* Craig Ringer (cr...@2ndquadrant.com) wrote: > On 06/11/2014 02:19 AM, Tom Lane wrote: > > Hm ... I'm not following why we'd need a special case for superusers and > > not anyone else? Seems like any useful RLS scheme is going to require > > more privilege levels than just superuser and not-superuser. > > What it really needs is to invalidate plans when switching between > RLS-enabled and RLS-exempt users, yes. I'm sure we'll want an "RLS > exempt" right or mode sooner rather than later, so I'm against tying > this explicitly to superuser as such.
That certainly sounds reasonable to me, but the point is we're just looking to see if the current role executing the plan should or should not have RLS applied and, if it's changing, we need to re-plan. We don't need to actually track an independent plan for each and every user executing the plan, which means that the plan cache can be largely left alone. > I wouldn't be surprised to see > > SET ROW SECURITY ON|OFF > > down the track, with a right controlling whether you can or not. Or at > least, a right that directly exempts a user from row security. Agreed, but doing a re-planning in that case seems reasonable to me. I find it pretty unlikely that there will be a lot of critical path cases of the same plan flipping back and forth between a role for which RLS is applied and a role where it shouldn't be. > > Could we put the "if superuser then ok" test into the RLS condition test > > and thereby not need more than one plan at all? > > Only if we put it in another level of security barrier subquery, because > otherwise the planner might execute the other quals (including possible > user defined functions) before the superuser test. Which was the whole > reason for the superuser test in the first place. Yeah, I'm not a big fan of this and it certainly seems a simpler approach to just force a re-plan. We're talking about a query which has been prepared and then is being executed by different roles, some of which are RLS enabled and some which are RLS exempt. That just strikes me as pretty unlikely to happen and if it does become an issue, a user could work around it by having two different plans prepared and making sure that they are called from the appropriate roles to avoid the replanning. Thanks, Stephen
Description: Digital signature