| From: | Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com> |
|---|---|
| To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Joe Conway <mail(at)joeconway(dot)com>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Multi-tenancy with RLS |
| Date: | 2016-02-09 21:09:37 |
| Message-ID: | CAEZATCUCUZyVYS4gBEDY2+QOgBLg70S99KrfYVGNo2x3jHa_PA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 9 February 2016 at 19:47, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> I think you're dismissing Tom's concerns far too lightly. The
> row_security=off mode, which is the default, becomes unusable for
> non-superusers under this proposal. That's bad. And if you switch to
> the other mode, then you might accidentally fail to get all of the
> data in some table you're trying to back up. That's bad too: that's
> why it isn't the default. There's a big difference between saying
> "I'm OK with not dumping the tables I can't see" and "I'm OK with not
> dumping all of the data in some table I *can* see".
>
> It seems to me that there's a big difference between policies we ship
> out of the box and policies that are created be users: specifically,
> the former can be assumed benign, while the latter can't. I think
> that difference matters here, although I'm not sure exactly where to
> go with it.
>
It sounds like there needs to be a separate system_row_security
setting that controls RLS on the system catalogs, and that it should
be on by default in pg_dump.
Regards,
Dean
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Joe Conway | 2016-02-09 21:10:27 | Re: Multi-tenancy with RLS |
| Previous Message | Stephen Frost | 2016-02-09 21:07:21 | Re: Multi-tenancy with RLS |