Re: How to get SE-PostgreSQL acceptable

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Joshua Brindle <method(at)manicmethod(dot)com>, Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PG Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: How to get SE-PostgreSQL acceptable
Date: 2009-01-29 03:15:27
Message-ID: 49811F4F.6040101@ak.jp.nec.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Robert Haas wrote:
> On Wed, Jan 28, 2009 at 6:57 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Hmm. If that's the expected application environment then the patch as
>> proposed has fatal performance problems anyway, for lack of a way to
>> get rid of no-longer-referenced pg_security rows. We had been led to
>> understand that there wouldn't be all that many distinct labels in use,
>> but this seems to imply that there are going to be $bignum of them.
>> That changes pg_security leakage from a can-live-with-for-first-cut
>> issue to a must-fix-to-be-credible issue.
>
> It's worth noting that this is yet another thing that is mostly a
> problem in the context of row-level security. It seems to me that if
> security labels are only applied to tables and columns, then it will
> be possible to scan the whole database relatively quickly and find all
> the labels that are still in use, probably without breaking a sweat.
> On the other hand, when you have row-level security, it gets a lot
> harder.

Yes, I think we shoule not ignore upcoming feature, even if it is
not on time of the next release.

> I'm wondering if this problem could be solved with a sort of
> mark-and-sweep garbage collection: add a boolean column `used' to
> pg_security (which I really think out to be renamed to
> pg_selinux_context or something, and make a new table if we someday
> support Trusted Solaris or whatever). Whenever you do an OID lookup
> and find a row that says "false", do a non-transactional update and
> change it to say "true".

It seems to me reference-counter is more preferable than boolean,
at least. But it makes performance pain on writer access when it
is expanded to row-level security.

> Then you can write something which goes through and sets all the rows
> to false and then visits every row of every table in the database and
> forces OID lookups on the security ID of each. When you get done, any
> rows that still say false are unreferenced and can be killed.
>
> Also... even if there are thousands of contexts, it only matters to
> the extent that there is a lot of churn, and I'm not sure whether
> that's something that is expected. Josh Brindle, any thoughts?

Unless the security policy writer got crazy, it would be unrealistic.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Fujii Masao 2009-01-29 03:18:12 Re: Hot standby, recovery infra
Previous Message Robert Haas 2009-01-29 03:12:10 Re: pg_upgrade project status