From: | Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com> |
---|---|
To: | Joe Conway <mail(at)joeconway(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Noah Misch <noah(at)leadboat(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: row_security GUC, BYPASSRLS |
Date: | 2015-09-15 19:18:21 |
Message-ID: | CAKRt6CQ8S3rhMVhCzGMz-z9k0j_HH172goTbdYJhgLs9NL4dEg@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Tue, Sep 15, 2015 at 2:26 PM, Joe Conway <mail(at)joeconway(dot)com> wrote:
> On 09/15/2015 12:53 PM, Tom Lane wrote:
>> Joe Conway <mail(at)joeconway(dot)com> writes:
>>> There are use cases where row_security=force will be set in production
>>> environments, not only in testing.
>>
>> What cases, exactly, and is there another way to solve those problems?
>> I concur with Noah's feeling that allowing security behavior to depend on
>> a GUC is risky.
>
> There are environments where there is a strong desire to use RLS to
> control access in production, even for table owners and superusers.
> Obviously there are more steps needed to completely achieve this level
> of control, but removing the ability to force row security is going in
> the wrong direction. Noah's suggestion of using a per table attribute
> would work -- in fact I like the idea of that better than using the
> current GUC.
FWIW, I also concur with a per table attribute for this purpose. In
fact, I think I really like the per-table flexibility over an
'all-or-nothing' approach better too.
I do, however, think that it makes it a bit more difficult for
testing, specifically, I'm not sure how much I like the idea of
'altering' a table so that it can be tested, but that might a price
worth paying for security sake.
I could also see a potential gap in such approach. Specifically, I
could see a case were there are two separate roles, one that is
entrusted with defining the policies but not able to create/modify
tables, and one with the opposite capability (I understand this to be
a fairly common use-case, at least at a system level). Since you
can't GRANT 'alter' rights to the table, then obviously the policy
definer would have to either be the owner of the table or a member of
the role that owns it, right? Given that, if by definition the policy
definer is not allowed to do anything other than define policies, then
obviously putting such a role in the table owners group would allow it
to do much more, correct?
-Adam
--
Adam Brightwell - adam(dot)brightwell(at)crunchydatasolutions(dot)com
Database Engineer - www.crunchydatasolutions.com
From | Date | Subject | |
---|---|---|---|
Next Message | Jesper Pedersen | 2015-09-15 19:30:02 | Re: Additional LWLOCK_STATS statistics |
Previous Message | Robert Haas | 2015-09-15 19:11:18 | Re: Additional LWLOCK_STATS statistics |