Re: [HACKERS] RLS Design

2014-09-25 Thread Thom Brown
On 19 September 2014 17:54, Stephen Frost sfr...@snowman.net wrote: Thom, * Thom Brown (t...@linux.com) wrote: On 19 September 2014 17:32, Stephen Frost sfr...@snowman.net wrote: * Thom Brown (t...@linux.com) wrote: On 14 September 2014 16:38, Stephen Frost sfr...@snowman.net wrote:

Re: [HACKERS] RLS Design

2014-09-25 Thread Stephen Frost
Thom, * Thom Brown (t...@linux.com) wrote: I find it a bit of a limitation that I can't specify both INSERT and UPDATE for a policy. I'd want to be able to specify something like this: CREATE POLICY no_greys_allowed ON colours FOR INSERT, UPDATE WITH CHECK (name NOT IN

Re: [HACKERS] RLS Design

2014-09-25 Thread Thom Brown
On 25 September 2014 15:26, Stephen Frost sfr...@snowman.net wrote: I expected this to still trigger an error due to the first policy. Am I to infer from this that the policy model is permissive rather than restrictive? That's correct and I believe pretty clear in the documentation- policies

Re: [HACKERS] RLS Design

2014-09-20 Thread Craig Ringer
On 09/20/2014 12:38 AM, Stephen Frost wrote: I would not (nor do I feel that I did..) have committed it over a specific request to not do so from another committer. I had been hoping that there would be another review coming from somewhere, but there is always a trade-off between waiting

Re: [HACKERS] RLS Design

2014-09-20 Thread Josh Berkus
On 09/20/2014 12:23 AM, Craig Ringer wrote: On 09/20/2014 12:38 AM, Stephen Frost wrote: I would not (nor do I feel that I did..) have committed it over a specific request to not do so from another committer. I had been hoping that there would be another review coming from somewhere, but

Re: [HACKERS] RLS Design

2014-09-19 Thread Robert Haas
On Sun, Sep 14, 2014 at 11:38 AM, Stephen Frost sfr...@snowman.net wrote: * Robert Haas (robertmh...@gmail.com) wrote: On Thu, Sep 11, 2014 at 3:08 PM, Stephen Frost sfr...@snowman.net wrote: If we want to be able to disable RLS w/o dropping the policies, then I think we have to completely

Re: [HACKERS] RLS Design

2014-09-19 Thread Andres Freund
On 2014-09-19 11:53:06 -0400, Robert Haas wrote: On Sun, Sep 14, 2014 at 11:38 AM, Stephen Frost sfr...@snowman.net wrote: * Robert Haas (robertmh...@gmail.com) wrote: On Thu, Sep 11, 2014 at 3:08 PM, Stephen Frost sfr...@snowman.net wrote: If we want to be able to disable RLS w/o dropping

Re: [HACKERS] RLS Design

2014-09-19 Thread Thom Brown
On 14 September 2014 16:38, Stephen Frost sfr...@snowman.net wrote: * Robert Haas (robertmh...@gmail.com) wrote: On Thu, Sep 11, 2014 at 3:08 PM, Stephen Frost sfr...@snowman.net wrote: If we want to be able to disable RLS w/o dropping the policies, then I think we have to completely

Re: [HACKERS] RLS Design

2014-09-19 Thread Stephen Frost
Thom, Thanks! * Thom Brown (t...@linux.com) wrote: On 14 September 2014 16:38, Stephen Frost sfr...@snowman.net wrote: # create policy visible_colours on colours for all to joe using (visible = true); CREATE POLICY [...] insert into colours (name, visible) values ('transparent',false);

Re: [HACKERS] RLS Design

2014-09-19 Thread Stephen Frost
Robert, * Robert Haas (robertmh...@gmail.com) wrote: On Sun, Sep 14, 2014 at 11:38 AM, Stephen Frost sfr...@snowman.net wrote: Alright, updated patch attached which does just that (thanks to Adam for the updates for this and testing pg_dump- I just reviewed it and added some documentation

Re: [HACKERS] RLS Design

2014-09-19 Thread Thom Brown
On 19 September 2014 17:32, Stephen Frost sfr...@snowman.net wrote: Thom, Thanks! * Thom Brown (t...@linux.com) wrote: On 14 September 2014 16:38, Stephen Frost sfr...@snowman.net wrote: # create policy visible_colours on colours for all to joe using (visible = true); CREATE POLICY

Re: [HACKERS] RLS Design

2014-09-19 Thread Andres Freund
On 2014-09-19 12:38:39 -0400, Stephen Frost wrote: I would not (nor do I feel that I did..) have committed it over a specific request to not do so from another committer. I had been hoping that there would be another review coming from somewhere, but there is always a trade-off between

Re: [HACKERS] RLS Design

2014-09-19 Thread Robert Haas
On Fri, Sep 19, 2014 at 12:38 PM, Stephen Frost sfr...@snowman.net wrote: This patch, on the other hand, was massively revised after the start of the CommitFest after many months of inactivity and committed with no thorough review by anyone who was truly independent of the development effort.

Re: [HACKERS] RLS Design

2014-09-19 Thread Stephen Frost
Thom, * Thom Brown (t...@linux.com) wrote: On 19 September 2014 17:32, Stephen Frost sfr...@snowman.net wrote: * Thom Brown (t...@linux.com) wrote: On 14 September 2014 16:38, Stephen Frost sfr...@snowman.net wrote: # create policy visible_colours on colours for all to joe using (visible

Re: [HACKERS] RLS Design

2014-09-19 Thread Brightwell, Adam
Thom, Also, I seem to get an error message with the following: # create policy nice_colours ON colours for all to joe using (visible = true) with check (name in ('blue','green','yellow')); CREATE POLICY \c - joe insert into colours (name, visible) values ('blue',false); ERROR: function

Re: [HACKERS] RLS Design

2014-09-19 Thread Andrew Gierth
Adam == Brightwell, Adam adam.brightw...@crunchydatasolutions.com writes: Adam At any rate, this appears to be a previously existing issue Adam with WITH CHECK OPTION. Thoughts? It's definitely an existing issue; you can reproduce it more simply, no need to mess with different users. The

Re: [HACKERS] RLS Design

2014-09-11 Thread Erik Rijkers
On Wed, September 10, 2014 23:50, Stephen Frost wrote: [rls_9-10-2014.patch] I can't get this to apply; I attach the complaints of patch. Erik Rijkers -- git clone git://git.postgresql.org/git/postgresql.git master Cloning into 'master'... -- git branch * master patching file

Re: [HACKERS] RLS Design

2014-09-11 Thread Stephen Frost
Erik, * Erik Rijkers (e...@xs4all.nl) wrote: On Wed, September 10, 2014 23:50, Stephen Frost wrote: [rls_9-10-2014.patch] I can't get this to apply; I attach the complaints of patch. Thanks for taking a look at this! [...] patching file src/include/catalog/catversion.h Hunk #1 FAILED

Re: [HACKERS] RLS Design

2014-09-11 Thread Robert Haas
On Sat, Sep 6, 2014 at 2:54 AM, Brightwell, Adam adam.brightw...@crunchydatasolutions.com wrote: * Add ALTER TABLE name { ENABLE | DISABLE } ROW LEVEL SECURITY - set flag on table to allow for a default-deny capability. If RLS is enabled on a table and has no policies, then a default-deny

Re: [HACKERS] RLS Design

2014-09-11 Thread Stephen Frost
Robert, * Robert Haas (robertmh...@gmail.com) wrote: On Sat, Sep 6, 2014 at 2:54 AM, Brightwell, Adam adam.brightw...@crunchydatasolutions.com wrote: * Add ALTER TABLE name { ENABLE | DISABLE } ROW LEVEL SECURITY - set flag on table to allow for a default-deny capability. If RLS is enabled

Re: [HACKERS] RLS Design

2014-09-11 Thread Robert Haas
On Thu, Sep 11, 2014 at 3:08 PM, Stephen Frost sfr...@snowman.net wrote: 2. Row level security policies can exist for a table with DISABLE ROW LEVEL SECURITY in effect, but they don't do anything until RLS is enabled. A possible advantage of this approach is that you could *temporarily* shut

Re: [HACKERS] RLS Design

2014-09-11 Thread Stephen Frost
* Robert Haas (robertmh...@gmail.com) wrote: On Thu, Sep 11, 2014 at 3:08 PM, Stephen Frost sfr...@snowman.net wrote: The one thing I'm wondering about with this design is- what happens when a policy is initially added? Currently, we automatically turn on RLS for the table when that

Re: [HACKERS] RLS Design

2014-09-03 Thread Robert Haas
On Fri, Aug 29, 2014 at 8:16 PM, Brightwell, Adam adam.brightw...@crunchydatasolutions.com wrote: Attached is a patch for RLS that was create against master at 01363beae52700c7425cb2d2452177133dad3e93 and is ready for review. Overview: This patch provides the capability to create multiple

Re: [HACKERS] RLS Design

2014-09-03 Thread Stephen Frost
Hey Robert, On my phone at the moment but wanted to reply. I'm working through a few of these issues already actually (noticed as I've been going over it with Adam), but certainly appreciate the additional review. We've not posted another update quite yet but plan to shortly. Thanks! Stephen

Re: [HACKERS] RLS Design

2014-09-03 Thread Stephen Frost
Robert, Alright, I can't help it so I'll try and reply from my phone for a couple of these. :) On Wednesday, September 3, 2014, Robert Haas robertmh...@gmail.com wrote: On Fri, Aug 29, 2014 at 8:16 PM, Brightwell, Adam adam.brightw...@crunchydatasolutions.com javascript:; wrote: Attached is

Re: [HACKERS] RLS Design

2014-09-03 Thread Robert Haas
On Wed, Sep 3, 2014 at 10:40 AM, Stephen Frost sfr...@snowman.net wrote: This is not a full review of this patch; as we're mid-CommitFest, I assume this will get added to the next CommitFest. As per usual, the expectation is that the patch is reviewed and updated during the commitfest. Given

Re: [HACKERS] RLS Design

2014-08-31 Thread Stephen Frost
Adam, all, * Brightwell, Adam (adam.brightw...@crunchydatasolutions.com) wrote: Attached is a patch for RLS that was create against master at 01363beae52700c7425cb2d2452177133dad3e93 and is ready for review. Many thanks for posting this. As others may realize already, I've reviewed and

Re: [HACKERS] RLS Design

2014-07-21 Thread Robert Haas
On Fri, Jul 18, 2014 at 7:01 PM, Brightwell, Adam adam.brightw...@crunchydatasolutions.com wrote: I think we do want a way to modify policies. However, we tend to avoid syntax that involves unnatural word order, as this certainly does. Maybe it's better to follow the example of CREATE RULE

Re: [HACKERS] RLS Design

2014-07-18 Thread Robert Haas
On Wed, Jul 16, 2014 at 10:04 PM, Brightwell, Adam adam.brightw...@crunchydatasolutions.com wrote: Yes, I just tested it and the following would work from a grammar perspective: ALTER TABLE table_name POLICY ADD policy_name (policy_quals) ALTER TABLE table_name POLICY DROP policy_name

Re: [HACKERS] RLS Design

2014-07-18 Thread Brightwell, Adam
I think we do want a way to modify policies. However, we tend to avoid syntax that involves unnatural word order, as this certainly does. Maybe it's better to follow the example of CREATE RULE and CREATE TRIGGER and do something this instead: CREATE POLICY policy_name ON table_name USING

Re: [HACKERS] RLS Design

2014-07-17 Thread Alvaro Herrera
Tom Lane wrote: 20MB messages to the list aren't that friendly. Please don't do that again, unless asked to. FWIW the message was not distributed to the list. I got a note from Adam and dropped it from the moderation queue. -- Álvaro Herrerahttp://www.2ndQuadrant.com/

Re: [HACKERS] RLS Design

2014-07-16 Thread Tom Lane
Brightwell, Adam adam.brightw...@crunchydatasolutions.com writes: You could do: ALTER TABLE table_name ADD POLICY policy_name (quals); ALTER TABLE table_name POLICY FOR role_name IS policy_name; ALTER TABLE table_name DROP POLICY policy_name; I am attempting to modify the grammar to

Re: [HACKERS] RLS Design

2014-07-16 Thread Stephen Frost
Adam, * Tom Lane (t...@sss.pgh.pa.us) wrote: Brightwell, Adam adam.brightw...@crunchydatasolutions.com writes: ALTER TABLE table_name ADD POLICY policy_name (quals); ALTER TABLE table_name POLICY FOR role_name IS policy_name; ALTER TABLE table_name DROP POLICY policy_name; [...] This

Re: [HACKERS] RLS Design

2014-07-16 Thread Brightwell, Adam
Tom, Thanks for the feedback. 20MB messages to the list aren't that friendly. Please don't do that again, unless asked to. Apologies, I didn't realize it was so large until after it was sent. At any rate, it won't happen again. FWIW, the above syntax is a nonstarter, at least unless

Re: [HACKERS] RLS Design

2014-07-16 Thread Brightwell, Adam
Stephen, Yeah, now that we're trying to bake this into ALTER TABLE we need to be a bit more cautious. I'd think: ALTER TABLE tab POLICY ADD ... Would work though? (note: haven't looked/tested myself) Yes, I just tested it and the following would work from a grammar perspective: ALTER

Re: [HACKERS] RLS Design

2014-07-16 Thread Stephen Frost
Adam, * Brightwell, Adam (adam.brightw...@crunchydatasolutions.com) wrote: Yeah, now that we're trying to bake this into ALTER TABLE we need to be a bit more cautious. I'd think: ALTER TABLE tab POLICY ADD ... Would work though? (note: haven't looked/tested myself) Yes, I just

Re: [HACKERS] RLS Design

2014-07-11 Thread Stephen Frost
On Thursday, July 10, 2014, Robert Haas robertmh...@gmail.com wrote: On Wed, Jul 9, 2014 at 2:13 AM, Stephen Frost sfr...@snowman.net javascript:; wrote: Yes, this would be possible (and is nearly identical to the original patch, except that this includes per-role considerations), however,

Re: [HACKERS] RLS Design

2014-07-11 Thread Robert Haas
On Fri, Jul 11, 2014 at 4:55 AM, Stephen Frost sfr...@snowman.net wrote: On Thursday, July 10, 2014, Robert Haas robertmh...@gmail.com wrote: On Wed, Jul 9, 2014 at 2:13 AM, Stephen Frost sfr...@snowman.net wrote: Yes, this would be possible (and is nearly identical to the original patch,

Re: [HACKERS] RLS Design

2014-07-11 Thread Stephen Frost
Robert, On Friday, July 11, 2014, Robert Haas robertmh...@gmail.com wrote: On Fri, Jul 11, 2014 at 4:55 AM, Stephen Frost sfr...@snowman.net javascript:; wrote: My feeling at the moment is that having them be per-table makes sense and we'd still have flexibility to change later if we had

Re: [HACKERS] RLS Design

2014-07-10 Thread Robert Haas
On Wed, Jul 9, 2014 at 2:13 AM, Stephen Frost sfr...@snowman.net wrote: Robert, * Robert Haas (robertmh...@gmail.com) wrote: If you're going to have predicates be table-level and access grants be table-level, then what's the value in having policies? You could just do: ALTER TABLE

Re: [HACKERS] RLS Design

2014-07-09 Thread Stephen Frost
Craig, * Craig Ringer (cr...@2ndquadrant.com) wrote: I was jotting notes about this last sleepless night, and was really glad to see the suggestion of enabling RLS on a table being a requirement for OR-style quals suggested in the thread when I woke. Thanks for your thoughts and input! The

Re: [HACKERS] RLS Design

2014-07-09 Thread Stephen Frost
KaiGai, * Kohei KaiGai (kai...@kaigai.gr.jp) wrote: What I'd like to implement is adjustment of query like: SELECT * FROM t1 WHERE (x like '%abc%') AND (quals by built-in RLS) AND (quals by extension-1) AND ... AND (quals by extension-N); I never mind even if qualifiers in the

Re: [HACKERS] RLS Design

2014-07-09 Thread Stephen Frost
Robert, * Robert Haas (robertmh...@gmail.com) wrote: If you're going to have predicates be table-level and access grants be table-level, then what's the value in having policies? You could just do: ALTER TABLE table_name GRANT ROW ACCESS TO role_name USING quals; Yes, this would be

Re: [HACKERS] RLS Design

2014-07-09 Thread Kohei KaiGai
2014-07-09 15:07 GMT+09:00 Stephen Frost sfr...@snowman.net: KaiGai, * Kohei KaiGai (kai...@kaigai.gr.jp) wrote: What I'd like to implement is adjustment of query like: SELECT * FROM t1 WHERE (x like '%abc%') AND (quals by built-in RLS) AND (quals by extension-1) AND ... AND

Re: [HACKERS] RLS Design

2014-07-09 Thread Stephen Frost
KaiGai, * Kohei KaiGai (kai...@kaigai.gr.jp) wrote: 2014-07-09 15:07 GMT+09:00 Stephen Frost sfr...@snowman.net: * Kohei KaiGai (kai...@kaigai.gr.jp) wrote: What I'd like to implement is adjustment of query like: SELECT * FROM t1 WHERE (x like '%abc%') AND (quals by built-in RLS)

Re: [HACKERS] RLS Design

2014-07-08 Thread Craig Ringer
Hi all I was jotting notes about this last sleepless night, and was really glad to see the suggestion of enabling RLS on a table being a requirement for OR-style quals suggested in the thread when I woke. The only sane way to do OR-ing of multiple rules is to require that tables be switched to

Re: [HACKERS] RLS Design

2014-07-08 Thread Kohei KaiGai
2014-07-06 14:19 GMT+09:00 Stephen Frost sfr...@snowman.net: Kaigai, * Kouhei Kaigai (kai...@ak.jp.nec.com) wrote: Can you clarify where this is coming from..? It sounds like you're referring to an existing implementation and, if so, it'd be good to get more information on how that works

Re: [HACKERS] RLS Design

2014-07-07 Thread Robert Haas
On Thu, Jul 3, 2014 at 1:14 AM, Stephen Frost sfr...@snowman.net wrote: Alright, apologies for it being a bit later than intended, but here's what I've come up with thus far. -- policies defined at a table scope -- allows using the same policy name for different tables -- with quals

Re: [HACKERS] RLS Design

2014-07-05 Thread Stephen Frost
Kaigai, * Kouhei Kaigai (kai...@ak.jp.nec.com) wrote: Can you clarify where this is coming from..? It sounds like you're referring to an existing implementation and, if so, it'd be good to get more information on how that works exactly. Oracle VPD - Multiple Policies for Each Table,

Re: [HACKERS] RLS Design

2014-07-04 Thread Kouhei Kaigai
Sorry for my late responding, now I'm catching up the discussion. * Robert Haas (robertmh...@gmail.com) wrote: On Tue, Jul 1, 2014 at 3:20 PM, Dean Rasheed dean.a.rash...@gmail.com wrote: If RLS quals are instead regarded as constraints on access, and multiple policies apply, then it

Re: [HACKERS] RLS Design

2014-07-04 Thread Stephen Frost
Kaigai, On Thursday, July 3, 2014, Kouhei Kaigai kai...@ak.jp.nec.com wrote: Sorry for my late responding, now I'm catching up the discussion. * Robert Haas (robertmh...@gmail.com javascript:;) wrote: On Tue, Jul 1, 2014 at 3:20 PM, Dean Rasheed dean.a.rash...@gmail.com javascript:;

Re: [HACKERS] RLS Design

2014-07-04 Thread Kouhei Kaigai
Kaigai, On Thursday, July 3, 2014, Kouhei Kaigai kai...@ak.jp.nec.com wrote: Sorry for my late responding, now I'm catching up the discussion. * Robert Haas (robertmh...@gmail.com javascript:; ) wrote: On Tue, Jul 1, 2014 at 3:20 PM, Dean Rasheed

Re: [HACKERS] RLS Design

2014-07-02 Thread Yeb Havinga
On 01/07/14 21:51, Robert Haas wrote: On Tue, Jul 1, 2014 at 3:20 PM, Dean Rasheed dean.a.rash...@gmail.com wrote: That seems like a pretty strong argument. If RLS quals are instead regarded as constraints on access, and multiple policies apply, then it seems that the quals should now be

Re: [HACKERS] RLS Design

2014-07-02 Thread Stephen Frost
* Robert Haas (robertmh...@gmail.com) wrote: On Tue, Jul 1, 2014 at 3:20 PM, Dean Rasheed dean.a.rash...@gmail.com wrote: If RLS quals are instead regarded as constraints on access, and multiple policies apply, then it seems that the quals should now be combined with AND rather than OR,

Re: [HACKERS] RLS Design

2014-07-02 Thread Robert Haas
On Wed, Jul 2, 2014 at 9:47 AM, Stephen Frost sfr...@snowman.net wrote: But you could do it other ways. For example: ALTER TABLE table_name [ NO ] ROW LEVEL SECURITY; ALTER TABLE table_name GRANT ROW ACCESS TO role_name USING qual; If a table is set to NO ROW LEVEL SECURITY then it behaves

Re: [HACKERS] RLS Design

2014-07-02 Thread Stephen Frost
* Robert Haas (robertmh...@gmail.com) wrote: On Wed, Jul 2, 2014 at 9:47 AM, Stephen Frost sfr...@snowman.net wrote: But you could do it other ways. For example: ALTER TABLE table_name [ NO ] ROW LEVEL SECURITY; ALTER TABLE table_name GRANT ROW ACCESS TO role_name USING qual; If a

Re: [HACKERS] RLS Design

2014-07-02 Thread Robert Haas
On Wed, Jul 2, 2014 at 11:42 AM, Stephen Frost sfr...@snowman.net wrote: What if policies exist and they decide to 'turn off' RLS for the table- suddenly everyone can see all the rows? That'd be my vote. Sorta like disabling triggers. Hmm. Ok- how would you feel about at least spitting

Re: [HACKERS] RLS Design

2014-07-02 Thread Stephen Frost
* Robert Haas (robertmh...@gmail.com) wrote: On Wed, Jul 2, 2014 at 11:42 AM, Stephen Frost sfr...@snowman.net wrote: What if policies exist and they decide to 'turn off' RLS for the table- suddenly everyone can see all the rows? That'd be my vote. Sorta like disabling triggers.

Re: [HACKERS] RLS Design

2014-07-02 Thread Stephen Frost
Robert, all, * Robert Haas (robertmh...@gmail.com) wrote: I think we're converging, but it might be a good idea to summarize a specific proposal before you start implementing. Alright, apologies for it being a bit later than intended, but here's what I've come up with thus far. -- policies

Re: [HACKERS] RLS Design

2014-07-01 Thread Dean Rasheed
On 29 June 2014 20:42, Stephen Frost sfr...@snowman.net wrote: To try and clarify what this distinction is- Dean's approach with GRANT allows specifying the policy to be used when a given role queries a given table. Through this mechanism, one role might have access to many different tables,

Re: [HACKERS] RLS Design

2014-07-01 Thread Robert Haas
On Tue, Jul 1, 2014 at 3:33 AM, Dean Rasheed dean.a.rash...@gmail.com wrote: An annoying complication, however, is how this interacts with column privileges. Right now GRANT SELECT(col1) ON t1 TO role1 gives role1 access to every row in col1, and I think that has to remain the case, since

Re: [HACKERS] RLS Design

2014-07-01 Thread Dean Rasheed
On 1 July 2014 17:42, Robert Haas robertmh...@gmail.com wrote: On Tue, Jul 1, 2014 at 3:33 AM, Dean Rasheed dean.a.rash...@gmail.com wrote: An annoying complication, however, is how this interacts with column privileges. Right now GRANT SELECT(col1) ON t1 TO role1 gives role1 access to every

Re: [HACKERS] RLS Design

2014-07-01 Thread Robert Haas
On Tue, Jul 1, 2014 at 3:20 PM, Dean Rasheed dean.a.rash...@gmail.com wrote: On 1 July 2014 17:42, Robert Haas robertmh...@gmail.com wrote: On Tue, Jul 1, 2014 at 3:33 AM, Dean Rasheed dean.a.rash...@gmail.com wrote: An annoying complication, however, is how this interacts with column

Re: [HACKERS] RLS Design

2014-06-30 Thread Robert Haas
On Sun, Jun 29, 2014 at 3:42 PM, Stephen Frost sfr...@snowman.net wrote: An interesting question we haven't much considered is: who can set up policies and add then to users? Maybe we should flip this around, and instead of adding users to policies, we should exempt users from policies.

Re: [HACKERS] RLS Design

2014-06-30 Thread Stephen Frost
* Robert Haas (robertmh...@gmail.com) wrote: On Sun, Jun 29, 2014 at 3:42 PM, Stephen Frost sfr...@snowman.net wrote: An interesting question we haven't much considered is: who can set up policies and add then to users? Maybe we should flip this around, and instead of adding users to

Re: [HACKERS] RLS Design

2014-06-30 Thread Robert Haas
On Mon, Jun 30, 2014 at 9:42 AM, Stephen Frost sfr...@snowman.net wrote: I'm not a fan of the EXEMPT approach.. Just out of curiosity, why not? I don't see it as really solving the flexibility need and it feels quite a bit more complicated to reason about. Would someone who is EXEMPT from

Re: [HACKERS] RLS Design

2014-06-30 Thread Stephen Frost
* Robert Haas (robertmh...@gmail.com) wrote: On Mon, Jun 30, 2014 at 9:42 AM, Stephen Frost sfr...@snowman.net wrote: I don't see it as really solving the flexibility need and it feels quite a bit more complicated to reason about. Would someone who is EXEMPT from one policy on a given

Re: [HACKERS] RLS Design

2014-06-29 Thread Stephen Frost
Robert, Dean, * Dean Rasheed (dean.a.rash...@gmail.com) wrote: On 26 June 2014 18:04, Robert Haas robertmh...@gmail.com wrote: ALTER TABLE t1 SET POLICY p1 ON SELECT TO t1_p1_sel_quals; GRANT SELECT ON TABLE t1 TO role1 USING p1; As I see it, the downside of this is that it gets a lot

Re: [HACKERS] RLS Design

2014-06-27 Thread Dean Rasheed
On 26 June 2014 18:04, Robert Haas robertmh...@gmail.com wrote: ALTER TABLE t1 SET POLICY p1 ON SELECT TO t1_p1_sel_quals; GRANT SELECT ON TABLE t1 TO role1 USING p1; As I see it, the downside of this is that it gets a lot more complex. We have to revise the ACL representation, which is

Re: [HACKERS] RLS Design

2014-06-26 Thread Robert Haas
On Wed, Jun 25, 2014 at 4:48 PM, Dean Rasheed dean.a.rash...@gmail.com wrote: Instead of doing it this way, we could instead do: ALTER ROLE role1 ADD POLICY p1; ALTER ROLE role2 ADD POLICY p2; We could possibly allow multiple policies to be set for the same user, but given an error (or OR

Re: [HACKERS] RLS Design

2014-06-25 Thread Dean Rasheed
On 25 June 2014 01:49, Stephen Frost sfr...@snowman.net wrote: Dean, all, Changing the subject of this thread (though keeping it threaded) as we've really moved on to a much broader discussion. * Dean Rasheed (dean.a.rash...@gmail.com) wrote: On 24 June 2014 17:27, Stephen Frost

Re: [HACKERS] RLS Design

2014-06-25 Thread Stephen Frost
* Dean Rasheed (dean.a.rash...@gmail.com) wrote: On 25 June 2014 01:49, Stephen Frost sfr...@snowman.net wrote: I can't recall a system where managers have to request access to their manager role. Having another way of changing the permissions which are applied to a session (the existing

Re: [HACKERS] RLS Design the rewriter into the planner?

2014-06-25 Thread Stephen Frost
Robert, all, Changing the thread topic to match the other one, and adding Dean in explicitly since we're talking about the design discussed with him. * Robert Haas (robertmh...@gmail.com) wrote: I think role is good enough. That's the primary identifier for all access-control related

Re: [HACKERS] RLS Design

2014-06-25 Thread Robert Haas
On Tue, Jun 24, 2014 at 8:49 PM, Stephen Frost sfr...@snowman.net wrote: Let's try to outline what this would look like then. Taking your approach, we'd have: CREATE POLICY p1; CREATE POLICY p2; ALTER TABLE t1 SET POLICY p1 TO t1_p1_quals; ALTER TABLE t1 SET POLICY p2 TO t1_p2_quals;

Re: [HACKERS] RLS Design

2014-06-25 Thread Stephen Frost
* Robert Haas (robertmh...@gmail.com) wrote: On Tue, Jun 24, 2014 at 8:49 PM, Stephen Frost sfr...@snowman.net wrote: Let's try to outline what this would look like then. Taking your approach, we'd have: CREATE POLICY p1; CREATE POLICY p2; ALTER TABLE t1 SET POLICY p1 TO

Re: [HACKERS] RLS Design

2014-06-25 Thread Dean Rasheed
On 25 June 2014 16:44, Robert Haas robertmh...@gmail.com wrote: On Tue, Jun 24, 2014 at 8:49 PM, Stephen Frost sfr...@snowman.net wrote: Let's try to outline what this would look like then. Taking your approach, we'd have: CREATE POLICY p1; CREATE POLICY p2; ALTER TABLE t1 SET POLICY p1