Skip site navigation (1) Skip section navigation (2)

Re: [COMMITTERS] pgsql: Add a hook in ExecCheckRTPerms().

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Simon Riggs <simon(at)2ndquadrant(dot)com>, Robert Haas <rhaas(at)postgresql(dot)org>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: [COMMITTERS] pgsql: Add a hook in ExecCheckRTPerms().
Date: 2010-07-09 17:33:26
Message-ID: AANLkTinv3Wt0-bhazFODx40_M9uOEHhnoMht8RPM4bHT@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-committerspgsql-hackers
On Fri, Jul 9, 2010 at 1:21 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Simon Riggs <simon(at)2ndQuadrant(dot)com> writes:
>> On Fri, 2010-07-09 at 11:09 -0400, Tom Lane wrote:
>>> Simon Riggs <simon(at)2ndQuadrant(dot)com> writes:
>>>> Strangely, I was looking into removing the ExecCheckRTPerms check
>>>> altogether by forcing plan invalidation when permissions are updated.
>>>> That would be a performance tweak that would render this change useless.
>>>
>>> That seems both pointless and wrong.  Permissions checks should happen
>>> at execution time not plan time.
>
>> Agreed that permission checks should logically be applied at execution
>> time. I am proposing a performance optimisation, not a change in
>> behaviour.
>
> Except that it *is* a change in behavior: the first check will occur too
> soon.

You might be able to get around this by doing the first check on first
use of the plan and then going and marking all the plans as needing a
recheck whenever a permissions change happens.  Whether the
performance savings are sufficient to justify such a thing is another
matter.

> The fact that we're interested in adding plugin permissions checking
> pretty much destroys the idea anyway.  You cannot assume that a plan
> cache invalidation will happen for any change in external state that
> a plugin might be consulting.

This is certainly true, but I also wonder what SE-PostgreSQL plans to
do about this.  Taking this to its logical exteme, the system security
policy could change in mid-query - and while you'd like to think that
the system would stop emitting tuples on a dime, that's probably not
too feasible in practice.  I am assuming that SE-PostgreSQL will want
to do some kind of caching, but I wonder how one decides what to cache
and for how long, and whether there's any mechanism for propagating
cache invalidations.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company

In response to

Responses

pgsql-hackers by date

Next:From: Simon RiggsDate: 2010-07-09 17:38:52
Subject: Re: [COMMITTERS] pgsql: Add a hook in ExecCheckRTPerms().
Previous:From: Stephen FrostDate: 2010-07-09 17:28:26
Subject: Re: [COMMITTERS] pgsql: Add a hook in ExecCheckRTPerms().

pgsql-committers by date

Next:From: Simon RiggsDate: 2010-07-09 17:38:52
Subject: Re: [COMMITTERS] pgsql: Add a hook in ExecCheckRTPerms().
Previous:From: Stephen FrostDate: 2010-07-09 17:28:26
Subject: Re: [COMMITTERS] pgsql: Add a hook in ExecCheckRTPerms().

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group