From: | Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Multi-tenancy with RLS |
Date: | 2015-12-30 00:28:24 |
Message-ID: | CAJrrPGd6-ebJucunkCPLAoF0tcXGsuWogzt70oe193YyFYZqkg@mail.gmail.com |
Lists: | pgsql-hackers |
On Thu, Dec 17, 2015 at 12:46 PM, Haribabu Kommi
<kommi(dot)haribabu(at)gmail(dot)com> wrote:
> Rebased patch is attached as it is having an OID conflict with the
> latest set of changes
> in the master branch.

Here I have attached a new series of patches with a slightly different approach.
Instead of creating the policies on the system catalog tables whenever
the catalog security command is executed, just enable row level security
on the system catalog tables. During the relation build, in the
RelationBuildRowSecurity function, if it is a system relation, frame the
policy using the policy query which we earlier used to create by parsing it.

With the above approach, in case of any problems in the policy, to use
the corrected policy, the user just needs to replace the binaries, whereas in
the earlier approach, either pg_upgrade or disabling and enabling of catalog
security is required.

Currently it is changed only for shared system catalog tables and also the
way of enabling catalog security on shared system catalog tables is through
initdb only. This also can be changed later. I will do similar changes for
the remaining catalog tables.

Any comments on the approach?

Regards,
Hari Babu
Fujitsu Australia

Attachment | Content-Type | Size |
---|---|---|
3_shared_catalog_tenancy_v2.patch | application/octet-stream | 18.8 KB |
1_any_privilege_option_v2.patch | application/octet-stream | 5.3 KB |
2_view_security_definer_v2.patch | application/octet-stream | 12.9 KB |