Postgres Pro
Downloads
Home   >   mailing lists

Re: [RFC] Interface of Row Level Security - Mailing list pgsql-hackers

From Kohei KaiGai
Subject Re: [RFC] Interface of Row Level Security
Date
Msg-id CADyhKSXKFhzZoN30HDpfP5TCb3bJ32hJPk6SNcUq_NY1sQXGbg@mail.gmail.com
Whole thread Raw
In response to Re: [RFC] Interface of Row Level Security  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: [RFC] Interface of Row Level Security
List pgsql-hackers
Tree view 
2012/5/23 Tom Lane <tgl@sss.pgh.pa.us>:
> Kohei KaiGai <kaigai@kaigai.gr.jp> writes:
>> Let me have a discussion to get preferable interface for row-level security.
>> My planned feature will perform to append additional conditions to WHERE
>> clause implicitly, to restrict tuples being visible for the current user.
>> For example, when row-level policy "uname = getpgusername()" is configured
>> on the table T1, the following query:
>>     select * from T1 where X > 20;
>> should be rewritten to:
>>     select * from T1 where (X > 20) AND (uname = getpgusername());
>
> Hm.  Simple and fairly noninvasive, but ... would this not be subject to
> the same sorts of information-leak hazards that were addressed in the
> "security views" feature?  That is, I see no guarantee that the RLS
> condition will be evaluated before any conditions supplied by the user.
> So it seems easy to get information out of rows the RLS policy is
> supposed to prevent access to.  It would be far more secure to just
> use a security view to apply the RLS condition.
>
I wanted to have discussion to handle this problem.

Unlike leaky-view problem, we don't need to worry about unexpected
qualifier distribution on either side of join, because a scan on table
never contains any join. Thus, all we need to care about is order of
qualifiers chained on a particular scan node; being reordered by
the cost to invoke functions.

How about an idea to track FuncExpr come from the security policy
and enforce "0" on its cost? Regular functions never reach zero
cost, so the security policy must be re-ordered to the head.

> Also, if the point here is to provide security for tables not views,
> it seems like you really need to have (at least a design for) RLS
> security on insert/update/delete operations.  Just adding the same
> filter condition might be adequate for deletes, but I don't think it
> works at all for inserts.  And for updates, what prevents the user from
> updating columns he shouldn't, or updating them to key values he
> shouldn't be able to use?
>
If we also apply the security policy to newer version of tuples on
update and insert, one idea is to inject a before-row-(update|insert)
trigger to check whether it satisfies the security policy.
For same reason, the trigger should be executed at the end of
trigger chain.

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: External Open Standards
Next
From: Jeff Janes
Date:
Subject: Re: Archiver not exiting upon crash