2014-07-09 15:07 GMT+09:00 Stephen Frost <sfr...@snowman.net>:
> KaiGai,
> * Kohei KaiGai (kai...@kaigai.gr.jp) wrote:
>> What I'd like to implement is adjustment of query like:
>>   SELECT * FROM t1 WHERE (x like '%abc%') AND (quals by built-in RLS)
>>           AND (quals by extension-1) AND ... AND (quals by extension-N);
>> I never mind even if qualifiers in the second block are connected with OR'd
>> manner, however, I want RLS infrastructure to accept additional security
>> models provided by extensions.
> Would having a table-level 'AND'-vs-'OR' modifier for the RLS policies
> on that table be sufficient for what you're looking for?  That seems a
> simple enough addition which would still allow more complex groups to be
> developed later on...
Probably, things I'm considering is more simple.
If a table has multiple built-in RLS policies, its expression node will be
represented as a BoolExpr with OR_EXPR and every policies are linked
to its args field, isn't it? We assume the built-in RLS model merges
multiple policies by OR manner.
In case when an extension want to apply additional security model on
top of RLS infrastructure, a straightforward way is to add its own rules
in addition to the built-in rules. If extension can get control to modify
the above expression node and RLS infrastructure works well on the
modified expression node, I think it's sufficient to implement multiple
security models on the RLS infrastructure.

KaiGai Kohei <kai...@kaigai.gr.jp>

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to