Re: Security Label Inheritance
From | Andres Freund |
---|---|
Subject | Re: Security Label Inheritance |
Date | |
Msg-id | E715622A-04DE-49E3-A7F2-2E68067ACFEF@anarazel.de |
In response to | Security Label Inheritance (Damien Clochard <damien@dalibo.info>) |
List | pgsql-hackers |

Hi,

On February 25, 2025 10:08:44 AM GMT+01:00, Damien Clochard <damien@dalibo.info> wrote:
>So my first question is : Do you think it would be helpful to update the SECURITY LABEL command documentation to clarify that security labels are not concerned by object inheritance ?

Couldn't hurt.

>My second question is more open : do you think it would be worth adding a new way to declare that a security label applies to an object and all its inheritants ? As I understand this would concern only roles and tables.
>
>Maybe a new optional `[ [WITH] INHERIT | NOINHERIT ]` syntax at the end of the SECURITY LABEL command....
>
>Something like this :
>
>SECURITY LABEL FOR anon ON ROLE extern IS 'MASKED' WITH INHERIT;
>
>SECURITY LABEL FOR anon ON COLUMN people.name
>  IS 'MASKED WITH VALUE NULL'
>  WITH INHERIT;
>
>The default would be NOINHERIT and all extensions that rely on the current behaviour would continue to work without any change.

I doubt that is viable. That'd mean we somehow need to teach the label infrastructure about all kinds of inheritance *and* make that recursive label collection fast. The caching right now uses generic infrastructure, it certainly couldn't with inheritance support. That'd be a fair bit of infrastructure.

Greetings,

Andres
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.