Josh Berkus wrote:
> KaiGai,
>
>> It provides database users fine grained mandatory access control
>> including row and column level one, and integration with operating
>> system security policy.
>
> Column level? We don't currently support that, except through VIEWs.
> How is it implemented?

PGACE provides a hook just after the query rewriting phase.
SE-PostgreSQL walks the query tree to check any required references
to columns, as the implementation of the hook.
If a client does not have enough permissions on the column,
SE-PostgreSQL aborts the current transaction via ereport().

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
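
A toy model of the check described in the message above, added here as an illustration; it is not SE-PostgreSQL or PGACE code, and the Node/Query types, the policy table and the sample trees are hypothetical. It walks both the select list and the WHERE tree, so a denied column is caught even when it is only used in a condition.

```c
/* Added toy model, not SE-PostgreSQL source; all names here are hypothetical. */
#include <stdio.h>
#include <string.h>
typedef struct Node {
    const char *table, *column;       /* non-NULL for a column reference */
    const struct Node *left, *right;  /* children of an operator node */
} Node;

typedef struct { const Node *target, *where; } Query;
/* Constructed policy: columns the current client may not reference. */
static const char *const denied[][2] = { { "customer", "credit_card" } };
static int column_allowed(const Node *n) {
    for (size_t i = 0; i < sizeof denied / sizeof denied[0]; i++)
        if (!strcmp(denied[i][0], n->table) && !strcmp(denied[i][1], n->column))
            return 0;
    return 1;
}

/* Depth-first walk; returns the first denied column reference, or NULL. */
static const Node *walk(const Node *n) {
    if (n == NULL) return NULL;
    if (n->table != NULL) return column_allowed(n) ? NULL : n;
    const Node *hit = walk(n->left);
    return hit ? hit : walk(n->right);
}

/* Hook stand-in: NULL = proceed; a name = where the real system calls ereport(). */
const char *check_query(const Query *q) {
    const Node *hit = walk(q->target);
    if (hit == NULL) hit = walk(q->where);   /* quals reference columns too */
    return hit ? hit->column : NULL;
}

/* Constructed sample trees for a "customer" table. */
static const Node name_col = { "customer", "name", NULL, NULL };
static const Node id_col = { "customer", "id", NULL, NULL };
static const Node card_col = { "customer", "credit_card", NULL, NULL };
static const Node literal = { NULL, NULL, NULL, NULL };
static const Node id_eq = { NULL, NULL, &id_col, &literal };
static const Node card_eq = { NULL, NULL, &card_col, &literal };
const Query q_ok = { &name_col, &id_eq };       /* SELECT name WHERE id = ... */
const Query q_where = { &name_col, &card_eq };  /* SELECT name WHERE credit_card = ... */

int main(void) {
    const char *hit = check_query(&q_where);
    printf("q_ok: %s\n", check_query(&q_ok) ? "denied" : "allowed");
    printf("q_where: %s\n", hit ? hit : "allowed");
    return 0;
}
```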