Re: row based security ... was Different views with same

From: Marc Munro <marc(at)bloodnok(dot)com>
To: Harald Massa <HaraldMassa(at)ghum(dot)de>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: row based security ... was Different views with same
Date: 2002-01-21 22:19:03
Message-ID: 1011651543.27529.3.camel@bloodnok.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Harald,
Yes, this solution can be a performance nightmare. I know of two ways
to deal with this, neither of them perfect. You should definitely mark
the function as iscachable no matter how you proceed.

1) Make your function return an indexed column, eg:
create view x as
select *
from t_x
where name = name_I_can_see();

This doesn't work too well though if you can see more than one row!
Naturally there are variants of this approach but they all tend to
make optimising the query that much harder than it should really be.

2) Write all your queries as though they were against the original table
"t_x", rather than the view "x".

By this I mean that your application should provide all of the key
columns and specify all of the joins, as though you could see the
full set of data. The i_can_see() function then becomes a final
filter only after all other query and join criteria have been applied
by the optimiser. This kinda sucks too, as your user now has to know
details that you would probably like to be able to abstract away.

Whatever you choose to do, you are going to have to check your
performance very carefully as a badly written ad-hoc query will give you
all sorts of headaches.

FWIW, Oracle's VPD (Virtual Private Database) implementation has its
access checking functions return a text string predicate (eg "name =
'Marc' and x = y") which is added to the query plan at rewrite time.
They seem to believe that this offers the query optimiser more scope for
getting it right, which I suppose is true, but it seems like unnecessary
complexity to me. And I can't see how to do this in PostgreSQL.

On Mon, 2002-01-21 at 13:47, Harald Massa wrote:
> Marc,
>
> thank you very much for this idea.
>
> > create view x as
> > select *
> > from t_x
> > where i_can_see(name);
>
> i had this function "can_see(bid)", and the can_see function checked for the
> name.
> It works.
>
> BUT: this method kills the query-planner. seq_scan is chosen no matter what.
>
[ . . . ]
>
> HArald
>
>
--
Marc marc(at)bloodnok(dot)com

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Ross J. Reedstrom 2002-01-21 23:15:44 Re: [GENERAL] PostgreSQL Licence: GNU/GPL
Previous Message Haroldo Stenger 2002-01-21 22:18:15 Re: [HACKERS] PostgreSQL Licence: GNU/GPL