Robert Haas wrote:
> >> IANAC, but that's my impression too. The simplified patch shouldn't
> >> assume that row-level security in its current form is going to end up
> >> getting put back in. AFAICS, there's no reason why the security ID
> >> for tables can't be a regular attribute in pg_class, or why the
> >> security attribute for columns can't be a regular attribute in
> >> pg_attribute.
> >
> > If it is "identifier", it can be compoundable.
> >
> > I dislike it is held as "text". It fundamentaly breaks SE-PostgreSQL's
> > architecture, and requires to scrap near future.
>
> I think the column in pg_attribute and pg_class can and should be an
> OID. The issue is whether it's a regular OID column or a new system
> column. Stephen and I are saying it should be a regular column.
> pg_security can stick around to map OIDs to text labels.
Why an OID? We store acl items now without a lookup table; I think
there will be at most the same number of SE-Linux entries. Also, by
using text we avoid the problem of cleaning out unreferenced pg_security
rows, improve performance (no lookups), and simplify the code.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +