Re: [v9.3] Row-Level Security
Kohei KaiGai <kaigai@kaigai.gr.jp>
From: Kohei KaiGai <kaigai@kaigai.gr.jp>
To: Florian Pflug <fgp@phlo.org>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>, PgHacker <pgsql-hackers@postgresql.org>
Date: 2012-06-27T12:23:12Z
Lists: pgsql-hackers
2012/6/27 Florian Pflug <fgp@phlo.org>: > On Jun27, 2012, at 07:18 , Kohei KaiGai wrote: >> The problem is the way to implement it. >> If we would have permission checks on planner stage, it cannot handle >> a case when user-id would be switched prior to executor stage, thus >> it needs something remedy to handle the scenario correctly. >> Instead of a unique plan per query, it might be a solution to generate >> multiple plans depending on user-id, and choose a proper one in >> executor stage. >> >> Which type of implementation is what everybody is asking for? > > I think you need to > > a) Determine the user-id at planning time, and insert the matching > RLS clause > > b1) Either re-plan the query if the user-id changes between planning > and execution time, which means making the user-id a part of the > plan-cache key. > > b2) Or decree that for RLS purposes, it's the user-id at planning time, > not execution time, that counts. > My preference is b1, because b2 approach takes user visible changes in concepts of permission checks. Probably, plan-cache should be also invalidated when user's property was modified or grant/revoke is issued, in addition to the table itself. Thanks, -- KaiGai Kohei <kaigai@kaigai.gr.jp>