On Wed, 10 Apr 2024 at 23:51, Tom Lane <t...@sss.pgh.pa.us> wrote: > Is it really necessary for Citus' filter to be a security qual rather > than a plain ol' filter condition?
No, it's not. I think using security quals simply required the least amount of code (and it worked just fine if you didn't have lots of tables). I created a PR for Citus to address this issue[1] by changing to a normal filter condition. Thanks a lot for pointing me in the right direction to fix this. > That is, as long as the derived condition is leakproof, there's no > reason not to let it go before the security qual. We're probably > failing to consider generating derived quals for anything that isn't > qualified to become an indexqual, and this example shows that that's > leaving money on the table. I think even though my immediate is fixed, I think this would be a good improvement anyway. [1]: https://github.com/citusdata/citus/pull/7577
