Re: RLS Design

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Yeb Havinga <yeb(dot)havinga(at)portavita(dot)nl>
Subject: Re: RLS Design
Date: 2014-07-11 17:43:01
Message-ID: CA+TgmoZ7waKyitMu_sgtp6Z_xcHJd1Rsdg=DRn1HnuVEry2u0Q@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Fri, Jul 11, 2014 at 4:55 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> On Thursday, July 10, 2014, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>> On Wed, Jul 9, 2014 at 2:13 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> > Yes, this would be possible (and is nearly identical to the original
>> > patch, except that this includes per-role considerations), however, my
>> > thinking is that it'd be simpler to work with policy names rather than
>> > sets of quals, to use when mapping to roles, and they would potentially
>> > be useful later for other things (eg: for setting up which policies
>> > should be applied when, or which should be OR' or AND"d with other
>> > policies, or having groups of policies, etc).
>>
>> Hmm. I guess that's reasonable. Should the policy be a per-table
>> object (like rules, constraints, etc.) instead of a global object?
>>
>> You could do:
>>
>> ALTER TABLE table_name ADD POLICY policy_name (quals);
>> ALTER TABLE table_name POLICY FOR role_name IS policy_name;
>> ALTER TABLE table_name DROP POLICY policy_name;
>
> Right, I was thinking they would be per table as they would specifically
> provide a name for a set of quals, and quals are naturally table-specific. I
> don't see a need to have them be global- that had been brought up before
> with the notion of applications picking their policy, but we could also add
> that later through another term (eg: contexts) which would then map to
> policies or similar. We could even extend policies to be global by mapping
> existing per-table ones to be global if we really needed to...
>
> My feeling at the moment is that having them be per-table makes sense and
> we'd still have flexibility to change later if we had some compelling reason
> to do so.

I don't think you can really change it later. If policies are
per-table, then you could have a policy p1 on table t1 and also on
table t2; if they become global objects, then you can't have p1 in two
places. I hope I'm not beating a dead horse here, but changing syntax
after it's been released is very, very hard.

But that's not an argument against doing it this way; I think
per-table policies are probably simpler and better here. It means,
for example, that policies need not have their own permissions and
ownership structure - they're part of the table, just like a
constraint, trigger, or rule, and the table owner's permissions
control. I like that, and I think our users will, too.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2014-07-11 17:45:10 Re: things I learned from working on memory allocation
Previous Message Alvaro Herrera 2014-07-11 17:39:13 Re: Supporting Windows SChannel as OpenSSL replacement