Improve qual pushdown for RLS and SB views

Enterprise / PostgreSQL - Stephen Frost [snowman.net] - 27 April 2015 11:29 UTC

The original security barrier view implementation, on which RLS is built, prevented all non-leakproof functions from being pushed down to below the view, even when the function was not receiving any data from the view. This optimization improves on that situation by, instead of checking strictly for non-leakproof functions, it checks for Vars being passed to non-leakproof functions and allows functions which do not accept arguments or whose arguments are not from the current query level (eg: constants can be particularly useful) to be pushed down.

As discussed, this does mean that a function which is pushed down might gain some idea that there are rows meeting a certain criteria based on the number of times the function is called, but this isn't a particularly new issue and the documentation in rules.sgml already addressed similar covert-channel risks. That documentation is updated to reflect that non-leakproof functions may be pushed down now, if they meet the above-described criteria.

Author: Dean Rasheed, with a bit of rework to make things clearer, along with comment and documentation updates from me.

dcbf594 Improve qual pushdown for RLS and SB views
doc/src/sgml/rules.sgml | 11 +-
src/backend/optimizer/path/allpaths.c | 6 +-
src/backend/optimizer/util/clauses.c | 96 +++++++++++++-----
src/include/optimizer/clauses.h | 2 +-
.../test_rls_hooks/expected/test_rls_hooks.out | 12 +--
src/test/regress/expected/rowsecurity.out | 106 ++++++++++++++++++++
src/test/regress/expected/select_views.out | 46 +++++++++
src/test/regress/expected/select_views_1.out | 46 +++++++++
src/test/regress/sql/rowsecurity.sql | 20 ++++
src/test/regress/sql/select_views.sql | 14 +++
10 files changed, 320 insertions(+), 39 deletions(-)

Upstream: git.postgresql.org


  • Share