on this table, please apply the predicate anyway". This could be used by the table owner in testing, for example. Here again, the level of granularity we want to provide is an interesting question. Having a GUC (e.g. enable_row_level_security = on, off, force) would be adequate for pg_dump, but allowing the table name to be qualified in the query, as proposed downthread, would be more granular, admittedly at some parser cost. I'm personally of the view that we *at least* need the GUC, because that seems like the best way to secure pg_dump, and perhaps other applications. We can and should give pg_dump an--allow-row-level-security flag, I think, but pg_dump's default behavior should be to configure the system in such a way that the dump will fail rather than complete with a subset of the data. I'm less sure whether we should have something that can be used to qualify table names in particular queries. I think it would be really useful, but I'm concerned that it will require creating additional fully-reserved keywords, which are somewhat painful for users. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
pgsql-hackers by date: