On 17 December 2013 17:03, Robert Haas <robertmhaas@gmail.com> wrote:
> On Mon, Dec 16, 2013 at 3:12 PM, Gregory Smith <gregsmithpgsql@gmail.com> wrote:
>> On 12/16/13 9:36 AM, Craig Ringer wrote:
>>>
>>> - Finish and commit updatable security barrier views. I've still got a
>>> lot of straightening out to do there.
>>
>> I don't follow why you've put this part first. It has a lot of new
>> development and the risks that go along with that, but the POC projects I've
>> been testing are more interested in the view side issues.
>
> I don't really see a way that any of this can work without that. To
> be clear, that work is required even just for read-side security.
Not sure I'd say required, but its certainly desirable to have
updateable security barrier views in themselves. And it comes across
to me as a cleaner and potentially more performant way of doing the
security checks for RLS. So I think its the right thing to do to wait
for this, even if we can't do that for 9.4
Realistically, we have a significant amount of work before we're ready
to pass a high security audit based around these features.
-- Simon Riggs http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training & Services