From: | Alvaro Herrera <alvherre(at)2ndquadrant(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Charles Clavadetscher <clavadetscher(at)swisspug(dot)org>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: unclear about row-level security USING vs. CHECK |
Date: | 2015-09-23 19:07:10 |
Message-ID: | 20150923190710.GW295765@alvherre.pgsql |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Robert Haas wrote:
> On Wed, Sep 23, 2015 at 2:39 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> >> On Wed, Sep 23, 2015 at 12:01 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> >> > * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> >> >> My expectation would have been:
> >> >>
> >> >> If you specify USING, you can see only those rows, but you can give
> >> >> rows away freely. If you don't want to allow giving rows away under
> >> >> any circumstances, then specify the same expression for USING and WITH
> >> >> CHECK.
> >> >
> >> > Having an implicit 'true' for WITH CHECK would be very much against what
> >> > I would ever expect. If anything, I'd think we would have an implicit
> >> > 'false' there or simply not allow it to ever be unspecified.
> >>
> >> Huh? If you had an implicit false, wouldn't that prevent updating or
> >> deleting any rows at all?
> >
> > Right, just the same as how, if RLS is enabled and no explicit policies
> > are provided, non-owners can't see the rows or insert/update/delete
> > anything in the table. The same is true for the GRANT system, where
> > there are no permissions granted by default. I view the lack of an
> > explicit definition of a WITH CHECK clause to be the same, excepting the
> > simple case where it's the same as USING.
>
> Hmm, interesting. I guess that's a defensible position, but I still
> think that having them default to be the same thing implicitly is
> kinda weird. I'll defer to whatever the consensus, is, though.
I think an explicit statement of a "true" as WITH CHECK makes more sense
-- I think Stephen suggested it upthread as making the WITH CHECK be
mandatory. If you really want to allow rows to be "given away" (which
could be a security issue), a "WITH CHECK (true)" is easy enough to
specify.
--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2015-09-23 19:20:08 | Re: unclear about row-level security USING vs. CHECK |
Previous Message | Andres Freund | 2015-09-23 19:00:30 | Re: Rework the way multixact truncations work |