Re: leaky views, yet again

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Itagaki Takahiro <itagaki(dot)takahiro(at)gmail(dot)com>, Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: leaky views, yet again
Date: 2010-10-05 15:28:57
Message-ID: AANLkTi=Aumy8CvJaoZ8vJsgVz8NsgWq7xCgzXDmvYrtf@mail.gmail.com
Lists: pgsql-hackers

On Tue, Oct 5, 2010 at 10:56 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> Personally I think this is a dead end that we shouldn't be wasting
> any more time on.

But you haven't proposed a reasonable alternative.

As far as I can see, there are only two ways to go here.

Option #1: Remove all mention from the documentation of using views
for security purposes. Don't allow views to have explicit permissions
attached to them; they are merely shorthand for a SELECT, for which
you either do or do not have privileges.

Option #2: Define a standard for what constitutes acceptable
information leakage and what does not. Then write the code to try to
meet that standard.

The status quo, whereby we advise people to secure their data by
doing something that doesn't actually work, is, to use the
non-technical term, dumb. We need to decide what we're going to do
about it, not whether we're going to do anything about it.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company
