Re: Multi-tenancy with RLS
| От | Robert Haas |
|---|---|
| Тема | Re: Multi-tenancy with RLS |
| Дата | |
| Msg-id | CA+TgmobNPEmYTyX4JKDEfu7fxnuGz0=pqgagmDSB3CGD91aeZA@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: Multi-tenancy with RLS (Joe Conway <mail@joeconway.com>) |
| Ответы |
Re: Multi-tenancy with RLS
Re: Multi-tenancy with RLS |
| Список | pgsql-hackers |
On Tue, Feb 9, 2016 at 3:01 PM, Joe Conway <mail@joeconway.com> wrote: > On 02/09/2016 11:47 AM, Robert Haas wrote: >> On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost <sfrost@snowman.net> wrote: >>>> Whereupon you'd have no certainty that what you got represented a >>>> complete dump of your own data. >>> >>> It would be a dump of what you're allowed to see, rather than an error >>> saying you couldn't dump something you couldn't see, which is the >>> alternative we're talking about here. Even if you've got a dependency >>> to something-or-other, if you don't have access to it, then you're >>> going to get an error. >> >> I think you're dismissing Tom's concerns far too lightly. The >> row_security=off mode, which is the default, becomes unusable for >> non-superusers under this proposal. That's bad. And if you switch to >> the other mode, then you might accidentally fail to get all of the >> data in some table you're trying to back up. That's bad too: that's >> why it isn't the default. There's a big difference between saying >> "I'm OK with not dumping the tables I can't see" and "I'm OK with not >> dumping all of the data in some table I *can* see". > > I don't grok what you're saying here. If I, as a non-superuser could > somehow see all the rows in a table just by running pg_dump, including > rows that I could not normally see due to RLS policies, *that* would be > bad. I should have no expectation of being able to dump rows I can't > normally see. That's true. But I should also have an expectation that running pg_dump won't trigger arbitrary code execution, which is why by default, pg_dump sets row_security to OFF. That way, if a row security policy applies, I get an error rather than an incomplete, possibly-invalid dump (and arbitrary code execution on the server side). If I'm OK with doing the dump subject to row security, I can rerun with --enable-row-security. But this proposal would force non-superusers to always use that option, and that's not a good idea. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
В списке pgsql-hackers по дате отправления: