Stephen Frost <sfr...@snowman.net> writes: > * Tom Lane (t...@sss.pgh.pa.us) wrote: >> However, by "not that much trouble" I only mean getting an implementation >> that works and doesn't create more security problems than it fixes. >> Usability is still likely to be a huge problem. In particular it seems >> likely that any attempt to actually put RLS policies on the catalogs would >> completely destroy the ability to run pg_dump except as a BYPASSRLS role. >> That would be an unpleasant consequence.
> I don't follow how this would destroy the ability to run pg_dump. > Ideally, we'd have a result where a user could run pg_dump without > having to apply any filters of their own and they'd get a dump of all > objects they're allowed to see. You mean, other than the fact that pg_dump sets row_security = off to ensure that what it's seeing *isn't* filtered. The bigger picture here is that I do not think that you can just arbitrarily exclude non-owned objects from its view and still expect to get a valid dump; that will break dependency chains for example, possibly leading to stuff getting output in an order that doesn't restore. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers