From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Joe Conway <mail(at)joeconway(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Multi-tenancy with RLS |
Date: | 2016-02-09 20:46:39 |
Message-ID: | CA+TgmoYFZmX8O2C1S-2Nh2_XkgZtYJpbG56-d=Uf2tyKEzL+vA@mail.gmail.com |
Lists: | pgsql-hackers |
On Tue, Feb 9, 2016 at 3:26 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> Arbitrary code execution is quite a different concern from the prior
> concern regarding incomplete dumps.

I've had both concerns all along, and I think I've mentioned them before.

> To the extent that untrusted code execution is an issue (and my
> experience with environments which would deploy RLS tells me that it
> isn't a practical concern), an option could be created which would cause
> an error to be thrown on non-catalog RLS being run.

There's a major release already in the wild that doesn't behave that
way. And anyway I think that's missing the point: it's true that
features that are turned off don't cause problems, but features that
are turned on shouldn't break things either.

> When it comes to multi-tenancy environments, as this thread is about,
> chances are the only tables you can see are ones which you own or are
> owned by a trusted user, which is why I don't view this as a practical
> concern, but I'm not against having a solution to address the issue
> raised regarding arbitrary code execution, provided it doesn't create
> more problems than it purports to solve.

Well, I'm against accepting this patch without such a solution.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company