Re: API change advice: Passing plan invalidation info from the rewriter into the planner?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Craig Ringer <craig(at)2ndquadrant(dot)com>
Cc: Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Yeb Havinga <yeb(dot)havinga(at)portavita(dot)nl>
Subject: Re: API change advice: Passing plan invalidation info from the rewriter into the planner?
Date: 2014-06-10 23:24:11
Message-ID: 7872.1402442651@sss.pgh.pa.us
Lists: pgsql-hackers

Craig Ringer <craig(at)2ndquadrant(dot)com> writes:
> On 06/11/2014 02:19 AM, Tom Lane wrote:
>> Could we put the "if superuser then ok" test into the RLS condition test
>> and thereby not need more than one plan at all?

> Only if we put it in another level of security barrier subquery, because
> otherwise the planner might execute the other quals (including possible
> user defined functions) before the superuser test. Which was the whole
> reason for the superuser test in the first place.

Is the point of that that the table owner might have put trojan-horse
functions into the RLS qual? If so, why are we only concerned about
defending the superuser and not other users? Seems like the right fix
would be to insist that functions in the RLS qual run as the table owner.
Granted, that might be painful to do. But it still seems like "we only
need to do this for superusers" is designing with blinkers on.

regards, tom lane
