[COMMITTERS] pgsql: Improve RLS planning by marking individual quals with securityl - Mailing list pgsql-committers

From Tom Lane
Subject [COMMITTERS] pgsql: Improve RLS planning by marking individual quals with securityl
Msg-id E1cTuVJ-0003ZU-A2@gemulon.postgresql.org
List pgsql-committers
Improve RLS planning by marking individual quals with security levels.

In an RLS query, we must ensure that security filter quals are evaluated
before ordinary query quals, in case the latter contain "leaky" functions
that could expose the contents of sensitive rows.  The original
implementation of RLS planning ensured this by pushing the scan of a
secured table into a sub-query that it marked as a security-barrier view.
Unfortunately this results in very inefficient plans in many cases, because
the sub-query cannot be flattened and gets planned independently of the
rest of the query.

To fix, drop the use of sub-queries to enforce RLS qual order, and instead
mark each qual (RestrictInfo) with a security_level field establishing its
priority for evaluation.  Quals must be evaluated in security_level order,
except that "leakproof" quals can be allowed to go ahead of quals of lower
security_level, if it's helpful to do so.  This has to be enforced within
the ordering of any one list of quals to be evaluated at a table scan node,
and we also have to ensure that quals are not chosen for early evaluation
(i.e., use as an index qual or TID scan qual) if they're not allowed to go
ahead of other quals at the scan node.

This is sufficient to fix the problem for RLS quals, since we only support
RLS policies on simple tables and thus RLS quals will always exist at the
table scan level only.  Eventually these qual ordering rules should be
enforced for join quals as well, which would permit improving planning for
explicit security-barrier views; but that's a task for another patch.

Note that FDWs would need to be aware of these rules --- and not, for
example, send an insecure qual for remote execution --- but since we do
not yet allow RLS policies on foreign tables, the case doesn't arise.
This will need to be addressed before we can allow such policies.

Patch by me, reviewed by Stephen Frost and Dean Rasheed.

Discussion: https://postgr.es/m/8185.1477432701@sss.pgh.pa.us

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/215b43cdc8d6b4a1700886a39df1ee735cb0274d

Modified Files
--------------
src/backend/nodes/copyfuncs.c                      |   2 +
src/backend/nodes/equalfuncs.c                     |   1 +
src/backend/nodes/outfuncs.c                       |   6 +
src/backend/optimizer/README                       | 102 +++
src/backend/optimizer/path/allpaths.c              | 166 ++--
src/backend/optimizer/path/equivclass.c            |  61 +-
src/backend/optimizer/path/indxpath.c              |  26 +-
src/backend/optimizer/path/tidpath.c               |  25 +-
src/backend/optimizer/plan/createplan.c            |  53 +-
src/backend/optimizer/plan/initsplan.c             |  90 ++-
src/backend/optimizer/plan/planner.c               | 125 +--
src/backend/optimizer/prep/Makefile                |   2 +-
src/backend/optimizer/prep/prepjointree.c          |   1 +
src/backend/optimizer/prep/prepsecurity.c          | 486 ------------
src/backend/optimizer/prep/prepunion.c             |  71 +-
src/backend/optimizer/util/clauses.c               |  14 +-
src/backend/optimizer/util/orclauses.c             |   3 +
src/backend/optimizer/util/relnode.c               |  14 +
src/backend/optimizer/util/restrictinfo.c          | 125 ++-
src/include/nodes/relation.h                       |  22 +
src/include/optimizer/planmain.h                   |   4 +-
src/include/optimizer/prep.h                       |   5 -
src/include/optimizer/restrictinfo.h               |   8 +-
.../test_rls_hooks/expected/test_rls_hooks.out     |  24 +-
src/test/regress/expected/equivclass.out           |  42 +
src/test/regress/expected/rowsecurity.out          | 877 +++++++++------------
src/test/regress/expected/updatable_views.out      | 304 +++----
src/test/regress/sql/equivclass.sql                |  32 +
src/test/regress/sql/updatable_views.sql           |   4 +-
29 files changed, 1137 insertions(+), 1558 deletions(-)
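The ordering rule the commit message describes, modelled as an added Python example (not code from the PostgreSQL source): each qual carries a security_level and a leakproof flag, quals run in ascending level, a leakproof qual may be hoisted ahead of lower-level ones, and a qual may be promoted to an index or TID scan qual only if that bypasses nothing of lower level. The Qual type, the sample quals and their leakproof flags are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Qual:
    """Toy stand-in for a RestrictInfo: only the fields the ordering rule needs."""
    clause: str
    security_level: int   # lower levels must run first; RLS quals sit below user quals
    leakproof: bool       # every function/operator in the clause is LEAKPROOF
    cost: float           # per-row evaluation cost, the tie-breaker within a level

def order_quals(quals):
    """Evaluation order for one scan node's qual list.

    Quals run in ascending security_level, except that a leakproof qual may be
    hoisted ahead of lower-level quals (it cannot expose row contents, so running
    it early is safe and often cheap).  Within a level, cheaper quals go first;
    the sort is stable, so ties keep their input order.
    """
    return sorted(quals, key=lambda q: (0 if q.leakproof else q.security_level, q.cost))

def securely_promotable(q, quals):
    """May q be pulled out for early evaluation as an index or TID scan qual?

    Only if no qual of a strictly lower security_level would be bypassed,
    or q is leakproof.
    """
    min_level = min(x.security_level for x in quals)
    return q.leakproof or q.security_level <= min_level

def leak_safe(ordered):
    """Check the invariant: no leaky qual runs before a qual of lower level."""
    for i, q in enumerate(ordered):
        if q.leakproof:
            continue
        if any(later.security_level < q.security_level for later in ordered[i + 1:]):
            return False
    return True

# Constructed sample: one RLS policy qual (level 0) and two user quals (level 1).
# The leakproof flags are assumed for illustration, not looked up in pg_proc.
SAMPLE = [
    Qual("owner = current_user", security_level=0, leakproof=False, cost=1.0),
    Qual("id = 42",              security_level=1, leakproof=True,  cost=0.5),
    Qual("note ~~ '%secret%'",   security_level=1, leakproof=False, cost=0.7),
]

if __name__ == "__main__":
    for q in order_quals(SAMPLE):
        print(f"{q.clause:22} level={q.security_level} leakproof={q.leakproof} "
              f"promotable={securely_promotable(q, SAMPLE)}")
    # Ordering by cost alone would run the leaky LIKE before the policy qual.
    print("cost-only order leak-safe:", leak_safe(sorted(SAMPLE, key=lambda q: q.cost)))
```

Running it shows the cheap leakproof `id = 42` hoisted ahead of the policy qual while the leaky LIKE stays behind it, and that a cost-only sort would violate the invariant.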

