On 06/11/2014 02:19 AM, Tom Lane wrote: > Hm ... I'm not following why we'd need a special case for superusers and > not anyone else? Seems like any useful RLS scheme is going to require > more privilege levels than just superuser and not-superuser.
What it really needs is to invalidate plans when switching between RLS-enabled and RLS-exempt users, yes. I'm sure we'll want an "RLS exempt" right or mode sooner rather than later, so I'm against tying this explicitly to superuser as such. I wouldn't be surprised to see SET ROW SECURITY ON|OFF down the track, with a right controlling whether you can or not. Or at least, a right that directly exempts a user from row security. > Could we put the "if superuser then ok" test into the RLS condition test > and thereby not need more than one plan at all? Only if we put it in another level of security barrier subquery, because otherwise the planner might execute the other quals (including possible user defined functions) before the superuser test. Which was the whole reason for the superuser test in the first place. -- Craig Ringer http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
