Skip site navigation (1) Skip section navigation (2)

Re: [0/4] Proposal of SE-PostgreSQL patches

From: Greg Smith <gsmith(at)gregsmith(dot)com>
To: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
Subject: Re: [0/4] Proposal of SE-PostgreSQL patches
Date: 2008-05-01 06:32:05
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackerspgsql-patches
On Wed, 30 Apr 2008, KaiGai Kohei wrote:

> [1/4] sepostgresql-pgace-8.4devel-3-r739.patch
>      provides PGACE (PostgreSQL Access Control Extension) framework.

For those overwhelmed by sheer volume here, this is the patch to start 
with, because it's got all the core changes to the server.  I'm also in 
the camp that would like to see this feature added, but rather than just 
giving it a +1 I started looking at it.

The overall code is nice:  easy to understand, structured modularly.  I 
have some concerns though.  The first two things that jump out at me on an 
initial review appear right from the beginning for those who want to take 
a look:

-I'm a bit unnerved by both the performance and reliability implications 
from how the security check calls are done in every case, even if there is 
no SELinux support included.  Those checks are sitting in some pretty low 
level tuple and heap calls.

The approach taken here is to put all the "#ifdef" logic into the 
underlying ACE interface (see patch [2/4]), so that the caller doesn't 
have to care.  If SELinux support is off then the calls turns into

   void x(y) {} or
   bool a(b) { return true; }

This is a very clean design, but it's putting extra (possibly optimized 
away) calls into a lot of places.  While it would be uglier, it might make 
sense to put that on/off logic in all the places where the calls are made, 
so that when you turn SELinux support off most of the code really does go 
completely away rather than just turning into stubs.

-The only error reporting and handling method used is "elog(ERROR,...". 
That seems a bit heavy handed for something that can be expected to happen 
all the time.

If I understand this correctly, when you're scanning a table with 1000 
rows where you're only allowed to see 50% of them, that's going to be 500 
call to elog(), one for each tuple you can't see.  Having a tuple get 
screened out isn't really an error per se, and while I can see how 
sensitive installs would want those all reported there are others where 
this volume of log activity would be too much.  Just because someone with 
classified clearance is looking at a big table that also has a lot of 
secret info in it, not all installs will want a million errors reported 
just because there's data that person can't see available.

At a minimum, this needs some finer log control, and maybe a rethinking 
altogether of how to handle error cases.

* Greg Smith gsmith(at)gregsmith(dot)com Baltimore, MD

In response to


pgsql-hackers by date

Next:From: Gregory StarkDate: 2008-05-01 10:52:20
Subject: Re: [0/4] Proposal of SE-PostgreSQL patches
Previous:From: Greg SmithDate: 2008-05-01 03:24:26
Subject: Re: [0/4] Proposal of SE-PostgreSQL patches

pgsql-patches by date

Next:From: H.HaradaDate: 2008-05-01 07:36:15
Subject: Re: temporal version of generate_series()
Previous:From: Pavel StehuleDate: 2008-05-01 05:02:39
Subject: Re: temporal version of generate_series()

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group