| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Tom Dunstan <pgsql(at)tomd(dot)cc> |
| Cc: | pgsql-general(at)lists(dot)postgresql(dot)org |
| Subject: | Re: RLS without leakproof restrictions? |
| Date: | 2023-02-22 03:46:05 |
| Message-ID: | 4136571.1677037565@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Tom Dunstan <pgsql(at)tomd(dot)cc> writes:
> I'm currently researching different strategies for retrofitting some
> multi-tenant functionality into our existing Postgres-backed application.
> One of the options is using RLS policies to do row filtering. This is quite
> attractive as I dread the maintenance and auditing burden of adding
> filtering clauses to the majority of our queries. I'm somewhat concerned
> though about getting unexpected query plans based on the planner avoiding
> non-leakproof functions until row filtering has occurred - warning about
> this seems common in articles on RLS.
> Our application is the only "user" of the database, and we do not pass
> database errors through to the user interface, so for our case leakproof
> plans are overkill - we'd just like the implicit filtering clauses added
> based on some session GUCs that we set.
> Is there any way to get what we're looking for here? I don't see anything
> documented on CREATE POLICY, ALTER TABLE or any GUCs.
If you're happy allowing the application to decide if the filters will
be enforced, maybe just create some views embodying those filters, and
query those views when you want restrictions?
> Alternatively, are the concerns about changed plans unfounded?
Hard to tell without experimentation.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Dunstan | 2023-02-22 04:12:52 | Re: RLS without leakproof restrictions? |
| Previous Message | Tom Dunstan | 2023-02-22 03:45:55 | Re: RLS without leakproof restrictions? |