Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtp (Exim 4.84_2)
	(envelope-from
 <pgsql-performance-owner+M55536=pgsql-performance-ar@postgresql.org>)
	id 1e4Yj6-0006fX-La
	for pgsql-performance@arkaria.postgresql.org; Tue, 17 Oct 2017 20:44:36 +0000
Received: from localhost ([127.0.0.1] helo=postgresql.org)
	by malur.postgresql.org with smtp (Exim 4.84_2)
	(envelope-from
 <pgsql-performance-owner+M55536=pgsql-performance-ar@postgresql.org>)
	id 1e4Yj5-00035q-Ja
	for pgsql-performance@arkaria.postgresql.org; Tue, 17 Oct 2017 20:44:35 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256)
	(Exim 4.84_2)
	(envelope-from <jwcarlson@lbl.gov>)
	id 1e4Yj5-00035a-3c
	for pgsql-performance@postgresql.org; Tue, 17 Oct 2017 20:44:35 +0000
Received: from fe3.lbl.gov ([128.3.41.68])
	by magus.postgresql.org with esmtp (Exim 4.84_2)
	(envelope-from <jwcarlson@lbl.gov>)
	id 1e4Yj1-0006Yw-2p
	for pgsql-performance@postgresql.org; Tue, 17 Oct 2017 20:44:33 +0000
X-Ironport-SBRS: 2.7
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2FyDgC/auZZf8fAVdFcHQEFAQsBGAEFA?=
 =?us-ascii?q?QsBgwYChh+KIY81mCyCEwqKKUoNAQEBAQEBAQEBAQECEAEBCQsLCCYxgjgkgms?=
 =?us-ascii?q?VQDYCBRYLAgsDAgECASIBBQEvCAEBiAGCGAWde0CMDIIniyAyCQEIfYIfggeMN?=
 =?us-ascii?q?4JHgmEFih6HKoERhg2IZYFulwWHTRGHMpVDAgQCBAUCBhQkgRVNgWQqDB8rgz2?=
 =?us-ascii?q?DEIFui1QBAQE?=
X-IronPort-AV: E=Sophos;i="5.43,392,1503385200";
   d="scan'208,217";a="93153624"
Received: from mail-pf0-f199.google.com ([209.85.192.199])
  by fe3.lbl.gov with ESMTP; 17 Oct 2017 13:44:27 -0700
Received: by mail-pf0-f199.google.com with SMTP id u27so1964481pfg.12
        for <pgsql-performance@postgresql.org>;
 Tue, 17 Oct 2017 13:44:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:subject:message-id:date:user-agent
         :mime-version:content-transfer-encoding;
        bh=DSSyIlQYnHqfXOJyycB6PgBJNnGx4rEfj7kXKZuW+KU=;
        b=iwFuIYwYm3RgFhJe9ZlUw3g6owlIR7mzTBAbHQHioOpAiSzn6Qk+xJ4f4cLMvGYzZl
         ewzL8s2M4dVQGOV3QNVEGlJrB0CWyrH9esoo7B1mCeL775yG4/ilhsy9AwvZrocjt5GB
         RwlcqKjOedPIuN89bzgRhgGeYR2D3JSM6A7KUnKB9jt6r2Srt/bJ8DYYbZhnnVssnoXP
         xSewW1IZ2kwPfpfBRD+6mMPApiaeUMWC+c4PP4uwxHiXAeDwPViVhWHIsFYHLX4wbrJI
         aHAtOVvW4VVlqew9Tqqbv1yfrPACgKARhegu8iUU7Afy2PnPHApQdvPFXYgoDTBQlDt4
         WtWQ==
X-Gm-Message-State: AMCzsaWv7A0FNWUkwZQn7HQA23ajm0F2p5ssPRxGkYKkRNHeOzFh/pLn
	gkXbgxA0mPoKdFcJH1zJLj7Ykorf+cGM77SnHoBACaRjnsLJdCpn0/4k2GtnqtUfgcuH8DvuzB6
	jDIFxAABCVZEQXbVC763sd8H5P9Xwo9E=
X-Received: by 10.84.133.164 with SMTP id f33mr12894269plf.73.1508273067072;
        Tue, 17 Oct 2017 13:44:27 -0700 (PDT)
X-Google-Smtp-Source: 
 AOwi7QDvlne12zitb8GdBVyhaBybFDG94yfhS5hNiJ+X3HYXuVclX/qjWQaESl2HJvCAtFNPKKAL4A==
X-Received: by 10.84.133.164 with SMTP id f33mr12894258plf.73.1508273066751;
        Tue, 17 Oct 2017 13:44:26 -0700 (PDT)
Received: from [128.3.91.2] (jwcarls-dl.dhcp.lbl.gov. [128.3.91.2])
        by smtp.gmail.com with ESMTPSA id
 s9sm19488251pgc.18.2017.10.17.13.44.25
        for <pgsql-performance@postgresql.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 17 Oct 2017 13:44:26 -0700 (PDT)
From: Joe Carlson <jwcarlson@lbl.gov>
X-Google-Original-From: Joe Carlson <JWCarlson@lbl.gov>
To: pgsql-performance@postgresql.org
Subject: Row level security policy policy versus SQL constraints. Any
 performance difference?
Message-ID: <59E66BA8.6060009@lbl.gov>
Date: Tue, 17 Oct 2017 13:44:24 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101
 Thunderbird/38.6.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
List-Archive: <http://archives.postgresql.org/pgsql-performance>
List-Help: <mailto:majordomo@postgresql.org?body=help>
List-ID: <pgsql-performance.postgresql.org>
List-Owner: <mailto:pgsql-performance-owner@postgresql.org>
List-Post: <mailto:pgsql-performance@postgresql.org>
List-Subscribe: <mailto:majordomo@postgresql.org?body=sub%20pgsql-performance>
List-Unsubscribe: 
 <mailto:majordomo@postgresql.org?body=unsub%20pgsql-performance>
X-Mailing-List: pgsql-performance
Precedence: bulk
Sender: pgsql-performance-owner@postgresql.org

Hello.

I have not used row level security policies in the past but am 
considering using them for a project in which I would like to restrict 
the set returned in a query based on specific fields. This is more as a 
convenience issue (for me) rather than a security issue.

What I was wondering is what is the performance differences between a 
row level security implementation:

CREATE POLICY <policy name> ON <table> TO <role> USING 
(<field>=ANY(<values>));
<series of selects>
DROP POLICY <policy name>

and an implementation where I add on the constraints as part of each 
select statement:

SELECT <whatever> FROM <table> WHERE <constraints> AND <field>=ANY(<values>)

In my (admittedly small) number of EXPLAINs I've looked at, it appears 
that the policy logic is added to the SELECT statement as a constraint. 
So I would not expect any fundamental performance difference in the 2 
different forms.

Is this true? Or is there some extra behind-the-scenes things to be 
aware of? Can there be excessive overhead from the CREATE/DROP POLICY 
statements?

Thanks,

Joe


-- 
Sent via pgsql-performance mailing list (pgsql-performance@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-performance