From: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
---|---|
To: | Greg Stark <stark(at)enterprisedb(dot)com> |
Cc: | KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, Martijn van Oosterhout <kleptog(at)svana(dot)org>, bogdan(at)omnidatagrup(dot)ro, David Fetter <david(at)fetter(dot)org>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: SE-PostgreSQL and row level security |
Date: | 2009-02-17 01:59:02 |
Message-ID: | 499A19E6.2080601@ak.jp.nec.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
>> It is incorrect.
>> It seems to me you confound a covert channel and granularity in access
>> controls. The purpose of row-level security is to provide users more
>> flexibility in access controls, not related to covert channels.
>
> No, I claim it's you that's confounding the data hiding scheme with
> row-level granular access controls.
Please note that SE-PostgreSQL does not make an assurance to hide
existence of invisible data. It ensures to prevent to read invisible
data via formal route, not a covert channel.
> If a user types "SELECT count(*) from table" they should either get
> the correct count of records from that table or get a permission
> failure.
>
> If they want to get the count of records for which they have read
> access they should have to write "SELECT count(*) from table where
> access_check(security_label, current_user())" or something like that.
SE-PostgreSQL considers "SELECT count(*) FROM table;" is an unconditional
select from a simple view with a condition.
However, there is no fundamental differences between filtering-out and
raising-error in the point where user cannot see invisible data via
formal route.
For example, a GUC variable to switch the behavior may be an option.
(It will be necessary to consider more for conclusion.)
But needless to say, my preference is filtering-out because it does
not require users to add additional conditions to avoid violated
tuples for each queries.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2009-02-17 02:28:43 | Re: pg_migrator and handling dropped columns |
Previous Message | KaiGai Kohei | 2009-02-17 01:44:02 | Re: SE-PostgreSQL and row level security |