Skip site navigation (1) Skip section navigation (2)

Re: security label support, revised

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
Cc: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: security label support, revised
Date: 2010-09-27 02:49:31
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
On Sat, Sep 25, 2010 at 7:04 AM, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
> * The "dummy_esp" module and regression test for SECURITY LABEL statement.
>  This module allows only four labels: "unclassified", "classified",
>  "secret" and "top secret". The later two labels can be set by only
>  superusers. The new regression test uses this "dummy_esp" module to
>  find out future regression in SECURITY LABEL statement.
> * A minimum description about external security provider at the tail
>  of Database Roles and Privileges  chapter.
> * Add pg_seclabels system view
> * Revising pg_dump/pg_dumpall
>  - '--security-label' was replaced by '--no-security-label'
>  - implemented according to the manner in comments.
>    findSecLabels() and collectSecLabels() are added to reduce number of
>    SQL queries, in addition to dumpSecLabel().

Thanks, this looks like mostly good stuff.  Here's a new version of
the patch with some bug fixes, additional regression tests, and other
cleanup.  I think this is about ready to commit.  I didn't adopt your
documentation and I renamed your contrib module from dummy_esp to
dummy_seclabel, but the rest I took more or less as you had it.  For
now, I don't want to use the term "external security provider" because
that's not really what this provides - it just provides labels.  I
initially thought that an external security provider would really turn
out to be a concept that was somewhat embedded in the system, but on
further reflection I don't think that's the case.  I think what we're
going to end up with is a collection of hooks that might happen to be
useful for security-related things, but not necessarily just those.
Anyway, I feel that it's a bit premature to document too much about
what this might do someday; the documentation already in the patch is
adequate to explain what it does now.

Robert Haas
The Enterprise Postgres Company

Attachment: seclabel-v6.patch.gz
Description: application/x-gzip (21.7 KB)

In response to


pgsql-hackers by date

Next:From: David BorehamDate: 2010-09-27 04:17:11
Subject: pg_filedump binary for CentOS
Previous:From: Tom LaneDate: 2010-09-27 02:45:20
Subject: Re: [COMMITTERS] pgsql: Still more tweaking of git_changelog.

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group