Re: RLS Design

On Mon, Jun 30, 2014 at 9:42 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> > I'm not a fan of the EXEMPT approach..
>>
>> Just out of curiosity, why not?
>
> I don't see it as really solving the flexibility need and it feels quite
> a bit more complicated to reason about. Would someone who is EXEMPT
> from one policy on a given table still have other policies on that table
> applied to them?

Yes; otherwise, EXEMPT couldn't be granted by non-superusers, and the
whole point of that proposal was to come up with something that would
be clearly safe for ordinary users to use.

> Would a user be able to be EXEMPT from multiple
> policies?

Yes, clearly. It would be a privilege on the policy object, so
different objects can have different privileges.

> I feel like that's what you're suggesting with this approach,
> otherwise I don't see it as really different from the 'DIRECT SELECT'
> privilege discussed previously..

Right. If you took that away, it wouldn't be different.

The number of possible approaches here has expanded beyond what I can
keep in my head; I'm assuming you are planning to think this over and
propose something comprehensive, or maybe Dean or someone else will do
that. But I'm not sure that all the approaches proposed would make it
safe for non-superusers to use RLS, and I think it would be good if
they could.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company