Re: Updates of SE-PostgreSQL 8.4devel patches (r1324)
| От | KaiGai Kohei |
|---|---|
| Тема | Re: Updates of SE-PostgreSQL 8.4devel patches (r1324) |
| Дата | |
| Msg-id | 494C33F3.40709@kaigai.gr.jp обсуждение исходный текст |
| Ответ на | Re: Updates of SE-PostgreSQL 8.4devel patches (r1324) (Bruce Momjian <bruce@momjian.us>) |
| Ответы |
Re: Updates of SE-PostgreSQL 8.4devel patches (r1324)
Re: Updates of SE-PostgreSQL 8.4devel patches (r1324) Re: Updates of SE-PostgreSQL 8.4devel patches (r1324) |
| Список | pgsql-hackers |
> but the auto-creation of pg_security rows does make this problematic. > regproc works because it only supports pre-created pg_proc rows. Yes, the security label has a different characteristic at the point. > Can we support two data types, one for read-only and another for > possible creation? That is not going to work for a query like > > SELECT * FROM x WHERE col != 'valid_but_new_security_label'::regseclabel; > > because the cast would fail if the pg_security row doesn't exist, but > the query itself perhaps might succeed and return rows. It has a same matter. If user cast a text into the type of possible creation, it can cause an unnecessary insertion. > Can we require joins to use pg_security directly? I wish I could think > of some magic that indicated the pg_security row should be created. We should not allow users to join them directly, and should not expose what identifier is used internally, because some of ISO/IEC15408 has requirements to export/import user data with meaningful security labels. The numeric security identifier is just an internal usage. Here is one another idea. How do you think asymmetric input/output handlers? At first, I have to introduce the current implementation. It can receives user input values as TEXT or ACLITEM[], ant these are fetched at fetchWritableSystemAttribute() on execMain.c. Please note that they have no side-effect on the prior stage. Then, it invokes rowaclSecurityAclToSid() or pgaceSecurityLabelToSid() to translate the values into security identifier. These functions can insert a new tuple into pg_security, if not found. Then, the translated security identifiers are set on the HeapTupleHeader using HeapTupleSetRowAcl() or HeapTupleSetSecLabel(). If the input handler is asymmetric, it can handle the given user input as a TEXT or ACLITEM[], and can deliver them fetchWritableSystemAttribute() as is. But asymmetric output handler can translate given security identifier into proper user visible data. However, I don't think it is a fair enough solution. :( The current implementation seems to me better. Thanks, -- KaiGai Kohei <kaigai@kaigai.gr.jp>
В списке pgsql-hackers по дате отправления: