Re: Review of Row Level Security

Kohei KaiGai <kaigai@kaigai.gr.jp>

From: Kohei KaiGai <kaigai@kaigai.gr.jp>
To: Simon Riggs <simon@2ndquadrant.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>, Robert Haas <robertmhaas@gmail.com>
Date: 2012-12-09T06:08:31Z
Lists: pgsql-hackers
2012/12/7 Simon Riggs <simon@2ndquadrant.com>:
> On 5 December 2012 11:16, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
>
>>> * TRUNCATE works, and allows you to remove all rows of a table, even
>>> ones you can't see to run a DELETE on. Er...
>>>
>> It was my oversight. My preference is to rewrite TRUNCATE command
>> with DELETE statement in case when row-security policy is active on
>> the target table.
>> In this case, a NOTICE message may be helpful for users not to assume
>> the table is always empty after the command.
>
> I think the default must be to throw an ERROR, since part of the
> contract with TRUNCATE is that it is fast and removes storage.
>
OK. Does the default imply you are suggesting configurable
behavior using GUC or something?
I think both of the behaviors are reasonable from security point
of view, as long as user cannot remove unprivileged rows.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>