From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Joe Conway <mail(at)joeconway(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Haribabu Kommi <kommi(dot)haribabu(at)gmail(dot)com>, Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Multi-tenancy with RLS |
Date: | 2016-02-09 20:05:14 |
Message-ID: | CA+TgmobNPEmYTyX4JKDEfu7fxnuGz0=pqgagmDSB3CGD91aeZA@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Feb 9, 2016 at 3:01 PM, Joe Conway <mail(at)joeconway(dot)com> wrote:
> On 02/09/2016 11:47 AM, Robert Haas wrote:
>> On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>>>> Whereupon you'd have no certainty that what you got represented a
>>>> complete dump of your own data.
>>>
>>> It would be a dump of what you're allowed to see, rather than an error
>>> saying you couldn't dump something you couldn't see, which is the
>>> alternative we're talking about here. Even if you've got a dependency
>>> to something-or-other, if you don't have access to it, then you're
>>> going to get an error.
>>
>> I think you're dismissing Tom's concerns far too lightly. The
>> row_security=off mode, which is the default, becomes unusable for
>> non-superusers under this proposal. That's bad. And if you switch to
>> the other mode, then you might accidentally fail to get all of the
>> data in some table you're trying to back up. That's bad too: that's
>> why it isn't the default. There's a big difference between saying
>> "I'm OK with not dumping the tables I can't see" and "I'm OK with not
>> dumping all of the data in some table I *can* see".
>
> I don't grok what you're saying here. If I, as a non-superuser could
> somehow see all the rows in a table just by running pg_dump, including
> rows that I could not normally see due to RLS policies, *that* would be
> bad. I should have no expectation of being able to dump rows I can't
> normally see.
That's true. But I should also have an expectation that running
pg_dump won't trigger arbitrary code execution, which is why by
default, pg_dump sets row_security to OFF. That way, if a row
security policy applies, I get an error rather than an incomplete,
possibly-invalid dump (and arbitrary code execution on the server
side). If I'm OK with doing the dump subject to row security, I can
rerun with --enable-row-security. But this proposal would force
non-superusers to always use that option, and that's not a good idea.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Josh Kupershmidt | 2016-02-09 20:09:56 | Re: proposal: make NOTIFY list de-duplication optional |
Previous Message | Tom Lane | 2016-02-09 20:05:01 | Re: Tracing down buildfarm "postmaster does not shut down" failures |