Re: leaky views, yet again
Greg Stark <gsstark@mit.edu>
From: Greg Stark <gsstark@mit.edu>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, KaiGai Kohei <kaigai@kaigai.gr.jp>, KaiGai Kohei <kaigai@ak.jp.nec.com>, Itagaki Takahiro <itagaki.takahiro@gmail.com>, Heikki Linnakangas <heikki.linnakangas@enterprisedb.com>, pgsql-hackers@postgresql.org
Date: 2010-10-05T18:08:15Z
Lists: pgsql-hackers
On Tue, Oct 5, 2010 at 11:01 AM, Robert Haas <robertmhaas@gmail.com> wrote: > Well, the only thing I've ever wanted to do this for was to allow > sales reps to see their own customers but not the customers of other > sales reps (because if they could pull our complete customer list, > then once they left and went to work for $COMPETITOR they'd start > trying to pick off our customers; of course, we couldn't prevent them > from maintaining a list of their own customers, and no doubt they knew > who some of the other customers were, but they couldn't just dump out > the complete list from the database). I agree it's hopeless to > prevent all side-channel leaks, but I'd describe the goal like this: > > Prevent access to the actual tuple contents of the hidden rows. Though I find it unlikely the sales people would have direct access to run arbitrary SQL -- let alone create custom functions. If the users that have select access on the view don't have DDL access doesn't that make them leak-proof for those users? -- greg