Thread: RLS on catalog tables would be helpful
I have removed SELECT rights from the pg_proc.prosrc column so that I can hide the source code of stored functions. This is working OK, however I would really like to just hide certain functions via RLS. I understand that great damage could be done to the system catalog by allowing users to mess with them, however RLS seems to be a great idea in this case. Has this been thought about? Any plans to change in the future? I know that we could write certain functions in "c", and that their implementation source would be hidden....however that is not an option yet. We would desire the PL/pgSQL code of certain functions to be hidden ideally using RLS. Thanks.
On 03/02/2016 11:29 AM, Alan Droege wrote: > I have removed SELECT rights from the pg_proc.prosrc column so that > I can hide the source code of stored functions. This is working OK, > however I would really like to just hide certain functions via RLS. > I understand that great damage could be done to the system catalog by > allowing users to mess with them, however RLS seems to be a great > idea in this case. > > Has this been thought about? Any plans to change in the future? It has been discussed at some length and there is a specific implementation patch that has been proposed. See: http://www.postgresql.org/message-id/flat/CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com#CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com It would be good for you to add your thoughts on your use case and specific functionality you would require to that thread. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
Attachment
On 03/02/2016 11:37 AM, Joe Conway wrote: > http://www.postgresql.org/message-id/flat/CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com#CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com > > It would be good for you to add your thoughts on your use case and > specific functionality you would require to that thread. > > Joe > And how would one do that? (Not trying to be difficult, I really have no idea how to join a thread that I have no email archive for). JD -- Command Prompt, Inc. http://the.postgres.company/ +1-503-667-4564 PostgreSQL Centered full stack support, consulting and development. Everyone appreciates your honesty, until you are honest with them.
On 03/02/2016 11:53 AM, Joshua D. Drake wrote: > On 03/02/2016 11:37 AM, Joe Conway wrote: > >> http://www.postgresql.org/message-id/flat/CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com#CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com >> >> It would be good for you to add your thoughts on your use case and >> specific functionality you would require to that thread. > > And how would one do that? (Not trying to be difficult, I really have no > idea how to join a thread that I have no email archive for). I thought there was once a link somewhere on the mail archives to get a specific email resent, but for the life of me I cannot find it today :-/ However, if you view the raw message (there is a link for that on the archives), save it locally, and then open it in your email client, you can then hit "reply-all". HTH, Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
Attachment
On 03/02/2016 11:56 AM, Joe Conway wrote: > On 03/02/2016 11:53 AM, Joshua D. Drake wrote: >> On 03/02/2016 11:37 AM, Joe Conway wrote: >> >>> http://www.postgresql.org/message-id/flat/CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com#CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com >>> >>> It would be good for you to add your thoughts on your use case and >>> specific functionality you would require to that thread. >> >> And how would one do that? (Not trying to be difficult, I really have no >> idea how to join a thread that I have no email archive for). > > I thought there was once a link somewhere on the mail archives to get a > specific email resent, but for the life of me I cannot find it today :-/ If you go to a specific message in the archive there is a 'Mail this message' link at the bottom of the message that will mail to the user. I just tried it and it said it sent the message, though I have not received it. > > However, if you view the raw message (there is a link for that on the > archives), save it locally, and then open it in your email client, you > can then hit "reply-all". > > HTH, > > Joe > -- Adrian Klaver adrian.klaver@aklaver.com
Hi
2016-03-02 20:56 GMT+01:00 Joe Conway <mail@joeconway.com>:
On 03/02/2016 11:53 AM, Joshua D. Drake wrote:
> On 03/02/2016 11:37 AM, Joe Conway wrote:
>
>> http://www.postgresql.org/message-id/flat/CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com#CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com
>>
>> It would be good for you to add your thoughts on your use case and
>> specific functionality you would require to that thread.
>
> And how would one do that? (Not trying to be difficult, I really have no
> idea how to join a thread that I have no email archive for).
I thought there was once a link somewhere on the mail archives to get a
specific email resent, but for the life of me I cannot find it today :-/
Regards
Pavel
However, if you view the raw message (there is a link for that on the
archives), save it locally, and then open it in your email client, you
can then hit "reply-all".
HTH,
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
On 02/03/2016 20:56, Joe Conway wrote: > On 03/02/2016 11:53 AM, Joshua D. Drake wrote: >> On 03/02/2016 11:37 AM, Joe Conway wrote: >> >>> http://www.postgresql.org/message-id/flat/CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com#CA+Tgmoa=4vTi1Hb1HTA0+QbZLOjkpJBd5dKVw3zmP-kdWJER3w@mail.gmail.com >>> >>> It would be good for you to add your thoughts on your use case and >>> specific functionality you would require to that thread. >> >> And how would one do that? (Not trying to be difficult, I really have no >> idea how to join a thread that I have no email archive for). > > I thought there was once a link somewhere on the mail archives to get a > specific email resent, but for the life of me I cannot find it today :-/ > It's only available in majordomo AFAIK. For instance https://lists.postgresql.org/mj/mj_wwwusr?list=pgsql-hackers&brief=on&func=archive-get-part&extra=201602/753 once you log in you'll find the "Mail this message to..." link at bottom of the page. > However, if you view the raw message (there is a link for that on the > archives), save it locally, and then open it in your email client, you > can then hit "reply-all". > > HTH, > > Joe > -- Julien Rouhaud http://dalibo.com - http://dalibo.org
On 03/02/2016 12:14 PM, Julien Rouhaud wrote: > On 02/03/2016 20:56, Joe Conway wrote: >> I thought there was once a link somewhere on the mail archives to get a >> specific email resent, but for the life of me I cannot find it today :-/ >> > > It's only available in majordomo AFAIK. For instance > https://lists.postgresql.org/mj/mj_wwwusr?list=pgsql-hackers&brief=on&func=archive-get-part&extra=201602/753 > > once you log in you'll find the "Mail this message to..." link at bottom > of the page. > >> However, if you view the raw message (there is a link for that on the >> archives), save it locally, and then open it in your email client, you >> can then hit "reply-all". Ah, thanks to all the folks who answered with that -- I knew I had seen it somewhere. But in any case the raw message method I mentioned works too. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development