Re: [RFC] Interface of Row Level Security

From: Alastair Turner <bell(at)ctrlf5(dot)co(dot)za>
To: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Florian Pflug <fgp(at)phlo(dot)org>, PgHacker <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [RFC] Interface of Row Level Security
Date: 2012-05-27 19:32:57
Message-ID: CAFgq2fVGGASf9XmSChkoTXUVtDGh9jn6BOtuFYwwP-M5j9wy8g@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Excerpts from Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote on Fri, May 25,
2012 at 11:08 PM:
> If we assume RLS is applied when user has
> no privileges on tables, the current ExecCheckRTEPerms()
> always raises an error towards unprivileged users, prior to
> execution of queries.
> Isn't it preferable behavior to allow unprivileged users to
> reference a table (or columns) when it has RLS policy?
>
Rather than assuming the the RLS checks will be applied when there are
no privileges it would make sense to regard RLS as a limitation on the
scope of a particular privilege. This makes RLS a property of a
particular grant of a privilege rather than of the table. Viewed this
way it is possible to control which users are subject to restrictions
imposed by the RLS function, which will avoid RLS overhead for
operations which don't require it while allowing checks for those that
do, provide a mechanism exempting object owners from RLS checks and
make it possible to avoid pg_dump calling user defined code.

This suggests an alternative declaration syntax, to use the salesman example:

GRANT SELECT ON TABLE client_detail TO super_sales_group;
GRANT SELECT TABLE ON client_detail TO limited_sales_group WITH
(QUALIFICATION FUNCTION sales_view_check);

and since more easily usable security features will be used more
effectively, a possible future inlining of the condition:

GRANT SELECT ON TABLE client_detail TO limited_sales_group WHERE
sales_rep = my_sales_rep();

Regards,

Alastair.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2012-05-27 19:53:35 Re: Backends stalled in 'startup' state: index corruption
Previous Message Peter Eisentraut 2012-05-27 18:53:50 Re: Per-Database Roles