From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Kevin Grittner <kgrittn(at)mail(dot)com> |
Cc: | Simon Riggs <simon(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Review of Row Level Security |
Date: | 2012-12-20 19:42:13 |
Message-ID: | 20121220194213.GI12354@tamriel.snowman.net |
Lists: | pgsql-hackers |
Kevin, all,
* Kevin Grittner (kgrittn(at)mail(dot)com) wrote:
> The more secure behavior is to allow entry of data which will not
> be visible by the person doing the entry.
WRT this, I'm inclined to agree with Kevin. It's certainly common in
certain environments that you can write to a higher level than you can
read from. Granting those writers access to read the data later would
be... difficult.
What we're really arguing about here, afaict, is what the default should
be. In line with Kevin's comments and Tom's reading of the spec (along
with my own experience in these environments), I'd argue for the default
to allow writing rows you're not allowed to read.
It would certainly be ideal if we could support both options, on a
per-relation basis, when we release the overall feature. It doesn't
"feel" like it'd be a lot of work to do that, but I've not been able to
follow this discussion up till now. Thankfully, I'm hopeful that I'm
going to have more time now to keep up with PG. :)
Thanks,
Stephen
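An added illustration, not part of the thread or of the patch under review: the "write up, read down" default argued for above, and the stricter alternative for a relation that wants it, written with the per-command CREATE POLICY syntax that later shipped in PostgreSQL 9.5. The session setting app.clearance, the report table and its classification levels are assumptions of this example.

```sql
-- Added example, not the 2012 patch's syntax: RLS with a per-command split
-- between what a session may read and what it may write. Assumes the
-- session is not a superuser or BYPASSRLS role and carries its clearance in
-- the custom setting app.clearance (an assumption of this example).
CREATE TABLE report (
    id             serial PRIMARY KEY,
    classification integer NOT NULL,   -- 1 = unclassified ... 4 = top secret
    body           text NOT NULL
);
ALTER TABLE report ENABLE ROW LEVEL SECURITY;
ALTER TABLE report FORCE ROW LEVEL SECURITY;  -- apply to the owner as well

-- Read down: a session sees only rows at or below its clearance.
CREATE POLICY report_read ON report
    FOR SELECT
    USING (classification <= current_setting('app.clearance')::integer);

-- Write up: a new row may be classified at the writer's level or above,
-- so the writer can enter data it will not be able to read back later.
CREATE POLICY report_write_up ON report
    FOR INSERT
    WITH CHECK (classification >= current_setting('app.clearance')::integer);

-- The other default discussed (no entering rows you cannot read), chosen
-- per relation: make the INSERT check mirror the SELECT filter instead.
-- CREATE POLICY report_write_same ON report
--     FOR INSERT
--     WITH CHECK (classification <= current_setting('app.clearance')::integer);

-- Demonstration as a clearance-2 session.
SET app.clearance = '2';
INSERT INTO report (classification, body) VALUES (3, 'secret finding');  -- accepted
INSERT INTO report (classification, body) VALUES (1, 'public note');     -- rejected by WITH CHECK
SELECT id, classification FROM report;   -- the level-3 row just written is not returned
```

Note that INSERT ... RETURNING on the write-up policy fails for rows above the writer's clearance, because RETURNING needs SELECT access to the new row; that is the expected consequence of the split, not a misconfiguration.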