Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e4aEF-0003WJ-H3 for pgsql-performance@arkaria.postgresql.org; Tue, 17 Oct 2017 22:20:51 +0000 Received: from localhost ([127.0.0.1] helo=postgresql.org) by malur.postgresql.org with smtp (Exim 4.84_2) (envelope-from ) id 1e4aEE-0002gv-Tu for pgsql-performance@arkaria.postgresql.org; Tue, 17 Oct 2017 22:20:50 +0000 Received: from makus.postgresql.org ([2001:4800:1501:1::229]) by malur.postgresql.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_CBC_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1e4aCQ-0007wA-Uo for pgsql-performance@postgresql.org; Tue, 17 Oct 2017 22:18:59 +0000 Received: from fe4.lbl.gov ([128.3.41.71]) by makus.postgresql.org with esmtp (Exim 4.84_2) (envelope-from ) id 1e4aCL-0005Y8-Ns for pgsql-performance@postgresql.org; Tue, 17 Oct 2017 22:18:57 +0000 X-Ironport-SBRS: 2.7 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2EBCgDbgOZZf0hTfUpdGgEBAQECAQEBA?= =?us-ascii?q?QgBAQEBFQEBAQECAQEBAQgBAQEBgwiCJY4bjzWBeJY0ghMKhTsChGxKDQEBAQE?= =?us-ascii?q?BAQEBAQEBAhABAQkLCwgmMYI4JAGCQQEFOEABEAsOCgkWDwkDAgECASIBBQEcB?= =?us-ascii?q?gEMBgIBAYgBghgFnXFAjjOLOQEBAQEBAQEBAQEBAQEBAQEiCQEIgxyCB4Zmink?= =?us-ascii?q?BBJJZhg2IZYtBlH8RhzKVQwIEAgQFAgYUJIEVTYFkKgwfK4M8gxGBblaKbAEBA?= =?us-ascii?q?Q?= X-IronPort-AV: E=Sophos;i="5.43,392,1503385200"; d="scan'208";a="892531" Received: from mail-pg0-f72.google.com ([74.125.83.72]) by fe4.lbl.gov with ESMTP; 17 Oct 2017 15:18:51 -0700 Received: by mail-pg0-f72.google.com with SMTP id 15so2459443pgc.21 for ; Tue, 17 Oct 2017 15:18:51 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:references:cc:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=SqqFk0NfNIE/Ol6j3KhGrFR+8m0eRAJiLQkWwUkppXo=; b=mTwgGHTx8F7ztGL4UxhX8h1+R999NyzwIQBwTO9BdgA1W5IHV/zc5zbg/FBB+lBqtn tF6rSmQ37xTnjtItUIMbFETC4ecq6U+PZSl+lDATnu1M21QeDHW66ern3Ux45MpEIYaZ qeG7RAcPQx56CIMMuMWyfH0Kn93k8v5l0Kbt1Xe5P13PXyUmcqidQQIxeRYIpcDgXPxl vCfb8y4lmtPTzUlo3mUXtmJwIhBTu1f/cQADB5hVzr/eoCGUMuO2S91yS4tCOPkn1U3F 37N1KCRJ5S1E7JBZpLVT17NA86GodyCLqBVgmc1E6NcefyPHuHMf4V2mnIUBhAsdXviJ PjmA== X-Gm-Message-State: AMCzsaVxFConrjOrE77vdkZJx3gYzln27G6JtDNDVw7HEo0Gc/KIu+Fi MSdJ1EV/NtjQkhlKZtj0upsWCxeAvoG42LF+rpRHZH+gj/ZsC+WswgNm3WRaKIWrUkxqYY8LXkn WBcYc82lYA7g+TI3slqXYxNahX24Sd2E= X-Received: by 10.84.143.195 with SMTP id 61mr8166534plz.357.1508278730988; Tue, 17 Oct 2017 15:18:50 -0700 (PDT) X-Google-Smtp-Source: ABhQp+SC+kklOamuXTwC+R7lml5VnI1wZ6/rwMWsa+RcvMM1MsA1PSlNxt0rkNBfGc5h10p3+mV+jw== X-Received: by 10.84.143.195 with SMTP id 61mr8166516plz.357.1508278730654; Tue, 17 Oct 2017 15:18:50 -0700 (PDT) Received: from [128.3.91.2] (jwcarls-dl.dhcp.lbl.gov. [128.3.91.2]) by smtp.gmail.com with ESMTPSA id f2sm4313655pgt.75.2017.10.17.15.18.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Oct 2017 15:18:49 -0700 (PDT) From: Joe Carlson X-Google-Original-From: Joe Carlson Subject: Re: Row level security policy policy versus SQL constraints. Any performance difference? To: Tom Lane , Tomas Vondra References: <59E66BA8.6060009@lbl.gov> <993c32d2-1389-66aa-1368-ca44de370a3a@2ndquadrant.com> <14730.1508278004@sss.pgh.pa.us> Cc: pgsql-performance@postgresql.org Message-ID: <59E681C9.7050709@lbl.gov> Date: Tue, 17 Oct 2017 15:18:49 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <14730.1508278004@sss.pgh.pa.us> Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit List-Archive: List-Help: List-ID: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: X-Mailing-List: pgsql-performance Precedence: bulk Sender: pgsql-performance-owner@postgresql.org Thanks for your suggestions. I had pretty much given up on this idea. At first, I had thought there would only be 2 or 3 different constraint cases to consider. I had thought of using distinct credentials for my connection and using RLS to give different cuts on the same table. The different policies could be established in advance and never touched. But then it became clear that I actually would need a very large number of different restrictions on the tables - too many to create in advance. At this point it's easiest to apply constraints on each select rather than apply a policy every time. Thanks, Joe On 10/17/2017 03:06 PM, Tom Lane wrote: > Tomas Vondra writes: >> On 10/17/2017 10:44 PM, Joe Carlson wrote: >>> What I was wondering is what is the performance differences between a >>> row level security implementation: >>> ... >>> and an implementation where I add on the constraints as part of each >>> select statement: >> The main point of the RLS is enforcing an order in which the conditions >> are evaluated. > Yeah. Because of that, I would *not* recommend RLS if you can equally > well stick the equivalent conditions into your queries. There is way > too much risk of taking a serious performance hit due to a bad plan. > > An alternative you might consider, if simplifying the input queries > is useful, is to put the fixed conditions into a view and query the > view instead. That way there's not an enforced evaluation order. > > regards, tom lane -- Sent via pgsql-performance mailing list (pgsql-performance@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-performance