Request a Demo
Home   >   mailing lists

Re: Per-role disabling of LEAKPROOF requirements for row-level security? - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Per-role disabling of LEAKPROOF requirements for row-level security?
Date
Msg-id 531502.1750089546@sss.pgh.pa.us
Whole thread Raw
In response to Re: Per-role disabling of LEAKPROOF requirements for row-level security?  (Yugo Nagata <nagata@sraoss.co.jp>)
Responses Re: Per-role disabling of LEAKPROOF requirements for row-level security?
List pgsql-hackers
Tree view 
Yugo Nagata <nagata@sraoss.co.jp> writes:
> Andreas Lind <andreaslindpetersen@gmail.com> wrote:
>> I dug into the code and noticed that restrictinfo->leakproof is only
>> being checked in two places (createplan.c and equivclass.c), so it seems
>> fairly easy to only selectively enforce it. Then there's the question of
>> how to configure it. I can think of a few possible ways:
>>
>> 1) Add a BYPASSLEAKPROOF role attribute that can only be granted by a
>> superuser, similar to the BYPASSRLS flag.
>> 2) Add a session variable, eg. enable_security_leakproof, that can only
>> be set or granted to another role by a superuser.
>> 3) Make it a property of the individual POLICY that grants access to the
>> table. This would be a bit more granular than a global switch, but
>> there'd be some ambiguity when multiple policies are involved.

> I'm not sure whether multi-tenant applications fall into the category where
> LEAKPROOFness isn't considered important, since security is typically a key
> concern for users of such systems.

Yeah, ISTM that you might as well just disable the RLS policy as
ignore leakproofness, because it is completely trivial to examine
supposedly-hidden data if you can apply a non-leakproof function
to it.

So I like #3 the best.  We already have the ability to specify that
particular policies apply to just specific users, but it seems like
what you want here is the inverse: to be able to name specific users
that are exempt from a given policy.  (While that's not absolutely
essential, without it you might need very long and hard-to-maintain
lists of every-role-but-that-one.)  It doesn't seem to me to be
unreasonable to extend CREATE/ALTER POLICY in that direction.
Perhaps like

 CREATE POLICY name ON table_name
    [ AS { PERMISSIVE | RESTRICTIVE } ]
    [ FOR { ALL | SELECT | INSERT | UPDATE | DELETE } ]
    [ TO { role_name | PUBLIC | CURRENT_ROLE | CURRENT_USER | SESSION_USER } [, ...] ]
+   [ EXCEPT { role_name | PUBLIC | CURRENT_ROLE | CURRENT_USER | SESSION_USER } [, ...] ]
    [ USING ( using_expression ) ]
    [ WITH CHECK ( check_expression ) ]

(Not sure that EXCEPT PUBLIC is sensible; also we'd need a decision
about what to do if same role appears in both lists.)

            regards, tom lane

pgsql-hackers by date:

Previous
From: Konstantin Knizhnik
Date:
Subject: Re: Non-reproducible AIO failure
Next
From: Sergey Sargsyan
Date:
Subject: Re: Revisiting {CREATE INDEX, REINDEX} CONCURRENTLY improvements