Re: Multi-tenancy with RLS

From Stephen Frost
Subject Re: Multi-tenancy with RLS
Date
Msg-id 20160115163821.GY3685@tamriel.snowman.net
In reply to Re: Multi-tenancy with RLS  (Tom Lane <tgl@sss.pgh.pa.us>)
Replies Re: Multi-tenancy with RLS  (Tom Lane <tgl@sss.pgh.pa.us>)
List pgsql-hackers
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Stephen Frost <sfrost@snowman.net> writes:
> > * Tom Lane (tgl@sss.pgh.pa.us) wrote:
> >> However, by "not that much trouble" I only mean getting an implementation
> >> that works and doesn't create more security problems than it fixes.
> >> Usability is still likely to be a huge problem.  In particular it seems
> >> likely that any attempt to actually put RLS policies on the catalogs would
> >> completely destroy the ability to run pg_dump except as a BYPASSRLS role.
> >> That would be an unpleasant consequence.
>
> > I don't follow how this would destroy the ability to run pg_dump.
> > Ideally, we'd have a result where a user could run pg_dump without
> > having to apply any filters of their own and they'd get a dump of all
> > objects they're allowed to see.
>
> You mean, other than the fact that pg_dump sets row_security = off
> to ensure that what it's seeing *isn't* filtered.

There's a specific option to turn it back on already though.  This
wouldn't change that.

> The bigger picture here is that I do not think that you can just
> arbitrarily exclude non-owned objects from its view and still expect to
> get a valid dump; that will break dependency chains for example, possibly
> leading to stuff getting output in an order that doesn't restore.

We already have that issue when users select to dump out specific
schemas, I don't see this as being any different.  The idea behind
multi-tenancy is, generally speaking, you don't see or have any
references or dependencies with what other people have.  In those cases,
there won't be any dependencies to objects that you can't see.

Thanks!

Stephen
