Postgres Pro
Downloads
Home   >   mailing lists

Re: API change advice: Passing plan invalidation info from the rewriter into the planner? - Mailing list pgsql-hackers

From Dean Rasheed
Subject Re: API change advice: Passing plan invalidation info from the rewriter into the planner?
Date
Msg-id CAEZATCW9L89E4Fpc_3OqH2bSbwW8v9jzOc3azCOwaPcn2sY6vw@mail.gmail.com
Whole thread Raw
In response to Re: API change advice: Passing plan invalidation info from the rewriter into the planner?  (Stephen Frost <sfrost@snowman.net>)
Responses Re: API change advice: Passing plan invalidation info from the rewriter into the planner?  (Dean Rasheed <dean.a.rasheed@gmail.com>)
RLS Design  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Tree view 
On 24 June 2014 17:27, Stephen Frost <sfrost@snowman.net> wrote:
> Single policy vs Multiple, Overlapping policies vs Multiple, Non-overlapping policies
>

What I was describing upthread was multiple non-overlapping policies.

I disagree that this will be more complicated to use. It's a strict
superset of the single policy functionality, so if you want to do it
all using a single policy then you can. But I think that once the ACLs
reach a certain level of complexity, you probably will want to break
it up into multiple policies, and I think doing so will make things
simpler, not more complicated.

Taking a specific, simplistic example, suppose you had 2 groups of
users - some are normal users who should only be able to access their
own records. For these users, you might have a policy like
 WHERE person_id = current_user

which would be highly selective, and probably use an index scan. Then
there might be another group of users who are managers with access to
the records of, say, everyone in their department. This might then be
a more complex qual along the lines of
 WHERE person_id IN (SELECT ... FROM person_department                      WHERE mgr_id = current_user AND ...)

which might end up being a hash or merge join, depending on any
user-supplied quals.

You _could_ combine those into a single policy, but I think it would
be much better to have 2 distinct policies, since they're 2 very
different queries, for different use cases. Normal users would only be
granted permission to use the normal_user_policy. Managers might be
granted permission to use either the normal_user_policy or the
manager_policy (but not both at the same time).

That's a very simplified example. In more realistic situations there
are likely to be many more classes of users, and trying to enforce all
the logic in a single WHERE clause is likely to get unmanageable, or
inefficient if it involves lots of logic hidden away in functions.
Allowing multiple, non-overlapping policies allows the problem to be
broken up into more manageable pieces, which also makes the planner's
job easier, since only a single, simpler policy is in effect in any
given query.

Regards,
Dean

pgsql-hackers by date:

Previous
From: Heikki Linnakangas
Date:
Subject: Bug in spg_range_quad_inner_consistent for adjacent operator (was Re: Add a filed to PageHeaderData)
Next
From: Dean Rasheed
Date:
Subject: Re: API change advice: Passing plan invalidation info from the rewriter into the planner?