On 9 February 2016 at 19:47, Robert Haas <robertmh...@gmail.com> wrote: > I think you're dismissing Tom's concerns far too lightly. The > row_security=off mode, which is the default, becomes unusable for > non-superusers under this proposal. That's bad. And if you switch to > the other mode, then you might accidentally fail to get all of the > data in some table you're trying to back up. That's bad too: that's > why it isn't the default. There's a big difference between saying > "I'm OK with not dumping the tables I can't see" and "I'm OK with not > dumping all of the data in some table I *can* see". > > It seems to me that there's a big difference between policies we ship > out of the box and policies that are created be users: specifically, > the former can be assumed benign, while the latter can't. I think > that difference matters here, although I'm not sure exactly where to > go with it. >
It sounds like there needs to be a separate system_row_security setting that controls RLS on the system catalogs, and that it should be on by default in pg_dump. Regards, Dean -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
