Re: Multi-tenancy with RLS

Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> However, by "not that much trouble" I only mean getting an implementation
>> that works and doesn't create more security problems than it fixes.
>> Usability is still likely to be a huge problem.  In particular it seems
>> likely that any attempt to actually put RLS policies on the catalogs would
>> completely destroy the ability to run pg_dump except as a BYPASSRLS role.
>> That would be an unpleasant consequence.

> I don't follow how this would destroy the ability to run pg_dump.
> Ideally, we'd have a result where a user could run pg_dump without
> having to apply any filters of their own and they'd get a dump of all
> objects they're allowed to see.

You mean, other than the fact that pg_dump sets row_security = off
to ensure that what it's seeing *isn't* filtered.

The bigger picture here is that I do not think that you can just
arbitrarily exclude non-owned objects from its view and still expect to
get a valid dump; that will break dependency chains for example, possibly
leading to stuff getting output in an order that doesn't restore.
        regards, tom lane