RLS - permissive vs restrictive

From: Thom Brown <thom(at)linux(dot)com>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: RLS - permissive vs restrictive
Date: 2014-10-07 10:44:21
Message-ID: CAA-aLv691PYv2cwT6-aiDbBaRo0+3fpAcktK2VCM4iPX1hAobw@mail.gmail.com
Lists: pgsql-hackers

Hi,

It appears that I'm not the only person who finds it somewhat
unintuitive for overlapping RLS policies to be permissive rather than
restrictive (OR vs AND) (at least 3 others seem to expect AND
behaviour), although I understand the reasoning behind
it. And I've since discovered that the same feature in another
database system uses the latter rather than the former.

I posted a brain coredump of my thoughts on the matter on Depesz's
blog (http://www.depesz.com/2014/10/02/waiting-for-9-5-row-level-security-policies-rls/#comment-187800)
and I was wondering if there's a future in allowing both systems. The
syntax is less important than the functionality, where restrictive
policies would be AND'd, permissive policies would (like they
currently do) be OR'd, and a combination would involve all restrictive
plus at least one permissive (i.e. restr1 AND restr2 AND (perm3 OR
perm4)).

I'm just interested to know what others' thoughts on the matter are.

Thom
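
The combination described above, restr1 AND restr2 AND (perm3 OR perm4), as an added example that is not part of the original message. It assumes the `AS RESTRICTIVE` / `AS PERMISSIVE` clause of `CREATE POLICY` found in PostgreSQL 10 and later; the table, role, `app.department` setting and rows are constructed for illustration.

```sql
-- Constructed schema and data; every name here is hypothetical.
CREATE TABLE documents (
    id         int PRIMARY KEY,
    owner_name text    NOT NULL,
    department text    NOT NULL,
    classified boolean NOT NULL DEFAULT false,
    is_public  boolean NOT NULL DEFAULT false
);

INSERT INTO documents VALUES
    (1, 'alice', 'eng',   false, false),  -- owned by alice, her department
    (2, 'bob',   'eng',   false, true),   -- public, her department
    (3, 'bob',   'eng',   false, false),  -- neither owned nor public
    (4, 'alice', 'sales', false, false),  -- owned, but another department
    (5, 'alice', 'eng',   true,  false);  -- owned, but classified

CREATE ROLE alice;
GRANT SELECT ON documents TO alice;

-- Policies only apply once RLS is enabled; the table owner and
-- superusers bypass them, so the query below runs as alice.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;

-- Restrictive policies: every one of them must pass (AND).
CREATE POLICY restr1 ON documents AS RESTRICTIVE FOR SELECT
    USING (department = current_setting('app.department'));
CREATE POLICY restr2 ON documents AS RESTRICTIVE FOR SELECT
    USING (NOT classified);

-- Permissive policies: at least one of them must pass (OR).
CREATE POLICY perm3 ON documents AS PERMISSIVE FOR SELECT
    USING (owner_name = current_user);
CREATE POLICY perm4 ON documents AS PERMISSIVE FOR SELECT
    USING (is_public);

-- Effective filter for alice's SELECT:
--   restr1 AND restr2 AND (perm3 OR perm4)
SET ROLE alice;
SET app.department = 'eng';
SELECT id, owner_name, department, classified, is_public
FROM documents
ORDER BY id;
```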
