Re: Multi-tenancy with RLS

From: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>, Joe Conway <mail(at)joeconway(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Multi-tenancy with RLS
Date: 2016-02-09 20:20:50
Message-ID: 56BA4A22.4010002@commandprompt.com
Lists: pgsql-hackers

On 02/09/2016 12:05 PM, Robert Haas wrote:

> That's true. But I should also have an expectation that running
> pg_dump won't trigger arbitrary code execution, which is why by
> default, pg_dump sets row_security to OFF. That way, if a row
> security policy applies, I get an error rather than an incomplete,
> possibly-invalid dump (and arbitrary code execution on the server
> side). If I'm OK with doing the dump subject to row security, I can
> rerun with --enable-row-security. But this proposal would force
> non-superusers to always use that option, and that's not a good idea.
>

If I understand correctly, what we are talking about here is:

1. If RLS is enabled and a non-super user issues a pg_dump, it will
error unless I issue --enable-row-security

2. If RLS is not enabled and a non-super user issues a pg_dump, the
behavior is basically what it is now.

3. If RLS is enabled or not and I am a super user, it doesn't matter
either way.

From my perspective, I should not have to enable row security as a
non-super user to take a pg_dump. It should just work for what I am
allowed to see. In other words:

pg_dump -U $non-super_user

Should just work, period.

Sincerely,

Joshua D. Drake

--
Command Prompt, Inc. http://the.postgres.company/
+1-503-667-4564
PostgreSQL Centered full stack support, consulting and development.
Everyone appreciates your honesty, until you are honest with them.
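
The following is an added example, not part of the original message or of any post in the thread. It shows in plain SQL the row_security behavior being debated: the setting pg_dump uses by default, and the one it uses with --enable-row-security. The table, role and policy names (tenant_docs, tenant_a, tenant_isolation) are hypothetical, and the rows are constructed sample data; run the setup as a superuser in a scratch database.

```sql
-- Setup (constructed sample data; all object names are hypothetical).
CREATE ROLE tenant_a LOGIN;
CREATE TABLE tenant_docs (
    id     int  PRIMARY KEY,
    tenant text NOT NULL,
    body   text
);
INSERT INTO tenant_docs VALUES
    (1, 'tenant_a', 'row owned by tenant_a'),
    (2, 'tenant_b', 'row owned by another tenant');

-- Enable RLS and restrict each role to its own rows. The USING
-- expression is evaluated in the session of whoever runs the query,
-- which is why a policy that calls a function matters to the person
-- running the dump.
ALTER TABLE tenant_docs ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON tenant_docs
    FOR SELECT USING (tenant = current_user);
GRANT SELECT ON tenant_docs TO tenant_a;

-- Act as the non-superuser, non-owner role.
SET ROLE tenant_a;

-- Case 1: what pg_dump does by default (row_security = off).
-- Because a policy would apply to this role, the statement fails with
-- an error instead of returning a filtered, incomplete result.
SET row_security = off;
SELECT * FROM tenant_docs;

-- Case 2: what pg_dump does with --enable-row-security.
-- The policy is applied and only the rows it permits are returned,
-- so a dump taken this way contains just tenant_a's rows.
SET row_security = on;
SELECT * FROM tenant_docs;

-- Cleanup.
RESET row_security;
RESET ROLE;
DROP TABLE tenant_docs;
DROP ROLE tenant_a;
```

Superusers and roles with BYPASSRLS are not subject to the policy, which corresponds to point 3 in the message above.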
