Re: security checks for largeobjects?

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: security checks for largeobjects?
Date: 2009-06-23 04:06:02
Message-ID: 4A4054AA.2080400@ak.jp.nec.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

KaiGai Kohei wrote:
> KaiGai Kohei wrote:
>> The todo list says, as follows:
>> * Binary Data
>> o Add security checks for large objects
>>
>> http://wiki.postgresql.org/wiki/Todo#Binary_Data
>>
>> Is anyone working on? or interested in?
>
> OK, it seems to me nobody is working on the todo item.
> I'll also submit this feature on the v8.5 development cycle.
>
> At first, I would have a discussion about its interfaces and
> functionalities. Here are a few issues.
>
> * What permissions should be checked?
> It is quite natural to check 'read' and 'write' permission for
> largeobjects. In addition, we may need to consider how 'create'
> and 'unlink' permission should be handled.
> When we create a database objects under the certain schema,
> it checks ACL_CREATE privilege on the parent schema object.
> But, now largeobjects are not corresponding to any certain
> schemas.
> When we drop a database objects, it checks ownership of the
> target objects. But, now largeobjects does not have its owner
> identifier within pg_largeobject.
>
> My preference is to add a namespace and a owner id for each
> largeobjects and checks create permissions for the schema
> object, and unlink permission based on its ownership.
>
> * What interface is preferable?
> We have two options here.
> The one is an enhancement of current GRANT/REVOKE statement,
> such as:
> GRANT READ,WRITE ON LARGE OBJECT 1234 TO kaigai;
>
> The other option is a few new largeobject functions to set up
> permissions on largeobjects, such as:
> SELECT lo_grant(1234, 'kaigai', 'read,write');
>
> My preference is the later approach because the first one consumes
> two new permission bits, although here is no fundamental differences
> to SELECT and UPDATE.
>
> Thanks, any comments please.

From the viewpoint of the implementation, we have two approaches.

Someone needs to have various kind of attributes corresponding to
a certain largeobject, such as owner-id, namespace-id and acls.
We call them metadata.

1. Metadata within pg_largeobject
Now, a largeobject consists of multiple page-frames, stored in
pg_largeobject system catalog. This approach adds a few new fields
to store the metadata on the pg_largeobject system catalog, and
copies the metadata to all the page-frames.
It will minimize the changes in largeobject subsystem, but data
structure is not smart in my sense.

2. Metadata within separated system catalog.
This approach adds a new system catalog to manage the metadata
of the largeobjects. It will contain the owner-id, namespace-id
and acls, and all the page-frames within pg_largeobject will
indicate a tuple within the new system catalog.
It will provide natural data structure, but scale of the changes
may be larger than the first approach.

My preference is the later one. It reduces the pain to manage
consistency of the metadata between page-frames.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message David Fetter 2009-06-23 04:06:32 Re: security checks for largeobjects?
Previous Message Tom Lane 2009-06-23 03:43:29 Re: building without perl