Security Label Inheritance

Hi

My name's Damien Clochard and I'm the main developer of the PostgreSQL
Anonymizer extension. This extension relies heavily on security labels.
Among other things, users can add labels to define a "masking rule" upon
a column and to declare that a roles is "masked".

More details on how this works on the documentation:
https://postgresql-anonymizer.readthedocs.io/en/latest/dynamic_masking/

Currently a security label is applied to one and only one object. In
particular a label does not apply to the objects that inherit from the
objet it is originally associated with.

Consider the following

ALTER DATABASE foo SET session_preload_libraries = 'anon';
ALTER DATABASE foo SET anon.transparent_dynamic_masking = TRUE;

CREATE TABLE people AS SELECT 5432 AS id, 'slonik' AS name;
CREATE EXTENSION anon;
SECURITY LABEL FOR anon ON COLUMN people.name IS 'MASKED WITH VALUE
NULL';
CREATE ROLE extern INHERIT;
SECURITY LABEL FOR anon ON ROLE extern IS 'MASKED';
GRANT USAGE ON SCHEMA public TO extern;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO extern;
CREATE ROLE joe LOGIN IN ROLE extern;

When connecting as role joe, I will have all the privileges granted to
extern. However, joe is not affected by the security label defined on
the extern group. He can read the personal data.

\connect - joe

SELECT * FROM people;
id | name
------+--------
5432 | slonik

I need to explicitly change the role for the label to be applied and in
that case the mask upon the people.name column is applied

SET ROLE extern;

SELECT * FROM people;
id | name
------+------
5432 |

I am not suggesting that this behaviour should change but I receive a
lot of feedback from users showing some confusion as they would expect
that the INHERIT clause would also apply to security labels, just like
granted privileges.

A similar confusion occurs with inherited tables :

\connect - postgres
CREATE TABLE french (eat_frogs BOOLEAN) INHERITS(people);
INSERT INTO french VALUES (0,'damien', FALSE);
GRANT SELECT ON TABLE french TO extern;

SET ROLE extern;

The mask is applied to the parent table

SELECT * FROM people;
id | name
------+--------
5432 |
0 |

But it is not applied to the child table

SELECT * FROM french;
id | name | eat_frogs
----+--------+-----------
0 | damien | f

Again most users expect that the masking rule on people.name would also
be applied to french.name.

So my first question is : Do you think it would be helpful to update the
SECURITY LABEL command documentation to clarify that security labels are
not concerned by object inheritance ?

My second question is more open : do you think it would be worth adding
a new way to declare that a security label applies to an object and all
its inheritants ? As I understand this would concern only roles and
tables.

Maybe a new optional `[ [WITH] INHERIT | NOINHERIT ]` syntax at the end
of the SECURITY LABEL command....

Something like this :

SECURITY LABEL FOR anon ON ROLE extern IS 'MASKED' WITH INHERIT;

SECURITY LABEL FOR anon ON COLUMN people.name
IS 'MASKED WITH VALUE NULL'
WITH INHERIT;

The default would be NOINHERIT and all extensions that rely on the
current behaviour would continue to work without any change.

Let me know if I missed anything or if there's another way to achieve
this kind of security label inheritance.

Regards,

--
Damien