Re: rest of works for security providers in v9.1

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, PgSQL-Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: rest of works for security providers in v9.1
Date: 2010-12-14 04:13:09
Message-ID: 4D06EED5.6040501@ak.jp.nec.com
Lists: pgsql-hackers

(2010/12/14 12:53), Robert Haas wrote:
> 2010/12/13 KaiGai Kohei<kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>> (2010/12/14 12:10), Robert Haas wrote:
>>> 2010/12/13 KaiGai Kohei<kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>>>> The starter version is not intended to be used in a production system,
>>>
>>> Well, what's the point, then? I thought we had enough infrastructure
>>> in place at this point to build a simple system that, while it
>>> wouldn't meet every use case, would be useful to some people for
>>> limited purposes. If that's not the case, I'm disappointed.
>>>
>> The point is that performance is not the first priority right now.
>> I guess its performance does not become a major issue, because the lack
>> of some features (such as DDL, row-level) is more glaring than its
>> performance.
>> It is an independent topic whether it is useful for limited purposes,
>> or not. For example, when existing permission checks disallow all
>> the DDL commands from web-applications anyway, it will achieve an
>> expected role.
>
> But you could also install a control into ProcessUtility_hook, right?

Yes, it may be an option to get control of DDL statements, although it is
not fine-grained. Of course, we have a trade-off with the scale of the patch.

> Saying, for example, you must have we_trust_you_a_lot_t to do any DDL?

No. Right now, it does not check anything on DDL commands, so all the
clients (independent of their security labels) are allowed to run any
DDL commands, as long as the existing permissions allow it.

Thanks,
--
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
