Re: Security Label Inheritance - Mailing list pgsql-hackers

From Andres Freund
Subject Re: Security Label Inheritance
Msg-id E715622A-04DE-49E3-A7F2-2E68067ACFEF@anarazel.de
In response to Security Label Inheritance  (Damien Clochard <damien@dalibo.info>)
List pgsql-hackers
Hi,

On February 25, 2025 10:08:44 AM GMT+01:00, Damien Clochard <damien@dalibo.info> wrote:
>So my first question is : Do you think it would be helpful to update the SECURITY LABEL command documentation to clarify that security labels are not concerned by object inheritance ?

Couldn't hurt.


>My second question is more open : do you think it would be worth adding a new way to declare that a security label applies to an object and all its inheritants ?  As I understand this would concern only roles and tables.
>
>Maybe a new optional `[ [WITH] INHERIT | NOINHERIT ]` syntax at the end of the SECURITY LABEL command....
>
>Something like this :
>
>SECURITY LABEL FOR anon ON ROLE extern IS 'MASKED' WITH INHERIT;
>
>SECURITY LABEL FOR anon ON COLUMN people.name
>  IS 'MASKED WITH VALUE NULL'
>  WITH INHERIT;
>
>The default would be NOINHERIT and all extensions that rely on the current behaviour would continue to work without any change.

I doubt that is viable. That'd mean we somehow need to teach the label infrastructure about all kinds of inheritance *and* make that recursive label collection fast. The caching right now uses generic infrastructure, it certainly couldn't with inheritance support. That'd be a fair bit of infrastructure.

Greetings,

Andres
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
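The practical consequence of the behaviour discussed in this thread is that a label placed on a parent table, column or role does not reach its children or members, so a masking policy can silently leave child tables unmasked. The following script is an added example, not code from the thread or from PostgreSQL itself: it assumes the `anon` extension from the thread is installed (any other label provider works if you substitute its name), builds a small constructed inheritance hierarchy, labels only the parent, and then runs three catalog checks that list children, child columns and role members that carry no label even though their parent does. The catalog tables (`pg_seclabel`, `pg_shseclabel`, `pg_inherits`, `pg_auth_members`) are real; the table, role and label names are constructed for the demonstration.

```sql
-- Added example (not from the thread). Assumes the 'anon' provider is loaded.
CREATE EXTENSION IF NOT EXISTS anon;

-- Constructed hierarchy: staff inherits from people, and a group role with a member.
CREATE TABLE people (id int, name text);
CREATE TABLE staff (dept text) INHERITS (people);
CREATE ROLE extern_group;
CREATE ROLE extern_user IN ROLE extern_group;

-- Labels are applied to the parent objects only.
SECURITY LABEL FOR anon ON COLUMN people.name IS 'MASKED WITH VALUE NULL';
SECURITY LABEL FOR anon ON ROLE extern_group IS 'MASKED';

-- Check 1: child tables whose parent has a table-level label but which have none.
SELECT p.relname AS parent, c.relname AS child, pl.label AS parent_label
FROM pg_inherits i
JOIN pg_class p ON p.oid = i.inhparent
JOIN pg_class c ON c.oid = i.inhrelid
JOIN pg_seclabel pl
  ON pl.objoid = p.oid AND pl.classoid = 'pg_class'::regclass
 AND pl.objsubid = 0 AND pl.provider = 'anon'
LEFT JOIN pg_seclabel cl
  ON cl.objoid = c.oid AND cl.classoid = 'pg_class'::regclass
 AND cl.objsubid = 0 AND cl.provider = 'anon'
WHERE cl.objoid IS NULL;

-- Check 2: child columns (matched by name) whose parent column is labeled
-- but which carry no label themselves. Expected to report staff.name here.
SELECT p.relname AS parent, pa.attname AS column_name,
       c.relname AS child, pl.label AS parent_label
FROM pg_inherits i
JOIN pg_class p ON p.oid = i.inhparent
JOIN pg_class c ON c.oid = i.inhrelid
JOIN pg_attribute pa
  ON pa.attrelid = p.oid AND pa.attnum > 0 AND NOT pa.attisdropped
JOIN pg_seclabel pl
  ON pl.objoid = p.oid AND pl.classoid = 'pg_class'::regclass
 AND pl.objsubid = pa.attnum AND pl.provider = 'anon'
JOIN pg_attribute ca
  ON ca.attrelid = c.oid AND ca.attname = pa.attname AND NOT ca.attisdropped
LEFT JOIN pg_seclabel cl
  ON cl.objoid = c.oid AND cl.classoid = 'pg_class'::regclass
 AND cl.objsubid = ca.attnum AND cl.provider = 'anon'
WHERE cl.objoid IS NULL;

-- Check 3: members of a labeled role that have no label of their own.
-- Roles are shared objects, so their labels live in pg_shseclabel.
-- Expected to report extern_user here.
SELECT g.rolname AS group_role, m.rolname AS member, gl.label AS group_label
FROM pg_auth_members am
JOIN pg_authid g ON g.oid = am.roleid
JOIN pg_authid m ON m.oid = am.member
JOIN pg_shseclabel gl
  ON gl.objoid = g.oid AND gl.classoid = 'pg_authid'::regclass
 AND gl.provider = 'anon'
LEFT JOIN pg_shseclabel ml
  ON ml.objoid = m.oid AND ml.classoid = 'pg_authid'::regclass
 AND ml.provider = 'anon'
WHERE ml.objoid IS NULL;
```

Checks 2 and 3 are the ones that matter for masking in practice: each row they return is an object that a reader of the parent's label would reasonably expect to be covered but is not, and the fix today is to label each child or member explicitly (the same queries, re-run after labeling, should return nothing). Check 2 matches child columns by name because a child created with `INHERITS` shares column names but not necessarily attribute numbers with its parent.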