Re: Multi-tenancy with RLS

From Tom Lane
Subject Re: Multi-tenancy with RLS
Date
Msg-id 21659.1452875695@sss.pgh.pa.us
In reply to Re: Multi-tenancy with RLS  (Stephen Frost <sfrost@snowman.net>)
Replies Re: Multi-tenancy with RLS  (Stephen Frost <sfrost@snowman.net>)
List pgsql-hackers
Stephen Frost <sfrost@snowman.net> writes:
> * Tom Lane (tgl@sss.pgh.pa.us) wrote:
>> However, by "not that much trouble" I only mean getting an implementation
>> that works and doesn't create more security problems than it fixes.
>> Usability is still likely to be a huge problem.  In particular it seems
>> likely that any attempt to actually put RLS policies on the catalogs would
>> completely destroy the ability to run pg_dump except as a BYPASSRLS role.
>> That would be an unpleasant consequence.

> I don't follow how this would destroy the ability to run pg_dump.
> Ideally, we'd have a result where a user could run pg_dump without
> having to apply any filters of their own and they'd get a dump of all
> objects they're allowed to see.

You mean, other than the fact that pg_dump sets row_security = off
to ensure that what it's seeing *isn't* filtered.

The bigger picture here is that I do not think that you can just
arbitrarily exclude non-owned objects from its view and still expect to
get a valid dump; that will break dependency chains for example, possibly
leading to stuff getting output in an order that doesn't restore.
        regards, tom lane
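
The `row_security = off` behaviour referred to in the message above, as an added example that is not part of the original message or of pg_dump's code. The table, role and policy names (`tenant_docs`, `tenant_a`, `tenant_isolation`) and the rows are constructed for illustration; the script assumes a superuser session on PostgreSQL 9.5 or later.

```sql
-- Constructed schema: one table shared by several tenants.
CREATE ROLE tenant_a;
CREATE TABLE tenant_docs (
    id     int  PRIMARY KEY,
    tenant text NOT NULL,
    body   text
);
INSERT INTO tenant_docs VALUES
    (1, 'tenant_a', 'visible to tenant_a'),
    (2, 'tenant_b', 'belongs to another tenant');

-- Restrict each role to its own rows.
ALTER TABLE tenant_docs ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON tenant_docs
    USING (tenant = current_user);
GRANT SELECT ON tenant_docs TO tenant_a;

-- Act as a role that neither owns the table nor has BYPASSRLS.
SET ROLE tenant_a;

-- Default setting: the policy is applied silently and the
-- result set contains only the rows the policy allows.
SET row_security = on;
SELECT id, tenant FROM tenant_docs;

-- The setting pg_dump uses: a query that a policy would filter
-- is rejected with an error instead of returning a partial result.
SET row_security = off;
SELECT id, tenant FROM tenant_docs;

-- Return to the superuser session and clean up.
RESET row_security;
RESET ROLE;
DROP TABLE tenant_docs;
DROP ROLE tenant_a;
```

With `row_security = off` a reader of the table either sees every row or gets an error, never a silently filtered subset. pg_dump's `--enable-row-security` option switches it to `row_security = on` when a filtered dump of table contents is what is wanted.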


