Re: RLS - permissive vs restrictive

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Thom Brown <thom(at)linux(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: RLS - permissive vs restrictive
Date: 2014-10-07 16:26:11
Message-ID: 20141007162611.GT28859@tamriel.snowman.net
Lists: pgsql-hackers

* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> The key point from my angle is that if you grant user alice the right
> to see records where a = 1 and user bob the right to see records where
> a = 2, the multiple-policy approach allows those quals to be
> implemented as index-scans. If you had a single policy granting all
> users the right to see records where policyfunc() returns true, it
> would never be indexable.

Right, that is certainly an important aspect also.

> I think that Thom's idea of having some policies that are additional
> filter conditions on top of everything else is a pretty good one.
> It's probably possible to construct a case where you need multiple
> levels of AND and OR logic, which Thom's proposal does not provide
> for. But are there really cases like that which anyone cares about?

I keep coming back to the feeling that we'd need some kind of exception
capability (more than just excluding the owner), without which this
feature wouldn't end up being practical.

> I think we're going to be tempted to think about that question for
> about 60 seconds and say "nope", and that's probably not enough
> thought. It deserves serious reflection, because I think Thom's
> proposal is terminal: if we do what he's proposing, it'll be hard to
> extend the idea any further if we later discover that it isn't general
> enough. That having been said, what he's proposing is simple and
> covers a fair amount of ground, and is thus worthy of serious
> consideration, at least IMHO.

Even given the above, I do like the idea in general and have been
thinking we need to provide something along these lines. I've been
trying to work out if we could provide a way to get to a generalized
CNF capability for policies, but I agree that it's unclear if there's
a real-world need for such.

Thanks,

Stephen
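
The policy combination discussed in this message, as an added example that is not part of the original email or of the patch under discussion. It uses the `CREATE POLICY ... AS PERMISSIVE | RESTRICTIVE` syntax that PostgreSQL shipped later (version 10 onward); the table, index, role and policy names are hypothetical.

```sql
-- Constructed schema for illustration; every name here is hypothetical.
CREATE TABLE records (
    id      serial PRIMARY KEY,
    a       integer NOT NULL,
    retired boolean NOT NULL DEFAULT false,
    payload text
);
CREATE INDEX records_a_idx ON records (a);

CREATE ROLE alice;
CREATE ROLE bob;
GRANT SELECT ON records TO alice, bob;

-- Constructed sample rows, inserted by the table owner (who bypasses RLS
-- unless FORCE ROW LEVEL SECURITY is set).
INSERT INTO records (a, retired, payload) VALUES
    (1, false, 'alice, live'),
    (1, true,  'alice, retired'),
    (2, false, 'bob, live');

ALTER TABLE records ENABLE ROW LEVEL SECURITY;

-- One permissive policy per user. Permissive policies that apply to the
-- same role are ORed together. Each qual is a plain comparison on an
-- indexed column, so the planner can consider records_a_idx for it.
CREATE POLICY alice_rows ON records
    AS PERMISSIVE FOR SELECT TO alice USING (a = 1);
CREATE POLICY bob_rows ON records
    AS PERMISSIVE FOR SELECT TO bob USING (a = 2);

-- A restrictive policy is an additional filter on top of everything else:
-- it is ANDed with the result of the permissive policies.
CREATE POLICY hide_retired ON records
    AS RESTRICTIVE FOR SELECT TO PUBLIC USING (NOT retired);

-- Effective row filter for alice: (a = 1) AND (NOT retired)
-- Effective row filter for bob:   (a = 2) AND (NOT retired)
-- The structure is fixed at two levels, (p1 OR p2 OR ...) AND r1 AND r2 ...,
-- so deeper nesting has to be written inside a single policy expression.

-- Run as a superuser or a member of alice; inspect the plan and the quals.
SET ROLE alice;
EXPLAIN SELECT id, payload FROM records;
SELECT id, payload FROM records;
RESET ROLE;
```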
