On 8/2/24 11:07, Tom Lane wrote:
Joe Conway <m...@joeconway.com> writes:
<dons flameproof suit>
Hmmm, and then have "leakproof_mode" = strict/lax/off where 'strict' is
current behavior, 'lax' allows the 'maybe's to get pushed down, and
'off' ignores the leakproof attribute entirely and pushes down anything
that merits being pushed?
</dons flameproof suit>
So in other words, we might as well just remove RLS.
Perhaps deciding where to draw the line for 'maybe' is too hard, but I
don't understand how you can say that in a general sense.
'strict' mode would provide the same guarantees as today. And even 'off'
has utility for cases where (1) no logins are allowed except for the app
(which is quite common in production environments) and no database
errors are propagated to the end client (again pretty standard best
practice); or (2) non-production environments, e.g. for testing or
debugging; or (3) use cases that utilize RLS as a notationally
convenient filtering mechanism and are not bothered by some leakage in
the worst case.
--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
