Re: [v9.2] SECURITY LABEL on shared database object
| От | Robert Haas |
|---|---|
| Тема | Re: [v9.2] SECURITY LABEL on shared database object |
| Дата | |
| Msg-id | BANLkTinPT2i0kQcmcOzpgRQ5=4UKK6Hpjw@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: [v9.2] SECURITY LABEL on shared database object (Kohei KaiGai <kaigai@kaigai.gr.jp>) |
| Ответы |
Re: [v9.2] SECURITY LABEL on shared database object
|
| Список | pgsql-hackers |
On Mon, Jun 13, 2011 at 1:40 PM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote: > 2011/6/13 Robert Haas <robertmhaas@gmail.com>: >> On Mon, Jun 13, 2011 at 12:24 PM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote: >>> The attached patch is an update revision of security label support >>> for shared database objects. >> >> I'm kind of unexcited about this whole idea. Adding a shared catalog >> for a feature that's only of interest to a small percentage of our >> user population seems unfortunate. >> >> Are there any other possible approaches to this problem? >> > If unexcited about the new shared catalog, one possible idea > is to add a new field to pg_database, pg_tablespace and > pg_authid to store security labels? > > The reason why we had pg_seclabel is to avoid massive amount > of modifications to system catalog. But only 3 catalogs to be > modified to support security label on shared object. I guess maybe my real question here is - what do you plan to do with those security labels, from a security perspective? For example: roles. The user's security contect AIUI is passed over from the remote side; his DAC role doesn't even enter into it from a MAC perspective. Or does it? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
В списке pgsql-hackers по дате отправления: