Re: How to get SE-PostgreSQL acceptable

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Joshua Brindle <method(at)manicmethod(dot)com>, Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PG Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: How to get SE-PostgreSQL acceptable
Date: 2009-01-29 05:46:38
Message-ID: 498142BE.6060906@ak.jp.nec.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Bruce Momjian wrote:
> Robert Haas wrote:
>> On Wed, Jan 28, 2009 at 6:57 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> Hmm. If that's the expected application environment then the patch as
>>> proposed has fatal performance problems anyway, for lack of a way to
>>> get rid of no-longer-referenced pg_security rows. We had been led to
>>> understand that there wouldn't be all that many distinct labels in use,
>>> but this seems to imply that there are going to be $bignum of them.
>>> That changes pg_security leakage from a can-live-with-for-first-cut
>>> issue to a must-fix-to-be-credible issue.
>> It's worth noting that this is yet another thing that is mostly a
>> problem in the context of row-level security. It seems to me that if
>> security labels are only applied to tables and columns, then it will
>> be possible to scan the whole database relatively quickly and find all
>> the labels that are still in use, probably without breaking a sweat.
>> On the other hand, when you have row-level security, it gets a lot
>> harder.
>
> If we are not labeling every row, why not just use a TEXT column without
> using an OID to reference pg_security; there aren't that places,
> pg_class, pg_attribute, etc, i.e. they are not on every data row.

We should not assume every row are not labeled forever, at least.
It will lose expandability soon.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Jonah H. Harris 2009-01-29 05:55:36 Re: How to get SE-PostgreSQL acceptable
Previous Message Bruce Momjian 2009-01-29 05:34:36 Re: How to get SE-PostgreSQL acceptable