Re: Review of Row Level Security
Kohei KaiGai <kaigai@kaigai.gr.jp>
From: Kohei KaiGai <kaigai@kaigai.gr.jp>
To: Simon Riggs <simon@2ndquadrant.com>
Cc: PostgreSQL-development <pgsql-hackers@postgresql.org>, Robert Haas <robertmhaas@gmail.com>
Date: 2012-12-09T06:08:31Z
Lists: pgsql-hackers
2012/12/7 Simon Riggs <simon@2ndquadrant.com>: > On 5 December 2012 11:16, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote: > >>> * TRUNCATE works, and allows you to remove all rows of a table, even >>> ones you can't see to run a DELETE on. Er... >>> >> It was my oversight. My preference is to rewrite TRUNCATE command >> with DELETE statement in case when row-security policy is active on >> the target table. >> In this case, a NOTICE message may be helpful for users not to assume >> the table is always empty after the command. > > I think the default must be to throw an ERROR, since part of the > contract with TRUNCATE is that it is fast and removes storage. > OK. Does the default imply you are suggesting configurable behavior using GUC or something? I think both of the behaviors are reasonable from security point of view, as long as user cannot remove unprivileged rows. Thanks, -- KaiGai Kohei <kaigai@kaigai.gr.jp>