($INBOX_DIR/description missing)
help / color / mirror / Atom feedFrom: Pierre Ducroquet <[email protected]>
Subject: [PATCH] Document some of the row-level security limitations
Date: Thu, 21 Feb 2019 15:46:59 +0100
RLS relies a lot on marking functions (and thus operators) LEAKPROOF.
The current policy in PostgreSQL is extremely strict, not allowing
functions that could, for instance, leak the input size through a
malloc() call. While strong on the security side, this policy has
side effects that are not documented currently and make RLS much
harder to implement than simply adding policies on the tables.
---
doc/src/sgml/ref/create_policy.sgml | 30 ++++++++++++++++++++++++++++-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/doc/src/sgml/ref/create_policy.sgml b/doc/src/sgml/ref/create_policy.sgml
index 2e1229c4f9..372b2935ea 100644
--- a/doc/src/sgml/ref/create_policy.sgml
+++ b/doc/src/sgml/ref/create_policy.sgml
@@ -595,7 +595,35 @@ AND
user-defined functions which might not be trustworthy. However,
functions and operators marked by the system (or the system
administrator) as <literal>LEAKPROOF</literal> may be evaluated before
- policy expressions, as they are assumed to be trustworthy.
+ policy expressions, as they are assumed to be trustworthy. Please note that
+ marking functions as <literal>LEAKPROOF</literal> on the default pg_catalog
+ is done very carefully, thus preventing at least the following features to
+ work or to achieve the usually expected level of performance in default
+ settings:
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ for the following types, most operators and functions are not marked
+ as <literal>LEAKPROOF</literal>: arrays, enums, ranges
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ full-text search: operators and functions are not
+ <literal>LEAKPROOF</literal>,
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ functional indexes on non-<literal>leakproof</literal> functions are not
+ considered when executing queries and enforcing policies.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ Any query using these features on a table with a policy can not use
+ indexes other than the ones required to enforce the policy.
</para>
<para>
--
2.20.1
--nextPart2757171.vFQqL4fXcZ--
view thread (81+ messages) latest in thread
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected]
Subject: Re: [PATCH] Document some of the row-level security limitations
In-Reply-To: <no-message-id-1883514@localhost>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox