On Mon, Jan 4, 2016 at 8:34 PM, Amit Langote <langote_amit...@lab.ntt.co.jp> wrote: > On 2016/01/04 14:43, Haribabu Kommi wrote: >>> >>> Here I attached new series of patches with a slightly different approach. >>> Instead of creating the policies on the system catalog tables whenever >>> the catalog security command is executed, just enable row level security >>> on the system catalog tables. During the relation build, in >>> RelationBuildRowSecurity function, if it is a system relation, frame the >>> policy using the policy query which we earlier used to create by parsing it. >>> >>> With the above approach, in case of any problems in the policy, to use >>> the corrected policy, user just needs to replace the binaries. whereas in >>> earlier approach, either pg_upgrade or disabling and enabling of catalog >>> security is required. >>> >>> Currently it is changed only for shared system catalog tables and also the >>> way of enabling catalog security on shared system catalog tables is through >>> initdb only. This also can be changed later. I will do similar changes for >>> remaining catalog tables. >>> >>> Any comments on the approach? >> >> Instead of creating policies during the "alter database" command for database >> catalog tables, generating at relation building is leading to an >> infinite recursion >> loop because of transformExpr call for the qual. Any ideas to handle the >> same? > > I tried your latest patch to see what may have caused the infinite > recursion. The recursion occurs during backend startup itself, right? > > ISTM, doing transformWhereClause during RelationCacheInitializePhase3() > would not work. Things like operators, functions within the policy qual > require namespace lookup which down the line would call > RelationBuildRowSecurity for pg_namespace build and so on thus causing the > infinite recursion. Perhaps, it would have to be done in a separate phase > after the phase 3 but I'm not sure.
Thanks for the test. Yes, the issue happens at backend startup itself. I will give a try by separating the initialization of security policies after init phase 3. > I wonder why do the policy quals need to be built from scratch every time > in RelationBuildRowSecurity for system tables (shared or otherwise)? Why > not just read from the pg_policy catalog like regular relations if ALTER > DATABASE CATALOG SECURITY TRUE already created those entries? Maybe I > missing something though. Yes, creating policies at start and using them every time when relation is building works until there is no problem is found in the policies. The row level security policies on catalog tables are created automatically when user enables catalog security, so user don't have any control on these policies. In case if we found any problem in these policies, later if we want to correct them, for shared system catalog tables policies user needs to do a pg_upgrade to correct them. And for the other catalog tables, user needs to disable and enable the catalog security on all databases. Instead of the above, if we built the policy at run time always for catalog tables, user can just replace binaries with latest works. Currently it is working fine for shared system catalog tables. I will give a try by separating RelationBuildRowSecurity from init phase 3. Regards, Hari Babu Fujitsu Australia -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
