Re: security label support, part.2

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: security label support, part.2
Date: 2010-07-23 12:47:02
Message-ID: AANLkTikUR_TcxDguiDeocD7LsO1eQ3OxbgzmHy1CmUAR@mail.gmail.com
Lists: pgsql-hackers

On Fri, Jul 23, 2010 at 8:32 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
>> I don't understand why we wouldn't be able to support multiple
>> providers for row-level security.  Why do you think that's a problem?
>
> My guess would be that he's concerned about only having space in the
> tuple header for 1 label.  I see two answers- only allow 1 provider for
> a given relation (doesn't strike me as a horrible limitation), or handle
> labels as extra columns where you could have more than one.

I think we've been pretty clear in previous discussions that any
row-level security implementation should be a general one, and
SE-Linux or whatever can integrate with that to do what it needs to
do. So I'm pretty sure we'll be using regular columns rather than
cramming anything into the tuple header. There are pretty substantial
performance benefits to such an implementation, as well.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company
