| From: | Thom Brown <thom(at)linux(dot)com> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, "Brightwell, Adam" <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Yeb Havinga <yeb(dot)havinga(at)portavita(dot)nl> |
| Subject: | Re: RLS Design |
| Date: | 2014-09-25 16:04:15 |
| Message-ID: | CAA-aLv7phXW+AvFN0q0pqHR_iG-b1642Y9ZdX-P_x+_uxWqYAA@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On 25 September 2014 15:26, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> I expected this to still trigger an error due to the first policy. Am
>> I to infer from this that the policy model is permissive rather than
>> restrictive?
>
> That's correct and I believe pretty clear in the documentation- policies
> are OR'd together, just the same as how roles are handled. As a
> logged-in user, you have the rights of all of the roles you are a member
> of (subject to inheiritance rules, of course), and similairly, you are
> able to view and add all rows which match any policy which applies to
> you (either through role membership or through different policies).
Okay, I see now. This is a mindset issue for me as I'm looking at
them like constraints rather than permissions. Thanks for the
explanation.
Thom
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2014-09-25 16:09:15 | Re: Immediate standby promotion |
| Previous Message | Andres Freund | 2014-09-25 16:01:08 | Re: jsonb format is pessimal for toast compression |