From: | Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com> |
---|---|
To: | Andres Freund <andres(at)anarazel(dot)de> |
Cc: | pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Transparent column encryption |
Date: | 2023-03-29 17:08:25 |
Message-ID: | ee1429d1-a627-db6b-6e43-60491a50896e@enterprisedb.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On 29.03.23 18:24, Andres Freund wrote:
> Hi,
>
> On 2023-03-29 18:08:29 +0200, Peter Eisentraut wrote:
>> On 24.03.23 19:12, Andres Freund wrote:
>>>> I thought about this some more. I think we could get rid of attusertypmod
>>>> and just hardcode it as -1. The idea would be that if you ask for an
>>>> encrypted column of type, say, varchar(500), the server isn't able to
>>>> enforce that anyway, so we could just prohibit specifying a nondefault
>>>> typmod for encrypted columns.
>>>
>>> Why not just use typmod for the underlying typmod? It doesn't seem like
>>> encrypted datums will need that? Or are you using it for something important there?
>>
>> Yes, the typmod of encrypted types stores the encryption algorithm.
>
> Why isn't that an attribute of pg_colenckey, given that attcek has been added
> to pg_attribute?
One might think that, but the precedent in other equivalent systems is
that you reference the key and the algorithm separately. There is some
(admittedly not very conclusive) discussion about this near [0].
>> (Also, mixing a type with the typmod of another type is weird in a variety
>> of ways, so this is a quite clean solution.)
>
> It's not an unrelated type though. It's the actual typmod of the column we're
> talking about.
What I mean is that various parts of the system think that typid+typmod
make sense together. If the typmod actually refers to usertypid, well,
the code doesn't know that, so who knows what happens.
Also, with the current proposal, the system is internally consistent:
pg_encrypted_* can actually look at their own typmod and verify their
own input values that way, which is what a typmod is for. This just
works out of the box.
> I find it a lot less clean to make all non-CEK uses of
> pg_attribute pay the price of storing three new fields.
With the proposed removal of usertypmod, it's only two fields: the link
to the key and the user-facing type.
From | Date | Subject | |
---|---|---|---|
Next Message | Jonathan S. Katz | 2023-03-29 17:17:33 | Re: Doc: Rework contrib appendix -- informative titles, tweaked sentences |
Previous Message | Karl O. Pinc | 2023-03-29 17:07:38 | Re: Doc: Rework contrib appendix -- informative titles, tweaked sentences |