Josh Berkus writes:
On 08/30/2013 12:43 PM, Tom Lane wrote:
In short, "we can check some check-box" is a really, really bad reason
to accept a security-related feature. If we're going to put up with
all the downsides of RLS, I want the end result to be something that's
actually secure, not something that gives the illusion of security.
Can you be more explicit about "all the downsides of RLS"? I was just
looking over the patch, which is less than 5000 lines. While it's not
small, we have larger patches in the CF. So what's the specific
downsides of this?
I think it's going to be an ongoing maintenance headache and an endless
source of security bugs, even disregarding covert-channel issues. I have
pretty much zero faith in the planner changes, in particular, and would
still not have a lot if they were adequately documented, which they
absolutely are not. The whole thing depends on nowhere-clearly-stated
assumptions that plan-time transformations will never allow an RLS check
to be bypassed. I foresee future planner work breaking this in
non-obvious ways on a regular basis (even granting the assumption that
it's bulletproof today, which is at best unproven).
The reason I brought up multi-tenant applications ("MTA"), BTW, is that
this is the other major potential utility of RLS, and for such users the
covert channel limitations are acceptable (as long as we publish them).
[ shrug... ] You might've noticed I work for a multi-tenant shop now.
I'm still not excited about this.
That is, if RLS is your *second* level of defense, instead of your
primary defense, covert channels are not a make-or-break issue. It just
has to be better than what we had before.
Yeah, that's a fair point. I'm just not convinced that it's enough better
to justify the maintenance burden we'll be taking on. I'm not thrilled
about the "every bug is a security bug" angle, either.

    regards, tom lane

Search Discussions

Discussion Posts


Follow ups

Related Discussions



site design / logo © 2018 Grokbase