Re: Add support for restrictive RLS policies
Alvaro Herrera <alvherre@2ndquadrant.com>
From: Alvaro Herrera <alvherre@2ndquadrant.com>
To: Stephen Frost <sfrost@snowman.net>
Cc: Robert Haas <robertmhaas@gmail.com>, Thom Brown <thom@linux.com>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2016-09-08T19:21:57Z
Lists: pgsql-hackers
Stephen Frost wrote: > Greetings! > > * Stephen Frost (sfrost@snowman.net) wrote: > > Based on Robert's suggestion and using Thom's verbiage, I've tested this > > out: > > > > CREATE POLICY pol ON tab AS [PERMISSIVE|RESTRICTIVE] ... Can't you keep those words as Sconst or something (DefElems?) until the execution phase, so that they don't need to be keywords at all? I'm fairly sure we do that kind of thing elsewhere. Besides, that let you throw errors such as "keyword 'foobarive' not recognized" instead of a generic "syntax error" if the user enters a bogus permissivity (?) keyword. Is the permissive/restrictive dichotomy enough to support all interesting use cases? What I think is the equivalent concept in PAM uses required/requisite/sufficient/optional as possibilities, which allows for finer grained control. Even there that's just the historical interface, and the replacement syntax has more gadgets. -- Álvaro Herrera http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Commits
-
Add support for restrictive RLS policies
- 093129c9d9fc 10.0 landed
-
Include <sys/select.h> where needed
- 51c3e9fade76 10.0 cited
-
Apply table and domain CHECK constraints in name order.
- e5f455f59fed 9.5.0 cited