Re: How to get SE-PostgreSQL acceptable

Robert Haas wrote:
> On Wed, Jan 28, 2009 at 6:57 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Hmm. If that's the expected application environment then the patch as
> > proposed has fatal performance problems anyway, for lack of a way to
> > get rid of no-longer-referenced pg_security rows. We had been led to
> > understand that there wouldn't be all that many distinct labels in use,
> > but this seems to imply that there are going to be $bignum of them.
> > That changes pg_security leakage from a can-live-with-for-first-cut
> > issue to a must-fix-to-be-credible issue.
>
> It's worth noting that this is yet another thing that is mostly a
> problem in the context of row-level security. It seems to me that if
> security labels are only applied to tables and columns, then it will
> be possible to scan the whole database relatively quickly and find all
> the labels that are still in use, probably without breaking a sweat.
> On the other hand, when you have row-level security, it gets a lot
> harder.

If we are not labeling every row, why not just use a TEXT column without
using an OID to reference pg_security; there aren't that places,
pg_class, pg_attribute, etc, i.e. they are not on every data row.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +