Re: Row-security on updatable s.b. views

On 02/06/2014 12:43 PM, Craig Ringer wrote:
> 1. Try (again) to do row-security in the rewriter. This was previously
> impossible because of the definition of row-security behaviour around
> inheritance, but with the simplified inheritance model now proposed I
> think it's possible.

Thanks to the simplified requirements for inheritance, this turns out to
be fairly easy. There's a version rewritten to use the rewriter in the tag:

rls-9.4-upd-sb-views-v6

on https://github.com/ringerc/postgres.git

The trickiest bit remaining is how to register the PlanInvalItem to
force plan invalidation when the user-id changes. This was easy in the
optimizer, but it's not obvious how to do it cleanly in the rewriter.
I've got a couple of ideas but don't much like either of them.
Recommendations from the experienced welcomed.

Other more minor open items, each of which look quite quick:

I haven't plugged in rewriter-based recursion detection yet, but that
looks fairly easy (famous last words?). It's 10pm and I have an early
start, so that won't happen tonight.

I haven't removed some cruft from the previous approach from the Query
node either; I need to trim the diff.

The regression test expected file needs adjustment to match the new
inheritance rules, and to cover a couple of new tests I've added.

Needs a better error when it gets an unacceptable rewrite product during
security qual rewriting (modeled on the errors for CTEs). Easy, just
some cookie cutter code.

Need to cherry-pick the docs patch back on top of the patch tree now
things are settling.

Amazingly, I think this has a hope.

--
Craig Ringer http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services