Re: Multi-tenancy with RLS

From: Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>
To: Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Multi-tenancy with RLS
Date: 2016-01-06 01:17:46
Message-ID: CAJrrPGe9=KvDyk5T0Y942egGeTP7QwpYoig0mfzi=SfU6mH_Nw@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Mon, Jan 4, 2016 at 10:43 PM, Haribabu Kommi
<kommi(dot)haribabu(at)gmail(dot)com> wrote:
> On Mon, Jan 4, 2016 at 8:34 PM, Amit Langote
> <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp> wrote:
>>
>> I tried your latest patch to see what may have caused the infinite
>> recursion. The recursion occurs during backend startup itself, right?
>>
>> ISTM, doing transformWhereClause during RelationCacheInitializePhase3()
>> would not work. Things like operators, functions within the policy qual
>> require namespace lookup which down the line would call
>> RelationBuildRowSecurity for pg_namespace build and so on thus causing the
>> infinite recursion. Perhaps, it would have to be done in a separate phase
>> after the phase 3 but I'm not sure.
>
> Thanks for the test. Yes, the issue happens at backend startup itself.
> I will give a try by separating the initialization of security
> policies after init phase 3.

Here I attached updated patches with the fix of infinite recursion in
RelationBuildRowSecurity function by checking with a variable that
whether the build row security is already in progress for a system
relation or not. If it is already in progress for a relation, then it doesn't
build the row security description for this relation.

Regards,
Hari Babu
Fujitsu Australia

Attachment Content-Type Size
4_database_catalog_tenancy_v5.patch application/octet-stream 92.5 KB
3_shared_catalog_tenancy_v4.patch application/octet-stream 20.9 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2016-01-06 01:21:52 Re: Add schema-qualified relnames in constraint error messages.
Previous Message Tom Lane 2016-01-06 01:02:16 Re: pg_conversion seems rather strangely defined