From: | Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> |
---|---|
To: | Florian Pflug <fgp(at)phlo(dot)org> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [v9.3] Row-Level Security |
Date: | 2012-06-27 12:23:12 |
Message-ID: | CADyhKSXF21V_B066hC0dnYw=08ZiPRBK6Ay==SzTWSQTmtuLuw@mail.gmail.com |
Lists: | pgsql-hackers |
2012/6/27 Florian Pflug <fgp(at)phlo(dot)org>:
> On Jun27, 2012, at 07:18 , Kohei KaiGai wrote:
>> The problem is the way to implement it.
>> If we would have permission checks on planner stage, it cannot handle
>> a case when user-id would be switched prior to executor stage, thus
>> it needs some remedy to handle the scenario correctly.
>> Instead of a unique plan per query, it might be a solution to generate
>> multiple plans depending on user-id, and choose a proper one in
>> executor stage.
>>
>> Which type of implementation is what everybody is asking for?
>
> I think you need to
>
> a) Determine the user-id at planning time, and insert the matching
> RLS clause
>
> b1) Either re-plan the query if the user-id changes between planning
> and execution time, which means making the user-id a part of the
> plan-cache key.
>
> b2) Or decree that for RLS purposes, it's the user-id at planning time,
> not execution time, that counts.
>
My preference is b1, because the b2 approach takes user-visible changes
in the concept of permission checks.
Probably, the plan cache should also be invalidated when a user's property
is modified or a grant/revoke is issued, in addition to the table itself.
Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
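
Added example, not part of the original message and not PostgreSQL code: a toy Python model of the plan cache discussed above, showing a cache keyed on the query alone next to option b1 (user-id in the cache key) and the invalidation on grant/revoke. The class, table rows, user names and grants are all constructed for illustration.

```python
# Toy model, not PostgreSQL code. All names and data are constructed.
ROWS = [("alice", "a-1"), ("bob", "b-1"), ("alice", "a-2")]  # (owner, payload)

class PlanCache:
    def __init__(self, grants, user_in_key):
        self.grants = grants            # user -> owners whose rows the user may see
        self.user_in_key = user_in_key  # True models option b1
        self.plans = {}
        self.plan_count = 0

    def invalidate(self):
        """Call on GRANT/REVOKE or when a user's properties change."""
        self.plans.clear()

    def _plan(self, user):
        # Step (a): resolve the user-id at planning time and bake in the RLS clause.
        self.plan_count += 1
        visible = frozenset(self.grants[user])
        return lambda owner: owner in visible

    def execute(self, query, user):
        key = (query, user) if self.user_in_key else query
        if key not in self.plans:
            self.plans[key] = self._plan(user)
        qual = self.plans[key]
        return [payload for owner, payload in ROWS if qual(owner)]

def demo():
    q = "SELECT payload FROM t"
    out = {}
    naive = PlanCache({"alice": {"alice"}, "bob": {"alice", "bob"}}, user_in_key=False)
    naive.execute(q, "bob")                           # planned as bob
    out["naive_alice"] = naive.execute(q, "alice")    # reuses bob's clause: leak
    b1 = PlanCache({"alice": {"alice"}, "bob": {"alice", "bob"}}, user_in_key=True)
    b1.execute(q, "bob")
    out["b1_alice"] = b1.execute(q, "alice")          # re-planned for alice
    b1.execute(q, "bob")                              # cache hit, no re-plan
    out["b1_plans"] = b1.plan_count
    b1.grants["bob"].discard("alice")                 # REVOKE without invalidation
    out["stale_bob"] = b1.execute(q, "bob")
    b1.invalidate()
    out["fresh_bob"] = b1.execute(q, "bob")
    return out

if __name__ == "__main__":
    print(demo())
```
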