Re: Using views for row-level access control is leaky

Simon Riggs wrote:
> On Fri, 2009-10-23 at 10:04 -0400, Tom Lane wrote:
> > Simon Riggs <simon@2ndQuadrant.com> writes:
> > > On Fri, 2009-10-23 at 19:38 +0900, KaiGai Kohei wrote:
> > >> Sorry, what is happen if function is marked as "plan security"?
> > 
> > > I was suggesting an intelligent default by which we could determine
> > > function marking implicitly, if it was not explicitly stated on the
> > > CREATE FUNCTION.
> > 
> > The thought that's been in the back of my mind is that you could solve
> > 99% of the performance problem if you trusted all builtin functions and
> > nothing else.  This avoids the question of who gets to mark functions
> > as trustable.
> 
> That is a very good default. My experience is that those 1% of cases are
> responsible for 99% of wasted time, so the ability to specify things for
> user functions is critical. If we make user extensibility second rate we
> will force solutions to be second rate also. (e.g. where would PostGIS
> be without type-specific analyze functions?).

Added to TODO:
Prevent low-cost functions from seeing unauthorized view rows

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.comPG East:  http://www.enterprisedb.com/community/nav-pg-east-2010.do + If your life is a hard
drive,Christ can be your backup. +