Re: Prohibit row-security + inheritance in 9.4?
| От | Yeb Havinga |
|---|---|
| Тема | Re: Prohibit row-security + inheritance in 9.4? |
| Дата | |
| Msg-id | 52EBB9AC.8020604@mgrid.net обсуждение исходный текст |
| Ответ на | Re: Prohibit row-security + inheritance in 9.4? (Stephen Frost <sfrost@snowman.net>) |
| Список | pgsql-hackers |
On 2014-01-31 15:10, Stephen Frost wrote: > * Craig Ringer (craig@2ndquadrant.com) wrote: >> On 01/31/2014 09:01 AM, Stephen Frost wrote: >> The only case prevented is one where access to the child via the parent >> shows rows that the parent's row-security qual would hide, because the >> child's qual doesn't. > It makes absolutely zero sense, in my head anyway, to have rows returned > when querying the parent which should NOT be returned based on the quals > of the parent. IMHO, there is another way to implement this, other than the procedure to override the child-rel-quals with the ones from the parent. At DDL time, synchronize quals on the parent with rls quals of the childs. Isn't this also what happens with constraints? Then during expansion of the range table, no code is needed to ignore child rls quals and copy parent rels to child rels. Also, the security policy applied would be invariant to the route through which the rows were accessed: - directly to the child row: child rls quals and parent quals (by propagate at ddl) are applied. - through the parent: child rls quals and parent quals applied. regards, Yeb Havinga
В списке pgsql-hackers по дате отправления: