From: Andres Freund <andres(at)anarazel(dot)de>
To: pgsql-hackers(at)lists(dot)postgresql(dot)org, Damien Clochard <damien(at)dalibo(dot)info>
Subject: Re: Security Label Inheritance
Date: 2025-02-25 09:34:16
Message-ID: E715622A-04DE-49E3-A7F2-2E68067ACFEF@anarazel.de
Lists: pgsql-hackers
Hi,
On February 25, 2025 10:08:44 AM GMT+01:00, Damien Clochard <damien(at)dalibo(dot)info> wrote:
>So my first question is: Do you think it would be helpful to update the SECURITY LABEL command documentation to clarify that security labels are not concerned by object inheritance?
Couldn't hurt.
>My second question is more open: do you think it would be worth adding a new way to declare that a security label applies to an object and all its inheritants? As I understand this would concern only roles and tables.
>
>Maybe a new optional `[ [WITH] INHERIT | NOINHERIT ]` syntax at the end of the SECURITY LABEL command...
>
>Something like this :
>
>SECURITY LABEL FOR anon ON ROLE extern IS 'MASKED' WITH INHERIT;
>
>SECURITY LABEL FOR anon ON COLUMN people.name
> IS 'MASKED WITH VALUE NULL'
> WITH INHERIT;
>
>The default would be NOINHERIT and all extensions that rely on the current behaviour would continue to work without any change.
I doubt that is viable. That'd mean we somehow need to teach the label infrastructure about all kinds of inheritance *and* make that recursive label collection fast. The caching right now uses generic infrastructure, it certainly couldn't with inheritance support. That'd be a fair bit of infrastructure.
Greetings,
Andres
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
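The behaviour the thread is about, shown as an added example that is not part of either message and is not code from the PostgreSQL project or the PostgreSQL Anonymizer project: a label placed on a parent table's column, and on a role, is recorded only for that object, and a child table created with INHERITS or a role that is a member of the labelled role gets no label of its own. The example assumes the `anon` label provider from Damien's message is installed and accepts the labels `MASKED` and `MASKED WITH VALUE NULL`; the table, column and role names are made up for the illustration. It also goes beyond the thread by showing a manual workaround, a DO block that copies a column label to every existing child table, which is the kind of per-object scripting an extension or DBA has to do today because the label catalog knows nothing about inheritance.

```sql
-- Assumption: the anon extension (label provider "anon") is installed in this database.
CREATE EXTENSION IF NOT EXISTS anon CASCADE;

-- Hypothetical objects for the demonstration.
CREATE TABLE people (id int PRIMARY KEY, name text);
CREATE TABLE people_archive (archived_on date) INHERITS (people);

CREATE ROLE extern NOLOGIN;
CREATE ROLE extern_bob LOGIN IN ROLE extern;

-- Labels are attached to exactly one object each.
SECURITY LABEL FOR anon ON COLUMN people.name IS 'MASKED WITH VALUE NULL';
SECURITY LABEL FOR anon ON ROLE extern IS 'MASKED';

-- Check the catalog: one row for people.name, none for people_archive.name;
-- one row for role extern, none for extern_bob. Role membership and table
-- inheritance are invisible to pg_seclabel / pg_shseclabel.
SELECT objtype, objname, objsubid, label
  FROM pg_seclabels
 WHERE provider = 'anon'
 ORDER BY objtype, objname;

-- Workaround: copy every anon column label on table "people" to the same-named
-- column of each direct child. Columns are matched by name, not attnum, since a
-- child's attribute numbers can differ from the parent's after ALTER TABLE.
DO $$
DECLARE
  r record;
BEGIN
  FOR r IN
    SELECT i.inhrelid::regclass AS child,   -- schema-qualified where needed
           a.attname,
           l.label
      FROM pg_seclabel  l
      JOIN pg_attribute a ON a.attrelid = l.objoid AND a.attnum = l.objsubid
      JOIN pg_inherits  i ON i.inhparent = l.objoid
     WHERE l.provider = 'anon'
       AND l.classoid = 'pg_class'::regclass
       AND l.objsubid > 0                    -- column labels only
       AND l.objoid   = 'people'::regclass
  LOOP
    EXECUTE format('SECURITY LABEL FOR anon ON COLUMN %s.%I IS %L',
                   r.child, r.attname, r.label);
  END LOOP;
END
$$;

-- Re-run the catalog query: people_archive.name now carries its own label row.
SELECT objtype, objname, objsubid, label
  FROM pg_seclabels
 WHERE provider = 'anon' AND objtype = 'column'
 ORDER BY objname;
```

Two caveats a practitioner should keep in mind. The copy is a point-in-time operation: a child table created after the DO block runs, or a new member granted into `extern`, starts with no label, so any such script has to be re-run (or hooked into a DDL event trigger) to stay in sync. And SECURITY LABEL on a column requires ownership of the table, so the script must run as the owner or a superuser; it does not bypass the per-object privilege check that applying the label by hand would face.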