Thread: Will there ever be support for Row Level Security on Materialized Views?
Hi. My question is similar to one that was asked but apparently never answered a couple of years ago on this list. (https://www.postgresql.org/message-id/20160112023419.GA30965%40moraine.isi.edu)
--
Basically, I'm wondering whether materialized views are likely to ever support row-level security.
I've been toying with using MVs to address some performance issues, until coming across this issue.
As explanation of the use case, I've got a DB that is shared across multiple sites ("segments"). Each site is a different DB user, and access to data is controlled by a function (has_segment_access).
So for a table, and a view, we use:
CREATE POLICY tbl_client_sites ON tbl_client FOR ALL USING (has_segment_access(agency_segment_code));
CREATE VIEW client AS SELECT * FROM tbl_client WHERE has_segment_access(agency_segment_code);
I'd been thinking I could just materialize some of these views, but then they are frozen data, like a table. But unlike a table, you can't apply RLS. Hence the email. Any insight or development crystal-balling appreciated. Thanks!
Ken
AGENCY Software
A Free Software data system
By and for non-profits
(253) 245-3801
learn more about AGENCY or
follow the discussion.
On Tue, Aug 14, 2018 at 5:24 PM Ken Tanzer <ken.tanzer@gmail.com> wrote:
Hi. My question is similar to one that was asked but apparently never answered a couple of years ago on this list. (https://www.postgresql.org/message-id/20160112023419.GA30965%40moraine.isi.edu)Basically, I'm wondering whether materialized views are likely to ever support row-level security.
Hi. Just wanted to follow up on my own email and see if anyone could answer this.
Cheers,
Ken
--
AGENCY Software
A Free Software data system
By and for non-profits
(253) 245-3801
learn more about AGENCY or
follow the discussion.
Hi David, and thanks for taking the time to respond.
--
On Mon, Aug 27, 2018 at 3:29 PM David Rowley <david.rowley@2ndquadrant.com> wrote:
You might think there's some master project-wide list of things that
are to implement that we all work from, but there's not.
I suppose I might have thought that, but I didn't. That's partly why I asked on this list.
New features normally appear for one of two reasons:
1) A developer gets inspired to make something happen; or
2) Someone pays a developer to make something happen.
OK.
So I guess in this case either 1 or 2 has not happened, or they have
but the correct people have either not seen your email or they just
simply don't want to answer.
Yes, that also partly why I resent. Generally it seems most questions sent to this list get some kind of response. So perhaps my original question was not seen by "the correct people."
Or perhaps they "simply don't want to answer." Well I wondered about that too, since the last person who asked about this didn't get a response either. Is it a particularly stupid question? Is there some history that makes it a touchy subject? Or is it just the Bermuda Triangle of this mailing list? :)
If you're desperate for the feature, I'd recommend looking into the
possibility of going with 1 or 2.
I'm not really desperate, and unlikely to do either 1 or 2. But it still would be helpful to have a sense of what the future _might_ look like in this area. This seems like a relatively common type of inquiry on this list. Maybe there are reasons this will never get implemented. (e.g., it's a Bad Idea, or it's so hard to implement that your head would explode if we explained it to you, or it would interfere with x, y or z). Maybe there's no conceptual or technical obstacles, and it really does just come down to someone doing it. Maybe something else entirely.
People on this list generally seem pretty generous in spirit and sharing of their knowledge, insights and opinions. It seemed a pretty reasonable and typical question to ask. I guess if there's no answer to be had, then so be it!
Cheers,
Ken
AGENCY Software
A Free Software data system
By and for non-profits
(253) 245-3801
learn more about AGENCY or
follow the discussion.
On Mon, Aug 27, 2018 at 4:19 PM David G. Johnston <david.g.johnston@gmail.com> wrote:
People on this list generally seem pretty generous in spirit and sharing of their knowledge, insights and opinions. It seemed a pretty reasonable and typical question to ask. I guess if there's no answer to be had, then so be it!You asked the question in a manner where the obvious reactions are: Reply Affirmative: "Yes, I am planning/working on that right now" or Do Nothing: "I'm not going to respond because while I'm not aware of any work in this area I have no clue what others might or might not be planning/doing in this area before the heat death of the universe (a reasonably close approximation of "ever")".Since most things are theoretically possible a flat out - "no that will never happen is unlikely".
Thanks David J. So I guess I could have asked:
- Is there any reason there is no RLS / MV support now?
- Are there any reason fundamental reasons why PG couldn't support RLS for MVs?
- Is it just a matter of nobody has done it yet?
- Is there other development work that would need to happen before this could be implemented?
- In the scheme of things, is it a lot of work or not so much?
- Has there been any discussion of implementing this feature, and if so is there a link to it?
--
AGENCY Software
A Free Software data system
By and for non-profits
(253) 245-3801
learn more about AGENCY or
follow the discussion.
On Mon, Aug 27, 2018 at 4:23 PM David Rowley <david.rowley@2ndquadrant.com> wrote:
If I had to guess what's going on here then I'd say that nobody has
been sufficiently motivated to work on this yet. If that's the case,
everyone who reads your email is not the person working on this
feature, so can't answer your question. I just answered to suggest
the reasons why you might not be getting an answer.
Thanks, that makes sense, and I appreciate that.
--
David Rowley http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services
AGENCY Software
A Free Software data system
By and for non-profits
(253) 245-3801
learn more about AGENCY or
follow the discussion.