From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: [RFC] Security label support |
Date: | 2010-05-27 20:25:00 |
Message-ID: | 20100527202500.GN21875@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Stephen Frost <sfrost(at)snowman(dot)net> writes:
> > Err, your question comes across to me like "if you added comments to
> > pg_depend, you'd only be able to use a given comment X for one object?".
> > Doesn't make alot of sense. :)
>
> Well, one of us is confused. I thought the idea was that the same
> security label would apply to many different objects. If each object
> has its own label, you're going to need an awfully large label cache
> for performance to be sane.
It's certainly true that many objects could, and probably would in most
situations, have the same label. I feel like that could be true of
comments as well. We were just thinking about keeping it simple in the
first go-round. Going back to what I think was KaiGai's earlier
question about which way to go:
#1: only have pg_description-like pg_seclabel
(objoid oid, classoid oid, objsubid integer, label text)
#2: have long-lived labels in pg_seclabels with (secoid oid, label text)
have label_oid in various system catalogs (pg_class, etc)
#3: have long-lived labels in pg_seclabels with (secoid oid, label text)
have mapping from each object to OID of label associated with it
(objoid oid, classoid oid, objsubid integer, secoid oid)
My inclination would generally be towards #2, to be honest, but I
thought we wanted to avoid changing pg_namespace, pg_class and
pg_attribute for this.
> OK, but the notion that you would try to remove "orphan" pg_labels
> entries seems entirely wrongheaded to me. The labels would be
> long-lived objects.
OK, then we should really go with either #2 or #3 from above, and make
sure that we add appropriate grammar to allow adding and removing of
security labels. Do we then throw an error if someone tries to put a
label on an object that we don't already know of? We certainly need to
complain if someone tries to remove a label that is used by an object
somewhere. Typically, I'd expect the set of labels to be pretty well
defined, but there will still be some amount of churn, and we'll need a
way for people to determine what objects are still using certain labels.
Not unlike how we deal with roles today already though.
Thanks,
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2010-05-27 20:31:46 | Re: Synchronization levels in SR |
Previous Message | Joe Conway | 2010-05-27 20:21:55 | Re: Idea for getting rid of VACUUM FREEZE on cold pages |