Re: Multi-tenancy with RLS

From: Joe Conway <mail(at)joeconway(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>
Cc: "Joshua D(dot) Drake" <jd(at)commandprompt(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Multi-tenancy with RLS
Date: 2016-02-09 21:10:27
Message-ID: 56BA55C3.9010902@joeconway.com
Lists: pgsql-hackers

On 02/09/2016 12:47 PM, Robert Haas wrote:
> On Tue, Feb 9, 2016 at 3:28 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> JD,
>>
>> * Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
>>> pg_dump -U $non-super_user
>>>
>>> Should just work, period.
>>
>> That ship has sailed already, where you're running a pg_dump against
>> objects you don't own and which have RLS enabled on them.
>
> But you'll get an error rather than an incomplete dump, and you won't
> run some code that you didn't want to run. Those distinctions matter.

From the perspective of that unprivileged user, the dump is not
incomplete -- it is exactly as complete as it is supposed to be.

Personally I don't buy that the current situation is a good thing. I
know that the "ship has sailed" and regret not having participated in
the earlier discussions, but I agree with JD here -- the unprivileged
user should not have to even think about whether RLS exists, they should
only see what they have been allowed to see by the privileged users (and
in the context of their own objects, owners are privileged). I don't
think an unprivileged user should get to decide what code runs in order
to make that happen.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
