On 14.01.2020 17:40, Tom Lane wrote:
Konstantin Knizhnik <k.knizh...@postgrespro.ru> writes:
Right now changing policies (create/alter policy statements) requires
exclusive lock of target table:

I wonder why do we really need exclusive lock here?
Because it affects the behavior of a SELECT.

May be I missed something, but why we can not rely on standard MVCC
visibility rules for pg_policy table?
We cannot have a situation where the schema details of a table might
change midway through planning/execution of a statement.  The results
are unlikely to be as clean as "you get either the old behavior or the
new one", because that sequence might examine the details more than
once.  Also, even if you cleanly get the old behavior, that's hardly
satisfactory.  Consider

Session 1                        Session 2

alter policy ... on t1 ...;
insert new data into t1;

                                  begin planning SELECT on t1;


                                  begin executing SELECT on t1;

With your proposal, session 2 would see the new data in t1
(because the executor takes a fresh snapshot) but it would not
be affected by the new policy.  That's a security failure,
and it's one that does not happen today.

Thank you for explanation.
But let me ask you one more question: why do we obtaining snapshot twice in exec_simple_query: first for analyze (pg_analyze_and_rewrite) and one for execution (PortalStart)? GetSnapshotData is quite expensive operation and the fact that we are calling it twice for each query execution (with read committed isolation level) seems to be strange. Also the problem in scenario you have described above is caused by using different snapshots by planner and executor. If them will share the same snapshot,
then there should be no security violation, right?

Konstantin Knizhnik
Postgres Professional: http://www.postgrespro.com
The Russian Postgres Company

Reply via email to