Re: [PATCH] Add reloption for views to enable RLS

From: Laurenz Albe <laurenz(dot)albe(at)cybertec(dot)at>
To: walther(at)technowledgy(dot)de, Christoph Heiss <christoph(dot)heiss(at)cybertec(dot)at>, pgsql-hackers(at)postgresql(dot)org
Cc: Hans-Jürgen Schönig <hs(at)cybertec(dot)at>
Subject: Re: [PATCH] Add reloption for views to enable RLS
Date: 2022-02-15 15:25:40
Message-ID: 401ce4003896ba3fb8944b9f266d388bafb6d63a.camel@cybertec.at
Lists: pgsql-hackers

On Tue, 2022-02-15 at 16:07 +0100, walther(at)technowledgy(dot)de wrote:
> Laurenz Albe:
> > > I converted the option to run_as_owner=true|false in the attached v7.
> > > It now definitely seems like the right way to move forward and get
> > > more feedback.
> > I think we are straying from the target.
> >
> > "run_as_owner" seems wrong to me, because it is all about permission
> > checking and *not* about running.  As we have established, the query
> > is always executed by the caller.
> >
> > So my preferred bikeshed colors would be "permissions_owner" or
> > "permissions_caller".
>
> My main point was the "xxx_owner = true by default" thing. Whether xxx
> is "permissions" or "run_as" doesn't change that. permissions_caller,
> however, would be a step backwards.
>
> I can see how permissions_owner is better than run_as_owner. The code
> uses checkAsUser, so check_as_owner would be an option, too. Although
> that could easily be associated with WITH CHECK OPTION. Thinking about
> that, the difference between LOCAL and CASCADED for CHECK OPTION pretty
> much sums up one of the confusing bits about the whole thing, too.
>
> Maybe "local_permissions_owner = true | false"? That would make it
> crystal-clear, that this is only about the very first permissions check
> and not about any checks later in a chain of multiple views.
>
> "local_permissions = owner | caller" could also work - as long as we're
> not using any of definer or invoker.

I don't think that "local" will make this clearer.
I'd be happy with "check_as_owner", except it is unclear *what* is checked.
"check_permissions_as_owner" is ok with me, but a bit long.

How about "check_permissions_owner"?

Yours,
Laurenz
