On Tue, May 29, 2012 at 10:57 AM, Kohei KaiGai <[email protected]> wrote: > 2012/5/29 Robert Haas <[email protected]>: >> One idea might be to have a grantable permission that permits the RLS >> policy to be bypassed. So, if a user has only SELECT permission, they >> can select from the table, but the RLS policy will apply. If they >> have both SELECT and RLSBYPASS (probably not what we really want to >> call it) permission, then they can select from the table and the RLS >> policy will be skipped. This means that superusers automatically skip >> all RLS policies (which seems right) and table owners skip them by >> default (but could revoke their own privileges) and other people can >> skip them if the table owner (or the superuser) grants them the >> appropriate privilege on the table involved. >> > Isn't it unavailable to describe using RLS policy? > In case when 'alice' and 'bob' should bypass RLS policy on a certain table, > we will be able to describe it as follows: > (current_user in ('alice', 'bob') OR rls_policy_this_table(X, Y, Z)) > > I have one concern the "current_user in (...)" is not wiped out at the planner > stage, although its evaluation result is obvious prior to execution.
Yes, that's one problem with doing it that way. The fact that the superuser is not guaranteed-excluded is another; that can of course be fixed by adding a special-case hack for superusers, but IMHO this is more elegant. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list ([email protected]) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
