| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, Simon Riggs <simon(at)2ndquadrant(dot)com>, Joshua Brindle <method(at)manicmethod(dot)com>, Ron Mayer <rm_pg(at)cheapcomplexdevices(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Merlin Moncure <mmoncure(at)gmail(dot)com>, "Jonah H(dot) Harris" <jonah(dot)harris(at)gmail(dot)com>, Gregory Stark <stark(at)enterprisedb(dot)com>, Bernd Helmle <mailings(at)oopsware(dot)de>, Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: 8.4 release planning |
| Date: | 2009-01-28 22:39:45 |
| Message-ID: | 200901282239.n0SMdj403217@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > On Tue, Jan 27, 2009 at 12:52 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> >> Right, but you expect that to be a small and predictable cost, say in
> >> the single-digits-percentage range. Plan optimizations that
> >> suddenly stop happening can cost you multiple orders of magnitude.
>
> > Well, look at it another way. If we don't accept row-level security
> > into PostgreSQL, then people will have to implement it themselves. In
> > fact, I currently have a real application that does exactly this. The
> > row-filtering is done, in essence, by having the web application add
> > certain conditions to the WHERE clause of certain queries depending on
> > which user is making the request. And if those WHERE clauses happen
> > to mention columns from table X, then table X won't be a candidate for
> > join removal. The only difference is that the logic is in my app
> > rather than in the database itself.
>
> > To put that another way, row-level permissions are just another
> > attribute of a table that could potentially affect the query result,
> > and the impact of referring to that attribute will be exactly the same
> > as the impact of referring to any other attribute in that table.
>
> The flaw in that argument is that as you are doing it, the
> de-optimization only happens on queries that actually need the behavior.
> As the SEPostgres patch is constructed, the planner could *never* trust
> an FK for optimization since it would have no way to know whether row
> level permissions might be present (perhaps only for some rows) at
> execution time. You could only get back the optimization in builds with
> SEPostgres compiled out. That's pretty nasty, especially for packagers
> who have to decide which build setting will displease fewer users.
I am afraid that SQL-level row permissions would also cause that
problem, and I thought they were enabled by default. (The configure
flag --enable-selinux only controls SE-Linux support.)
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2009-01-28 22:40:26 | Re: Output filter for psql |
| Previous Message | Ron Mayer | 2009-01-28 22:25:20 | Re: How to get SE-PostgreSQL acceptable |