|From:||Pierre Ducroquet <p(dot)psql(at)pinaraf(dot)info>|
|Cc:||Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>|
|Subject:||Re: Row Level Security − leakproof-ness and performance implications|
|Views:||Raw Message | Whole Thread | Download mbox | Resend email|
On Wednesday, February 20, 2019 5:24:17 PM CET Tom Lane wrote:
> Pierre Ducroquet <p(dot)psql(at)pinaraf(dot)info> writes:
> > For simple functions like enum_eq/enum_ne, marking them leakproof is an
> > obvious fix (patch attached to this email, including also textin/textout).
> This is not nearly as "obvious" as you think. See prior discussions,
> Up to now we've taken a very strict definition of what leakproofness
> means; as Noah stated, if a function can throw errors for some inputs,
> it's not considered leakproof, even if those inputs should never be
> encountered in practice. Most of the things we've been willing to
> mark leakproof are straight-line code that demonstrably can't throw
> any errors at all.
> The previous thread seemed to have consensus that the hazards in
> text_cmp and friends were narrow enough that nobody had a practical
> problem with marking them leakproof --- but we couldn't define an
> objective policy statement that would allow making such decisions,
> so nothing's been changed as yet. I think it is important to have
> an articulable policy about this, not just a seat-of-the-pants
> conclusion about the risk level in a particular function.
> regards, tom lane
I undestand these decisions, but it makes RLS quite fragile, with numerous un-
documented side-effects. In order to save difficulties from future users, I
wrote this patch to the documentation, listing the biggest restrictions I hit
with RLS so far.
|Next Message||MikalaiKeida||2019-02-21 15:01:26||RE: Timeout parameters|
|Previous Message||Amit Kapila||2019-02-21 14:37:46||Re: WIP: Avoid creation of the free space map for small tables|