Re: Multi-tenancy with RLS

On 02/09/2016 11:47 AM, Robert Haas wrote:
> On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost <sfrost@snowman.net> wrote:
>>> Whereupon you'd have no certainty that what you got represented a
>>> complete dump of your own data.
>>
>> It would be a dump of what you're allowed to see, rather than an error
>> saying you couldn't dump something you couldn't see, which is the
>> alternative we're talking about here.  Even if you've got a dependency
>> to something-or-other, if you don't have access to it, then you're
>> going to get an error.
>
> I think you're dismissing Tom's concerns far too lightly.  The
> row_security=off mode, which is the default, becomes unusable for
> non-superusers under this proposal.  That's bad.  And if you switch to
> the other mode, then you might accidentally fail to get all of the
> data in some table you're trying to back up.  That's bad too: that's
> why it isn't the default.  There's a big difference between saying
> "I'm OK with not dumping the tables I can't see" and "I'm OK with not
> dumping all of the data in some table I *can* see".

I don't grok what you're saying here. If I, as a non-superuser could
somehow see all the rows in a table just by running pg_dump, including
rows that I could not normally see due to RLS policies, *that* would be
bad. I should have no expectation of being able to dump rows I can't
normally see.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development