Re: [RFC] PostgreSQL Access Control Extension (PGACE)
From | Josh Berkus |
---|---|
Subject | Re: [RFC] PostgreSQL Access Control Extension (PGACE) |
Date | |
Msg-id | 46255749.1090507@agliodbs.com |
In reply to | Re: [RFC] PostgreSQL Access Control Extension (PGACE) (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses |
Re: [RFC] PostgreSQL Access Control Extension (PGACE)
Re: [RFC] PostgreSQL Access Control Extension (PGACE) |
List | pgsql-hackers |
Tom, Andrew, KaiGai,

> "Andrew Dunstan" <andrew@dunslane.net> writes:
>> What's more, we have a SoC project for column level access controls. I don't see the SE stuff as a replacement for that, since it apparently exists outside the standard SQL security model.
> ... which presumably wouldn't involve any added dependency on outside code.
> For people who are already using SELinux or Trusted Solaris, making the
> database dependent on that infrastructure might be seen as a plus, but
> I'm not sure the rest of the world would be pleased.

Yes, I was thinking that this should be a compile-time option with a lot of warnings in the Docs.

Give the team some credit, though; they've managed to come up with a system that integrates OS-level ACLs for both SElinux and TxSol, are not asking us to incorporate two different sets, and are coming to us with a serious proposal that has a lot of work behind it. Please don't blow them off like they were undergrads submitting a semester project. If they need to come back after 8.3 beta so we can properly pay attention to the proposal, then say so.

> There are also
> some interesting questions about SQL spec compliance and whether a
> database that silently hides some rows from you will give semantically
> consistent results.

Yeah -- that's a potentially serious issue; KaiGai, have you looked into it?

--Josh Berkus