Re: row_security GUC, BYPASSRLS

On Thu, Oct 1, 2015 at 11:10 PM, Noah Misch <noah(at)leadboat(dot)com> wrote:
> On Mon, Sep 28, 2015 at 05:13:56PM -0400, Stephen Frost wrote:
>> * Noah Misch (noah(at)leadboat(dot)com) wrote:
>> > In schema reviews, I will raise a red flag for use of this feature; the best
>> > designs will instead use additional roles. I forecast that PostgreSQL would
>> > fare better with no owner-constrained-by-RLS capability. Even so, others want
>> > it, and FORCE ROW SECURITY would deliver it with an acceptable risk profile.
>>
>> I've attached a patch to implement it. It's not fully polished but it's
>> sufficient for comment, I believe. Additional comments, documentation
>> and regression tests are to be added, if we have agreement on the
>> grammer and implementation approach.
>
> This patch has FORCE ROW LEVEL SECURITY take precedence over row_security=off,
> which thwarts pg_dump use of row_security=off to ensure dump completeness.

Yeah, I think that's NOT ok.

> Should this be a table-level flag, or should it be a policy-level flag? A
> policy-level flag is more powerful. If nobody really anticipates using that
> power, this table-level flag works for me.

Either works for me.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company