($INBOX_DIR/description missing)  
help / color / mirror / Atom feed
From: Pierre Ducroquet <[email protected]>
Subject: [PATCH] Document some of the row-level security limitations
Date: Thu, 21 Feb 2019 15:46:59 +0100

RLS relies a lot on marking functions (and thus operators) LEAKPROOF.
The current policy in PostgreSQL is extremely strict, not allowing
functions that could, for instance, leak the input size through a
malloc() call. While strong on the security side, this policy has
side effects that are not documented currently and make RLS much
harder to implement than simply adding policies on the tables.
---
 doc/src/sgml/ref/create_policy.sgml | 30 ++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/doc/src/sgml/ref/create_policy.sgml b/doc/src/sgml/ref/create_policy.sgml
index 2e1229c4f9..372b2935ea 100644
--- a/doc/src/sgml/ref/create_policy.sgml
+++ b/doc/src/sgml/ref/create_policy.sgml
@@ -595,7 +595,35 @@ AND
    user-defined functions which might not be trustworthy.  However,
    functions and operators marked by the system (or the system
    administrator) as <literal>LEAKPROOF</literal> may be evaluated before
-   policy expressions, as they are assumed to be trustworthy.
+   policy expressions, as they are assumed to be trustworthy. Please note that
+   marking functions as <literal>LEAKPROOF</literal> on the default pg_catalog
+   is done very carefully, thus preventing at least the following features to 
+   work or to achieve the usually expected level of performance in default 
+   settings:
+
+   <itemizedlist>
+    <listitem>
+     <para>
+      for the following types, most operators and functions are not marked
+      as <literal>LEAKPROOF</literal>: arrays, enums, ranges
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      full-text search: operators and functions are not
+      <literal>LEAKPROOF</literal>,
+     </para>
+    </listitem>
+    <listitem>
+     <para>
+      functional indexes on non-<literal>leakproof</literal> functions are not
+      considered when executing queries and enforcing policies.
+     </para>
+    </listitem>
+   </itemizedlist>
+
+   Any query using these features on a table with a policy can not use 
+   indexes other than the ones required to enforce the policy.
   </para>
 
   <para>
-- 
2.20.1


--nextPart2757171.vFQqL4fXcZ--







view thread (81+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected]
  Subject: Re: [PATCH] Document some of the row-level security limitations
  In-Reply-To: <no-message-id-1883514@localhost>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox