Re: Improving RLS planning
| От | Robert Haas |
|---|---|
| Тема | Re: Improving RLS planning |
| Дата | |
| Msg-id | CA+TgmobnmekW5f=RQhO9ZFn9vOWYC24dmZFamj8bZLpn9xW69Q@mail.gmail.com обсуждение исходный текст |
| Ответ на | Improving RLS planning (Tom Lane <tgl@sss.pgh.pa.us>) |
| Ответы |
Re: Improving RLS planning
|
| Список | pgsql-hackers |
On Tue, Oct 25, 2016 at 5:58 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote: > The alternative I'm now thinking about pursuing is to get rid of the > conversion of RLS quals to subqueries. Instead, we can label individual > qual clauses with security precedence markings. Concretely, suppose we > add an "int security_level" field to struct RestrictInfo. The semantics > of this would be that a qual with a lower security_level value must be > evaluated before a qual with a higher security_level value, unless the > latter qual is leakproof. (It would likely also behoove us to add a > "leakproof" bool field to struct RestrictInfo, to avoid duplicate > leakproof-ness checks on quals. But that's just an optimization.) > > In the initial implementation, quals coming from a RangeTblEntry's > securityQuals field would have security_level 0, quals coming from > anywhere else would have security_level 1; except that if we know > there are no security quals anywhere (ie not Query->hasRowSecurity), > we could give all quals security_level 0. (I think this exception > may be worth making because there's no need to test leakproofness > for a qual with security level 0; it could never be a candidate > for security delay anyway.) > > Having done that much, I think all we need in order to get rid of > RLS subqueries, and just stick RLS quals into their relation's > baserestrictinfo list, are two rules: > > 1. When selecting potential indexquals, a RestrictInfo can be considered > for indexqual use only if it is leakproof or has security_level <= the > minimum among the table's baserestrictinfo clauses. > > 2. In order_qual_clauses, sort first by security_level and second by cost. This might work for RLS policies, if they can only reference a single table, but I can't see how it's going to work for security barrier views. For example, consider CREATE VIEW v WITH (security_barrier) AS SELECT * FROM x, y WHERE x.a = y.a followed by SELECT * FROM v WHERE leak(somefield). somefield is necessarily coming from either x or y, and you can't let it be passed to leak() except for rows where the join qual has been satisfied. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
В списке pgsql-hackers по дате отправления: