Re: Multi-tenancy with RLS - Mailing list pgsql-hackers

From Robert Haas
Subject Re: Multi-tenancy with RLS
Date
Msg-id CA+TgmobNPEmYTyX4JKDEfu7fxnuGz0=pqgagmDSB3CGD91aeZA@mail.gmail.com
Whole thread Raw
In response to Re: Multi-tenancy with RLS  (Joe Conway <mail@joeconway.com>)
Responses Re: Multi-tenancy with RLS
Re: Multi-tenancy with RLS
List pgsql-hackers
On Tue, Feb 9, 2016 at 3:01 PM, Joe Conway <mail@joeconway.com> wrote:
> On 02/09/2016 11:47 AM, Robert Haas wrote:
>> On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost <sfrost@snowman.net> wrote:
>>>> Whereupon you'd have no certainty that what you got represented a
>>>> complete dump of your own data.
>>>
>>> It would be a dump of what you're allowed to see, rather than an error
>>> saying you couldn't dump something you couldn't see, which is the
>>> alternative we're talking about here.  Even if you've got a dependency
>>> to something-or-other, if you don't have access to it, then you're
>>> going to get an error.
>>
>> I think you're dismissing Tom's concerns far too lightly.  The
>> row_security=off mode, which is the default, becomes unusable for
>> non-superusers under this proposal.  That's bad.  And if you switch to
>> the other mode, then you might accidentally fail to get all of the
>> data in some table you're trying to back up.  That's bad too: that's
>> why it isn't the default.  There's a big difference between saying
>> "I'm OK with not dumping the tables I can't see" and "I'm OK with not
>> dumping all of the data in some table I *can* see".
>
> I don't grok what you're saying here. If I, as a non-superuser could
> somehow see all the rows in a table just by running pg_dump, including
> rows that I could not normally see due to RLS policies, *that* would be
> bad. I should have no expectation of being able to dump rows I can't
> normally see.

That's true.  But I should also have an expectation that running
pg_dump won't trigger arbitrary code execution, which is why by
default, pg_dump sets row_security to OFF.  That way, if a row
security policy applies, I get an error rather than an incomplete,
possibly-invalid dump (and arbitrary code execution on the server
side).  If I'm OK with doing the dump subject to row security, I can
rerun with --enable-row-security.  But this proposal would force
non-superusers to always use that option, and that's not a good idea.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



pgsql-hackers by date:

Previous
From: Joe Conway
Date:
Subject: Re: Multi-tenancy with RLS
Next
From: Tom Lane
Date:
Subject: Re: Tracing down buildfarm "postmaster does not shut down" failures