| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Joe Conway <mail(at)joeconway(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Multi-tenancy with RLS |
| Date: | 2016-01-15 16:34:55 |
| Message-ID: | 21659.1452875695@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Stephen Frost <sfrost(at)snowman(dot)net> writes:
> * Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
>> However, by "not that much trouble" I only mean getting an implementation
>> that works and doesn't create more security problems than it fixes.
>> Usability is still likely to be a huge problem. In particular it seems
>> likely that any attempt to actually put RLS policies on the catalogs would
>> completely destroy the ability to run pg_dump except as a BYPASSRLS role.
>> That would be an unpleasant consequence.
> I don't follow how this would destroy the ability to run pg_dump.
> Ideally, we'd have a result where a user could run pg_dump without
> having to apply any filters of their own and they'd get a dump of all
> objects they're allowed to see.
You mean, other than the fact that pg_dump sets row_security = off
to ensure that what it's seeing *isn't* filtered.
The bigger picture here is that I do not think that you can just
arbitrarily exclude non-owned objects from its view and still expect to
get a valid dump; that will break dependency chains for example, possibly
leading to stuff getting output in an order that doesn't restore.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2016-01-15 16:38:21 | Re: Multi-tenancy with RLS |
| Previous Message | Shulgin, Oleksandr | 2016-01-15 16:31:39 | Re: Stream consistent snapshot via a logical decoding plugin as a series of INSERTs |