Re: [HACKERS] Multi-tenancy with RLS

2017-01-30 Thread Haribabu Kommi
On Mon, Dec 5, 2016 at 4:31 PM, Haribabu Kommi wrote: > > > On Mon, Oct 3, 2016 at 3:11 PM, Michael Paquier > wrote: > >> On Tue, Jul 19, 2016 at 3:42 PM, Haribabu Kommi >> wrote: >> > The above changes are based

Re: [HACKERS] Multi-tenancy with RLS

2016-12-04 Thread Haribabu Kommi
On Mon, Oct 3, 2016 at 3:11 PM, Michael Paquier wrote: > On Tue, Jul 19, 2016 at 3:42 PM, Haribabu Kommi > wrote: > > The above changes are based on my understanding to the discussion > occurred in > > this mail. In case if I miss anything,

Re: [HACKERS] Multi-tenancy with RLS

2016-10-02 Thread Michael Paquier
On Tue, Jul 19, 2016 at 3:42 PM, Haribabu Kommi wrote: > The above changes are based on my understanding to the discussion occurred in > this mail. In case if I miss anything, please let me know, i will > correct the same. The patch series still apply. +

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Stephen Frost
JD, * Joshua D. Drake (j...@commandprompt.com) wrote: > pg_dump -U $non-super_user > > Should just work, period. That ship has sailed already, where you're running a pg_dump against objects you don't own and which have RLS enabled on them. Thanks! Stephen signature.asc Description: Digital

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Joshua D. Drake
On 02/09/2016 12:05 PM, Robert Haas wrote: That's true. But I should also have an expectation that running pg_dump won't trigger arbitrary code execution, which is why by default, pg_dump sets row_security to OFF. That way, if a row security policy applies, I get an error rather than an

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Robert Haas
On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost wrote: >> Whereupon you'd have no certainty that what you got represented a >> complete dump of your own data. > > It would be a dump of what you're allowed to see, rather than an error > saying you couldn't dump something you

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Robert Haas
On Tue, Feb 9, 2016 at 3:01 PM, Joe Conway wrote: > On 02/09/2016 11:47 AM, Robert Haas wrote: >> On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost wrote: Whereupon you'd have no certainty that what you got represented a complete dump of your own

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Stephen Frost
Robert, * Robert Haas (robertmh...@gmail.com) wrote: > On Tue, Feb 9, 2016 at 3:01 PM, Joe Conway wrote: > > On 02/09/2016 11:47 AM, Robert Haas wrote: > >> On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost wrote: > Whereupon you'd have no certainty

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Dean Rasheed
On 9 February 2016 at 19:47, Robert Haas wrote: > I think you're dismissing Tom's concerns far too lightly. The > row_security=off mode, which is the default, becomes unusable for > non-superusers under this proposal. That's bad. And if you switch to > the other mode,

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Robert Haas
On Tue, Feb 9, 2016 at 3:26 PM, Stephen Frost wrote: > Arbitrary code execution is quite a different concern from the prior > concern regarding incomplete dumps. I've had both concerns all along, and I think I've mentioned them before. > To the extent that untrusted code

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Stephen Frost
* Robert Haas (robertmh...@gmail.com) wrote: > On Tue, Feb 9, 2016 at 3:26 PM, Stephen Frost wrote: > > To the extent that untrusted code execution is an issue (and my > > experience with environments which would deploy RLS tells me that it > > isn't a practical concern), an

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Joshua D. Drake
On 02/09/2016 12:28 PM, Stephen Frost wrote: JD, * Joshua D. Drake (j...@commandprompt.com) wrote: pg_dump -U $non-super_user Should just work, period. That ship has sailed already, where you're running a pg_dump against objects you don't own and which have RLS enabled on them. Just to be

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Joe Conway
On 02/09/2016 01:22 PM, Tom Lane wrote: > Maybe we need to restrict that somehow, or maybe some better solution > exists that we've not thought of yet. But in its current state, RLS > is at least as much a security hazard as it is a security aid. > I do not want to see it extended in ways that

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Stephen Frost
* Dean Rasheed (dean.a.rash...@gmail.com) wrote: > On 9 February 2016 at 19:47, Robert Haas wrote: > > I think you're dismissing Tom's concerns far too lightly. The > > row_security=off mode, which is the default, becomes unusable for > > non-superusers under this

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Joe Conway
On 02/09/2016 12:47 PM, Robert Haas wrote: > On Tue, Feb 9, 2016 at 3:28 PM, Stephen Frost wrote: >> JD, >> >> * Joshua D. Drake (j...@commandprompt.com) wrote: >>> pg_dump -U $non-super_user >>> >>> Should just work, period. >> >> That ship has sailed already, where you're

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Robert Haas
On Tue, Feb 9, 2016 at 4:22 PM, Tom Lane wrote: > Part of the problem here is that we have *not* created any hard and fast > distinction between "privileged" and "unprivileged" users; I think that > even speaking in those terms about RLS risks errors in your thinking. +1. >

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Robert Haas
On Tue, Feb 9, 2016 at 3:28 PM, Stephen Frost wrote: > JD, > > * Joshua D. Drake (j...@commandprompt.com) wrote: >> pg_dump -U $non-super_user >> >> Should just work, period. > > That ship has sailed already, where you're running a pg_dump against > objects you don't own and

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Stephen Frost
JD, * Joshua D. Drake (j...@commandprompt.com) wrote: > On 02/09/2016 12:28 PM, Stephen Frost wrote: > >* Joshua D. Drake (j...@commandprompt.com) wrote: > >>pg_dump -U $non-super_user > >> > >>Should just work, period. > > > >That ship has sailed already, where you're running a pg_dump against >

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Tom Lane
Joe Conway writes: > Personally I don't buy that the current situation is a good thing. I > know that the "ship has sailed" and regret not having participated in > the earlier discussions, but I agree with JD here -- the unprivileged > user should not have to even think about

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Stephen Frost
Tom, * Tom Lane (t...@sss.pgh.pa.us) wrote: > Joe Conway writes: > > Personally I don't buy that the current situation is a good thing. I > > know that the "ship has sailed" and regret not having participated in > > the earlier discussions, but I agree with JD here -- the

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Stephen Frost
* Joe Conway (m...@joeconway.com) wrote: > On 02/09/2016 01:22 PM, Tom Lane wrote: > > Maybe we need to restrict that somehow, or maybe some better solution > > exists that we've not thought of yet. But in its current state, RLS > > is at least as much a security hazard as it is a security aid. >

Re: [HACKERS] Multi-tenancy with RLS

2016-02-09 Thread Joe Conway
On 02/09/2016 11:47 AM, Robert Haas wrote: > On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost wrote: >>> Whereupon you'd have no certainty that what you got represented a >>> complete dump of your own data. >> >> It would be a dump of what you're allowed to see, rather than an

Re: [HACKERS] Multi-tenancy with RLS

2016-02-08 Thread Alvaro Herrera
I've closed this as returned-with-feedback. -- Álvaro Herrerahttp://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription:

Re: [HACKERS] Multi-tenancy with RLS

2016-01-15 Thread Stephen Frost
* Tom Lane (t...@sss.pgh.pa.us) wrote: > Stephen Frost writes: > > * Tom Lane (t...@sss.pgh.pa.us) wrote: > >> Stephen Frost writes: > >>> I don't follow how this would destroy the ability to run pg_dump. > >>> Ideally, we'd have a result where a user

Re: [HACKERS] Multi-tenancy with RLS

2016-01-15 Thread Stephen Frost
* Tom Lane (t...@sss.pgh.pa.us) wrote: > Stephen Frost writes: > > * Tom Lane (t...@sss.pgh.pa.us) wrote: > >> However, by "not that much trouble" I only mean getting an implementation > >> that works and doesn't create more security problems than it fixes. > >> Usability is

Re: [HACKERS] Multi-tenancy with RLS

2016-01-15 Thread Stephen Frost
* Tom Lane (t...@sss.pgh.pa.us) wrote: > Joe Conway writes: > > As Stephen mentioned, yes, I am very interested in at least some aspects > > of this patch. The ability to apply RLS to system tables could be useful > > to solve a number of problems we don't have a good story

Re: [HACKERS] Multi-tenancy with RLS

2016-01-15 Thread Tom Lane
Stephen Frost writes: > * Tom Lane (t...@sss.pgh.pa.us) wrote: >> However, by "not that much trouble" I only mean getting an implementation >> that works and doesn't create more security problems than it fixes. >> Usability is still likely to be a huge problem. In particular

Re: [HACKERS] Multi-tenancy with RLS

2016-01-15 Thread Tom Lane
Stephen Frost writes: > * Tom Lane (t...@sss.pgh.pa.us) wrote: >> Stephen Frost writes: >>> I don't follow how this would destroy the ability to run pg_dump. >>> Ideally, we'd have a result where a user could run pg_dump without >>> having to apply any

Re: [HACKERS] Multi-tenancy with RLS

2016-01-07 Thread Tom Lane
Joe Conway writes: > On 01/06/2016 12:15 PM, Robert Haas wrote: >> Is any committer thinking about taking a serious look at this patch series? >> >> I ask because (1) it seems like it could be nice to have but (2) it >> frightens me terribly. We are generally very sparing

Re: [HACKERS] Multi-tenancy with RLS

2016-01-07 Thread Joe Conway
On 01/06/2016 12:15 PM, Robert Haas wrote: > On Tue, Jan 5, 2016 at 11:07 PM, Haribabu Kommi > wrote: >> May be you missed to apply the 3_shared_catalog_tenancy_v4 path, >> because 4_database_catalog_tenancy_v5 patch depends on it. >> >> Here I attached all the patches

Re: [HACKERS] Multi-tenancy with RLS

2016-01-06 Thread Stephen Frost
Robert, * Robert Haas (robertmh...@gmail.com) wrote: > On Tue, Jan 5, 2016 at 11:07 PM, Haribabu Kommi > wrote: > > May be you missed to apply the 3_shared_catalog_tenancy_v4 path, > > because 4_database_catalog_tenancy_v5 patch depends on it. > > > > Here I attached

Re: [HACKERS] Multi-tenancy with RLS

2016-01-06 Thread Amit Langote
On 2016/01/06 13:07, Haribabu Kommi wrote: > On Wed, Jan 6, 2016 at 1:43 PM, Amit Langote >> >> Patch 4_database_catalog_tenancy_v5 fails to apply: > > May be you missed to apply the 3_shared_catalog_tenancy_v4 path, > because 4_database_catalog_tenancy_v5 patch depends on it. Oops, I even

Re: [HACKERS] Multi-tenancy with RLS

2016-01-06 Thread Haribabu Kommi
On Thu, Jan 7, 2016 at 2:29 PM, Stephen Frost wrote: > Robert, > > * Robert Haas (robertmh...@gmail.com) wrote: > >> Apart from the issue of whether this is doomed for some architectural >> reason, it is not entirely clear to me that there's any consensus that >> we want this.

Re: [HACKERS] Multi-tenancy with RLS

2016-01-06 Thread Robert Haas
On Tue, Jan 5, 2016 at 11:07 PM, Haribabu Kommi wrote: > May be you missed to apply the 3_shared_catalog_tenancy_v4 path, > because 4_database_catalog_tenancy_v5 patch depends on it. > > Here I attached all the patches for your convenience, I am able to > apply all

Re: [HACKERS] Multi-tenancy with RLS

2016-01-05 Thread Amit Langote
On 2016/01/06 10:17, Haribabu Kommi wrote: > On Mon, Jan 4, 2016 at 10:43 PM, Haribabu Kommi >> >> Thanks for the test. Yes, the issue happens at backend startup itself. >> I will give a try by separating the initialization of security >> policies after init phase 3. > > Here I attached updated

Re: [HACKERS] Multi-tenancy with RLS

2016-01-04 Thread Haribabu Kommi
On Mon, Jan 4, 2016 at 8:34 PM, Amit Langote wrote: > On 2016/01/04 14:43, Haribabu Kommi wrote: >>> >>> Here I attached new series of patches with a slightly different approach. >>> Instead of creating the policies on the system catalog tables whenever >>> the

Re: [HACKERS] Multi-tenancy with RLS

2016-01-04 Thread Amit Langote
On 2016/01/04 14:43, Haribabu Kommi wrote: >> >> Here I attached new series of patches with a slightly different approach. >> Instead of creating the policies on the system catalog tables whenever >> the catalog security command is executed, just enable row level security >> on the system catalog

Re: [HACKERS] Multi-tenancy with RLS

2015-12-29 Thread Haribabu Kommi
On Thu, Dec 17, 2015 at 12:46 PM, Haribabu Kommi wrote: > Rebased patch is attached as it is having an OID conflict with the > latest set of changes > in the master branch. Here I attached new series of patches with a slightly different approach. Instead of creating the

Re: [HACKERS] Multi-tenancy with RLS

2015-12-16 Thread Haribabu Kommi
Rebased patch is attached as it is having an OID conflict with the latest set of changes in the master branch. Regards, Hari Babu Fujitsu Australia 4_database_catalog_tenancy_v3.patch Description: Binary data -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make

Re: [HACKERS] Multi-tenancy with RLS

2015-10-26 Thread Haribabu Kommi
On Wed, Oct 21, 2015 at 2:42 PM, Haribabu Kommi wrote: > Pending items: > 1. Need to add some more tests to verify all database catalog tables. > 2. Documentation changes for database catalog tenancy. Here I attached the updated database-catalog-security with more tests

Re: [HACKERS] Multi-tenancy with RLS

2015-10-20 Thread Haribabu Kommi
On Sat, Oct 10, 2015 at 1:54 AM, Stephen Frost wrote: > * Haribabu Kommi (kommi.harib...@gmail.com) wrote: >> On Fri, Oct 9, 2015 at 2:04 PM, Stephen Frost wrote: >> > * Robert Haas (robertmh...@gmail.com) wrote: >> >> We've got one reloption for views

Re: [HACKERS] Multi-tenancy with RLS

2015-10-09 Thread Joe Conway
On 10/08/2015 11:04 PM, Stephen Frost wrote: > * Robert Haas (robertmh...@gmail.com) wrote: >> We've got one reloption for views already - security_barrier. Maybe >> we could have another one that effectively changes a particular view >> from "security definer" as it is today to "security

Re: [HACKERS] Multi-tenancy with RLS

2015-10-09 Thread Stephen Frost
* Haribabu Kommi (kommi.harib...@gmail.com) wrote: > On Fri, Oct 9, 2015 at 2:04 PM, Stephen Frost wrote: > > * Robert Haas (robertmh...@gmail.com) wrote: > >> We've got one reloption for views already - security_barrier. Maybe > >> we could have another one that effectively

Re: [HACKERS] Multi-tenancy with RLS

2015-10-08 Thread Robert Haas
On Tue, Oct 6, 2015 at 7:29 AM, Stephen Frost wrote: > * Haribabu Kommi (kommi.harib...@gmail.com) wrote: >> On Tue, Oct 6, 2015 at 10:56 AM, Haribabu Kommi >> wrote: >> > Here I attached an updated version of the patch with the following changes. >>

Re: [HACKERS] Multi-tenancy with RLS

2015-10-08 Thread Stephen Frost
* Robert Haas (robertmh...@gmail.com) wrote: > We've got one reloption for views already - security_barrier. Maybe > we could have another one that effectively changes a particular view > from "security definer" as it is today to "security invoker". As I recall, there was a previous suggestion

Re: [HACKERS] Multi-tenancy with RLS

2015-10-08 Thread Haribabu Kommi
On Fri, Oct 9, 2015 at 2:04 PM, Stephen Frost wrote: > * Robert Haas (robertmh...@gmail.com) wrote: >> We've got one reloption for views already - security_barrier. Maybe >> we could have another one that effectively changes a particular view >> from "security definer" as it

Re: [HACKERS] Multi-tenancy with RLS

2015-10-06 Thread Haribabu Kommi
On Tue, Oct 6, 2015 at 10:56 AM, Haribabu Kommi wrote: > Here I attached an updated version of the patch with the following changes. I found some problems related to providing multi-tenancy on a system catalog view. This is because, system catalog view uses the owner

Re: [HACKERS] Multi-tenancy with RLS

2015-10-06 Thread Haribabu Kommi
On Tue, Oct 6, 2015 at 10:29 PM, Stephen Frost wrote: > * Haribabu Kommi (kommi.harib...@gmail.com) wrote: >> On Tue, Oct 6, 2015 at 10:56 AM, Haribabu Kommi >> wrote: >> > Here I attached an updated version of the patch with the following changes.

Re: [HACKERS] Multi-tenancy with RLS

2015-10-06 Thread Stephen Frost
* Haribabu Kommi (kommi.harib...@gmail.com) wrote: > On Tue, Oct 6, 2015 at 10:56 AM, Haribabu Kommi > wrote: > > Here I attached an updated version of the patch with the following changes. > > I found some problems related to providing multi-tenancy on a system >

Re: [HACKERS] Multi-tenancy with RLS

2015-10-05 Thread Haribabu Kommi
On Fri, Sep 11, 2015 at 7:50 AM, Joe Conway wrote: > On 09/01/2015 11:25 PM, Haribabu Kommi wrote: >> If any user is granted any permissions on that object then that user >> can view it's meta data of that object from the catalog tables. >> To check the permissions of the user

Re: [HACKERS] Multi-tenancy with RLS

2015-09-15 Thread Robert Haas
On Tue, Sep 15, 2015 at 9:18 AM, Jim Nasby wrote: > Also, we've faced issues in the past with making catalog changes due to fear > of breaking user scripts. Instead of doubling down on that with RLS on top > of catalog tables, would it be better to move the tables to a

Re: [HACKERS] Multi-tenancy with RLS

2015-09-15 Thread Stephen Frost
* Robert Haas (robertmh...@gmail.com) wrote: > On Tue, Sep 15, 2015 at 9:18 AM, Jim Nasby wrote: > > Also, we've faced issues in the past with making catalog changes due to fear > > of breaking user scripts. Instead of doubling down on that with RLS on top > > of catalog

Re: [HACKERS] Multi-tenancy with RLS

2015-09-15 Thread Jim Nasby
On 9/14/15 7:38 PM, Haribabu Kommi wrote: On Fri, Sep 11, 2015 at 7:50 AM, Joe Conway wrote: On 09/01/2015 11:25 PM, Haribabu Kommi wrote: If any user is granted any permissions on that object then that user can view it's meta data of that object from the catalog tables.

Re: [HACKERS] Multi-tenancy with RLS

2015-09-14 Thread Haribabu Kommi
On Fri, Sep 11, 2015 at 7:50 AM, Joe Conway wrote: > On 09/01/2015 11:25 PM, Haribabu Kommi wrote: >> If any user is granted any permissions on that object then that user >> can view it's meta data of that object from the catalog tables. >> To check the permissions of the user

Re: [HACKERS] Multi-tenancy with RLS

2015-09-10 Thread Joe Conway
On 09/01/2015 11:25 PM, Haribabu Kommi wrote: > If any user is granted any permissions on that object then that user > can view it's meta data of that object from the catalog tables. > To check the permissions of the user on the object, instead of > checking each and every available option, I just

Re: [HACKERS] Multi-tenancy with RLS

2015-09-02 Thread Haribabu Kommi
On Fri, Aug 14, 2015 at 12:00 PM, Haribabu Kommi wrote: > > Here I attached the proof concept patch. Here I attached an updated patch by adding policies to the most of the system catalog tables, except the following. AggregateRelationId AccessMethodRelationId