Re: [RFC] Interface of Row Level Security

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Alastair Turner <bell(at)ctrlf5(dot)co(dot)za>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [RFC] Interface of Row Level Security
Date: 2012-05-23 20:04:50
Message-ID: CADyhKSXJ9UWy6haf5vyRT6EHn8r0FN9vEAGaBWSk3whCkeVx0A@mail.gmail.com
Lists: pgsql-hackers

2012/5/23 Alastair Turner <bell(at)ctrlf5(dot)co(dot)za>:
> On Wed, May 23, 2012 at 5:09 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> writes:
>>> Let me have a discussion to get preferable interface for row-level security.
>>> My planned feature will perform to append additional conditions to WHERE
>>> clause implicitly, to restrict tuples being visible for the current user.
>>> For example, when row-level policy "uname = getpgusername()" is configured
>>> on the table T1, the following query:
>>>     select * from T1 where X > 20;
>>> should be rewritten to:
>>>     select * from T1 where (X > 20) AND (uname = getpgusername());
>>
>> Hm.  Simple and fairly noninvasive, but ... would this not be subject to
>> the same sorts of information-leak hazards that were addressed in the
>> "security views" feature?  That is, I see no guarantee that the RLS
>> condition will be evaluated before any conditions supplied by the user.
>> So it seems easy to get information out of rows the RLS policy is
>> supposed to prevent access to.  It would be far more secure to just
>> use a security view to apply the RLS condition.
>
> Since adding a condition to the where clause is a relatively simple
> operation (compared to the full potential scope of a view) could the
> RLS rewrite of the query create a CTE with the additional condition[s]
> rather than adding condition[s] to the user-supplied query? This would
> provide the forced ordering of the evaluating the conditions, thereby
> avoiding many of the potential points of leakage.
>
An interesting idea. However, I cannot imagine how it works on
update or delete statements.

For select statements, it will get better performance to rewrite a reference
to a particular table as a subquery with the security_barrier flag rather than a CTE,
because that allows leakproof functions to be pushed down.

Could you tell me your idea in more detail?
An example will help me understand well.

Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
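The three rewrite shapes discussed above (policy appended to the user's WHERE clause, a security_barrier view, and a CTE), together with the evaluation-order hazard Tom Lane raises, written out as a constructed PostgreSQL example. This is added illustration, not code from the thread or from the RLS patch: the table t1, the columns secret/x/uname, the views t1_plain/t1_secure and the function peek() are all assumed names; getpgusername() is the policy function used in the thread.

```sql
-- Constructed sample data (not from the thread).
CREATE TABLE t1 (x int, uname text, secret text);
INSERT INTO t1 VALUES (10, 'alice', 'a-secret'), (30, 'bob', 'b-secret');

-- 1. Naive rewrite: the policy is appended to the user's WHERE clause.
--    Nothing forces (uname = getpgusername()) to run before (x > 20);
--    a cheap user-supplied qual may be evaluated first.
SELECT * FROM t1 WHERE (x > 20) AND (uname = getpgusername());

-- A cheap, non-LEAKPROOF function that reports every row it is called on.
-- It stands in for any user qual whose side effects or errors reveal data.
CREATE FUNCTION peek(text) RETURNS boolean AS $$
BEGIN
  RAISE NOTICE 'peek saw %', $1;
  RETURN true;
END $$ LANGUAGE plpgsql COST 1;

-- Ordinary view: the planner may push peek() down into the scan of t1,
-- so rows the policy should hide are still handed to peek() first.
CREATE VIEW t1_plain AS
  SELECT * FROM t1 WHERE uname = getpgusername();
SELECT * FROM t1_plain WHERE peek(secret);

-- 2. security_barrier view (PostgreSQL 9.2): user quals stay outside the
--    barrier. Only functions/operators marked LEAKPROOF (such as the
--    built-in int4 comparison behind x > 20) may be pushed inside it.
CREATE VIEW t1_secure WITH (security_barrier) AS
  SELECT * FROM t1 WHERE uname = getpgusername();
SELECT * FROM t1_secure WHERE peek(secret);   -- peek() sees only permitted rows

-- 3. CTE form proposed in the thread: the policy runs first, but no user
--    qual at all is pushed into the CTE, so x > 20 is applied only to the
--    CTE's output. (On PostgreSQL 12+ write "AS MATERIALIZED" to keep the fence.)
WITH t1_rls AS (SELECT * FROM t1 WHERE uname = getpgusername())
SELECT * FROM t1_rls WHERE x > 20;

-- Check the ordering rather than assume it: the policy qual should appear
-- at the scan of t1 and peek() in a Subquery Scan filter above it.
EXPLAIN (COSTS OFF) SELECT * FROM t1_plain  WHERE peek(secret);
EXPLAIN (COSTS OFF) SELECT * FROM t1_secure WHERE peek(secret);
EXPLAIN (COSTS OFF) SELECT * FROM t1_secure WHERE x > 20;   -- leakproof qual pushed down
```

Reading the plans side by side shows the trade-off the message is about: the plain view lets peek() run against hidden rows, the barrier view keeps it outside while still pushing the leakproof x > 20 into the scan, and the CTE blocks both kinds of pushdown, which is the performance cost KaiGai points to.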
