| From: | Joshua Brindle <method(at)manicmethod(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, Stephen Frost <sfrost(at)snowman(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: How to get SE-PostgreSQL acceptable |
| Date: | 2009-01-28 18:49:21 |
| Message-ID: | 4980A8B1.5030304@manicmethod.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
> Joshua Brindle <method(at)manicmethod(dot)com> writes:
>> I'm not sure how much it would cut to remove row level access
>> controls, but I do have some points here. To me, row level access
>> controls are the most important part, this is the feature that lets us
>> put secret and top secret data in the same table and use the clients
>> selinux context to decide what they can see,
>
> For me, the row-level access controls are really the sticking point.
> There is absolutely nothing you can say that will convince me that they
> don't break SQL in fundamental ways, and I also don't believe that it's
> going to be possible to implement them without a constant stream of bugs
> of omission and commission. (Those two points are not unrelated.)
>
This isn't going to be something that the vast majority of your users use. The
people that need them understand the ramifications of row filtering and the
absence of inaccessible rows won't be surprising.
> Now that you've admitted that you aren't trying to accomplish the
> equivalent sort of data hiding within the filesystem, the argument that
We apply access controls on reading and writing files, this is equivalent (in my
mind) to applying access controls on tuples, as they are the structured object
holding data (just like files).
> you have to have them seems fairly weak, certainly not strong enough to
> justify the costs. We have already touched on some ways that you can
The costs are nil for people who don't want this feature.
> accomplish similar goals with just table- and column-level access
> permissions, which are well understood and don't violate anyone's
I've already pointed out how table and column level access control don't provide
enough. Holding data of multiple classifications in a single table is something
of great concern. Unmodified applications need to be able to query out of a
table and get the data they are cleared to see. Column level access control
doesn't help because those same applications, of course, will need access to the
data in those columns.
Splitting data into different tables isn't an option in many cases because
applications aren't always configurable wrt to the database or tables they use.
Further, clients of multiple clearances should be able to use the same
application, and we can not trust the application to make the decision as to
which database or table is correct.
And even further, maintaining multiple sets of databases or tables that hold the
same kinds of information (and therefore have the same schema) is a maintenance,
backup and restoration issue.
> expectations. There's probably a need to twiddle our permissions rules
> for inheritance/partitioning cases, but that was already on the table
> anyway for other reasons.
>
partitions don't help because, once again, the application would be making the
determination about which partition to query. For mandatory access control that
we need in the kind of environments to work the application doesn't get to make
security relevant decisions, the database holds the data and needs to say who
can access it.
Further, partitioning isn't fine grained. I can't say user X can read secret
rows and read/write top secret rows and get that data out in a transparent way
(the applications would have to be aware of the partitions). Relabeling of data
also looks like a challenge with partitions (if I correctly understand how they
work).
> I could be persuaded to get behind a patch that does Peter's step #1
> (ie, use SELinux permissions as an additional filter for existing SQL
> permission checks). I don't believe I will ever think that row-level
> checks are a good idea; as long as those are in the patch I will vote
> against applying it.
>
We've already used postgresql in sensitive environments and had to make
compromises because of the lack of fine grained access control. We've been
telling customers for years that we hope postgresql will have said access
controls in the future and that it will help them solve many of the problems
they have.
We've been enthusiastic about the work KaiGai has been doing with respect to the
environments we operate in and it would be a shame for all that to be discarded.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | D'Arcy J.M. Cain | 2009-01-28 18:51:06 | Re: Output filter for psql |
| Previous Message | Robert Haas | 2009-01-28 18:28:09 | Re: pg_upgrade project status |