Re: SE-PostgreSQL and row level security

From: Greg Stark <stark(at)enterprisedb(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Martijn van Oosterhout <kleptog(at)svana(dot)org>, bogdan(at)omnidatagrup(dot)ro, David Fetter <david(at)fetter(dot)org>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: SE-PostgreSQL and row level security
Date: 2009-02-16 16:21:03
Message-ID: 4136ffa0902160821p337f6ff6ja52f43724103c3a9@mail.gmail.com
Views: Whole Thread | Raw Message | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Mon, Feb 16, 2009 at 4:14 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>
> I'm not sure I understand what you mean by that. I expect that if I
> deny a particular user access to SELECT from a particular table the
> system will throw a permissions error if that user later enters
> "SELECT * FROM <table-name>". I don't expect that the system will
> foresee every possible alternative way that a user might able to infer
> something about the contents of that table and block it. I similarly
> expect that if I install SE-PostgreSQL and configure it to filter out
> certain rows from accesses to certain tables, those rows will in fact
> be filtered. I still don't expect it to foresee every possible
> alternative way that a user might be able to infer something about the
> contents of the data to which the user does not have direct access.
>
> Is this fundamentally a semantic issue? If there's an asymmetry here
> in what is being claimed, I'm not seeing it.

Well the asymmetry is that in the former case the verb is "deny" and
the latter it's "filter"...

--
greg

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Andres Freund 2009-02-16 16:26:32 Re: SE-PostgreSQL and row level security/Alternatives
Previous Message Alvaro Herrera 2009-02-16 16:20:11 Re: autovacuum not honoring pg_autovacuum in 8.3.5?