Hi,

On February 25, 2025 10:08:44 AM GMT+01:00, Damien Clochard 
<dam...@dalibo.info> wrote:
>So my first question is : Do you think it would be helpful to update the 
>SECURITY LABEL command documentation to clarify that security labels are not 
>concerned by object inheritance ?

Couldn't hurt.


>My second question is more open : do you think it would be worth adding a new 
>way to declare that a security label applies to an object and all its 
>inheritants ?  As I understand this would concern only roles and tables.
>
>Maybe a new optional `[ [WITH] INHERIT | NOINHERIT ]` syntax at the end of the 
>SECURITY LABEL command....
>
>Something like this :
>
>SECURITY LABEL FOR anon ON ROLE extern IS 'MASKED' WITH INHERIT;
>
>SECURITY LABEL FOR anon ON COLUMN people.name
>  IS 'MASKED WITH VALUE NULL'
>  WITH INHERIT;
>
>The default would be NOINHERIT and all extensions that rely on the current 
>behaviour would continue to work without any change.

I doubt that is viable. That'd mean we somehow need to teach the label 
infrastructure about all kinds of inheritance *and* make that recursive label 
collection fast. The caching right now uses generic infrastructure, it 
certainly couldn't with inheritance support. That'd be a fair bit of 
infrastructure.

Greetings, 

Andres 
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
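
The following query is an added example, not part of the original message or of any extension's code. It lists roles that are direct or indirect members of a role labelled by a given provider but carry no label of their own, which is the gap that arises because labels do not follow inheritance. The provider name `anon` is taken from the proposal quoted above; the query follows every membership in `pg_auth_members` regardless of the INHERIT setting, which is an assumption of this sketch.

```sql
-- Added example: audit role membership against security labels.
-- Assumption: the label provider is named 'anon', as in the quoted proposal.
WITH RECURSIVE members AS (
    -- Start from roles that carry their own label from the provider.
    SELECT l.objoid AS labelled_role,
           l.objoid AS member,
           l.label
    FROM pg_shseclabel l
    WHERE l.classoid = 'pg_authid'::regclass
      AND l.provider = 'anon'
  UNION
    -- Walk down: every role that is a direct or indirect member.
    SELECT m.labelled_role,
           am.member,
           m.label
    FROM members m
    JOIN pg_auth_members am ON am.roleid = m.member
)
SELECT lr.rolname AS labelled_role,
       m.label,
       mr.rolname AS member_without_label
FROM members m
JOIN pg_roles lr ON lr.oid = m.labelled_role
JOIN pg_roles mr ON mr.oid = m.member
WHERE m.member <> m.labelled_role
  -- Keep only members that have no label of their own from this provider.
  AND NOT EXISTS (
        SELECT 1
        FROM pg_shseclabel own
        WHERE own.objoid   = m.member
          AND own.classoid = 'pg_authid'::regclass
          AND own.provider = 'anon')
ORDER BY labelled_role, member_without_label;
```

Each returned row is a role that would need its own explicit SECURITY LABEL to be treated the same way as the role it is a member of.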