Re: [v9.2] Fix leaky-view problem, part 2

On Fri, Jul 8, 2011 at 4:57 PM, Noah Misch <noah(at)2ndquadrant(dot)com> wrote:
> Note that it does not matter whether we're actually doing an index scan -- a seq
> scan with a filter using only leakproof operators is equally acceptable.  What I
> had in mind was to enumerate all operators in operator classes of indexes below
> each security view.  Those become the leak-free operators for that security
> view.  If the operator for an OpExpr is considered leak-free by all sources of
> its operands, then we may push it down.  That's purely a high-level sketch: I
> haven't considered implementation concerns in any detail.  The resulting
> behavior could be surprising: adding an index may change a plan without the new
> plan actually using the index.
>
> I lean toward favoring the pg_proc flag.  Functions like "texteq" will be taken
> as leakproof even if no involved table has an index on a text column.  It works
> for functions that will never take a place in an operator class, like
> length(text).  When a user reports a qualifier not getting pushed down, the
> answer is much more satisfying: "Run 'CREATE OR REPLACE FUNCTION
> ... I_DONT_LEAK' as a superuser."  Compare to "Define an operator class that
> includes the function, if needed, and create an otherwise-useless index."  The
> main disadvantage I see is the loss of policy locality.  Only a superuser (or
> maybe database owner?) can create or modify declared-leakproof functions, and
> that decision applies throughout the database.  However, I think the other
> advantages clearly outweigh that loss.

This strikes me as a fairly compelling refutation of Heikki's proposed approach.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company