From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Thom Brown <thom(at)linux(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: RLS - permissive vs restrictive |
Date: | 2014-10-07 16:26:11 |
Message-ID: | 20141007162611.GT28859@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> The key point from my angle is that if you grant user alice the right
> to see records where a = 1 and user bob the right to see records where
> a = 2, the multiple-policy approach allows those quals to be
> implemented as index-scans. If you had a single policy granting all
> users the right to see records where policyfunc() returns true, it
> would never be indexable.
Right, that is certainly an important aspect also.
> I think that Thom's idea of having some policies that are additional
> filter conditions on top of everything else is a pretty good one.
> It's probably possible to construct a case where you need multiple
> levels of AND and OR logic, which Thom's proposal does not provide
> for. But are there really cases like that which anyone cares about?
I keep coming back to the feeling that we'd need some kind of exception
capability (more than just excluding the owner), without which this
feature wouldn't end up being practical.
> I think we're going to be tempted to think about that question for
> about 60 seconds and say "nope", and that's probably not enough
> thought. It deserves serious reflection, because I think Thom's
> proposal is terminal: if we do what he's proposing, it'll be hard to
> extend the idea any further if we later discover that it isn't general
> enough. That having been said, what he's proposing is simple and
> covers a fair amount of ground, and is thus worthy of serious
> consideration, at least IMHO.
Even given the above, I do like the idea in general and have been
thinking we need to provide something along these lines. I've been
trying to work out if we could provide a way to get to a generalized
CNF capability for policies, but I agree that it's unclear if there's
a real-world need for such.
Thanks,
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2014-10-07 16:30:07 | Re: pgaudit - an auditing extension for PostgreSQL |
Previous Message | Simon Riggs | 2014-10-07 16:24:29 | Re: pgaudit - an auditing extension for PostgreSQL |