Re: Multi-tenancy with RLS

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Multi-tenancy with RLS
Date: 2016-02-09 21:07:21
Message-ID: 20160209210721.GK3331@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

JD,

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> On 02/09/2016 12:28 PM, Stephen Frost wrote:
> >* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> >>pg_dump -U $non-super_user
> >>
> >>Should just work, period.
> >
> >That ship has sailed already, where you're running a pg_dump against
> >objects you don't own and which have RLS enabled on them.
>
> Just to be clear, what I was suggesting is that pg_dump would just
> work (and RLS would properly execute) or in other words, I shouldn't
> have to tell pg_dump to enable row security else throw an error. If
> RLS is enabled, then the backup just runs with appropriate
> permissions.
>
> Or am I missing something?

You do have to tell pg_dump to enable RLS if you want it to be enabled
when performing a pg_dump. There's multiple reasons for this, the first
being that, otherwise, you might get an incomplete dump, and secondly,
you might execute a function that some untrusted user wrote and included
in their RLS policy. We want to avoid both of those, unless you've
specifically asked for it to be done. That's why row_security is set to
'off' by pg_dump by default.

Thanks!

Stephen

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Dean Rasheed 2016-02-09 21:09:37 Re: Multi-tenancy with RLS
Previous Message Joshua D. Drake 2016-02-09 21:04:01 Re: Multi-tenancy with RLS