For easier reviewing, the most fundamental patch to implement PGACE (PostgreSQL
Access Control Extension) was separated into three parts.

I want to start discussion about PGACE security framework at first.
Any comments are welcome.

[1/3] PGACE core features
 
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-1-core.r713.patch

 It adds the following new files:
  - src/include/security/pgace.h
      declares all of PGACE related hooks and functions.
  - src/backend/security/pgaceHooks.c
      provides dummy functions to be invoked when no security modules are enabled.
      They don't affect anything in access control.
  - src/backend/security/pgaceCommon.c
      provides common features for every security module, including
      security-attribute system column support, SQL extension, functions to
      manage security-attribute of large object.


[2/3] Security attribute system column
 
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-2-security-attr.r713.patch

 Guest modules of PGACE can associate a security attribute with a tuple.
 The guest module can utilize this to make its decision in access control.
 (Unclassified users cannot access 'Secret' tuples, for example)
 This attribute is stored in the padding field of HeapTupleHeaderData, as
 oid does. It requires additional "sizeof(Oid)" bytes to store it.

 Users can refer to this attribute via system column.
 The name of new system column is defined as SECURITY_SYSATTR_NAME
 at include/pg_config.h.in, and the guest module decides its name.
 In SE-PostgreSQL, it is named as "security_context".

 EXAMPLE of security attribute)
    postgres=# SELECT security_context, * FROM drink;
                 security_context             | id | name  | price | alcohol
    ------------------------------------------+----+-------+-------+---------
     unconfined_u:object_r:sepgsql_table_t:s0 |  1 | water |   100 | f
     unconfined_u:object_r:sepgsql_table_t:s0 |  2 | coke  |   120 | f
     unconfined_u:object_r:sepgsql_table_t:s0 |  3 | juice |   130 | f
     system_u:object_r:sepgsql_table_t:s0:c0  |  4 | cofee |   180 | f
     system_u:object_r:sepgsql_table_t:s0:c0  |  5 | beer  |   240 | t
     system_u:object_r:sepgsql_table_t:s0:c0  |  6 | sake  |   320 | t
    (6 rows)

 We can use this security attribute as a target of UPDATE or INSERT statement.
 It enables DBA to manage security attribute with normal SQL operation.


[3/3] PGACE security hooks
 
http://sepgsql.googlecode.com/files/sepostgresql-8.4devel-pgace-3-security-hooks.r713.patch

 This patch deploys several PGACE hooks on strategic points in PostgreSQL.
 These hooks invoke a security module mounted on PGACE, and it can make its
 decision whether this action should be allowed, or not.

 The list of PGACE hooks at:
   http://code.google.com/p/sepgsql/wiki/WhatIsPGACE
 It shows us more comprehensive specification about what kind of hooks are
 provided, what information is given and what value should be returned.

  NOTE: I categorized patched files into three parts. However, some of them
        contain security attribute system column facilities and PGACE hooks
        facilities.
        In this case, I categorized these files into part 2.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[EMAIL PROTECTED]>
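
Added example, not part of the original message or of the PGACE patches: a minimal C sketch of the pattern the message describes, where a per-tuple hook is either a dummy that never denies or a guest module that decides from the tuple's security attribute. All type and function names are hypothetical, and the visibility rule is a toy stand-in for a real policy decision, not SELinux semantics; the labels are the ones in the `drink` table above.

```c
/* Added illustration: every name below is hypothetical, not the PGACE API. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef struct { int id; const char *security_context; } DemoTuple;
typedef bool (*tuple_read_hook)(const char *client_range, const DemoTuple *tup);

/* Dummy hook for "no security module enabled": never affects access. */
bool dummy_tuple_read(const char *client_range, const DemoTuple *tup)
{ (void) client_range; (void) tup; return true; }

/* Range part of a context: text after the third ':' (NULL if malformed). */
const char *context_range(const char *ctx)
{
    for (int colons = 0; ctx != NULL && *ctx != '\0'; ctx++)
        if (*ctx == ':' && ++colons == 3)
            return ctx + 1;
    return NULL;
}

/* Toy rule: the tuple's range must lead the client's; bad labels are denied. */
bool toy_tuple_read(const char *client_range, const DemoTuple *tup)
{
    const char *r = context_range(tup->security_context);
    size_t n = r ? strlen(r) : 0;
    if (n == 0 || strncmp(client_range, r, n) != 0)
        return false;                       /* fail closed */
    return client_range[n] == '\0' || client_range[n] == ':';
}

/* Count the rows a scan returns when every tuple is passed through the hook. */
size_t visible_rows(tuple_read_hook hook, const DemoTuple *rows, size_t n,
                    const char *client_range)
{
    size_t visible = 0;
    for (size_t i = 0; i < n; i++)
        if (hook(client_range, &rows[i])) visible++;
    return visible;
}

/* Labels copied from the drink table in the message. */
#define T_S0 "unconfined_u:object_r:sepgsql_table_t:s0"
#define T_C0 "system_u:object_r:sepgsql_table_t:s0:c0"
const DemoTuple drink[6] = {{1, T_S0}, {2, T_S0}, {3, T_S0},
                            {4, T_C0}, {5, T_C0}, {6, T_C0}};

int main(void)
{
    return visible_rows(toy_tuple_read, drink, 6, "s0") == 3 ? 0 : 1;
}
```

With the dummy hook all six rows are returned; with the toy module a client at range `s0` sees only rows 1 to 3, while a client at `s0:c0` sees all six.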
