path: root/src/backend/optimizer/path/allpaths.c
author: Stephen Frost <sfrost@snowman.net> 2015-04-27 12:29:42 -0400
committer: Stephen Frost <sfrost@snowman.net> 2015-04-27 12:29:42 -0400
commit: dcbf5948e12aa60b4d6ab65b6445897dfc971e01
tree: 1409202a08f721acea729ed7851ad69130cdc469 /src/backend/optimizer/path/allpaths.c
parent: 06ca28d5ab2f810ef25e718e0d71f2233542c151
Improve qual pushdown for RLS and SB views

The original security barrier view implementation, on which RLS is built, prevented all non-leakproof functions from being pushed down to below the view, even when the function was not receiving any data from the view. This optimization improves on that situation by, instead of checking strictly for non-leakproof functions, it checks for Vars being passed to non-leakproof functions and allows functions which do not accept arguments or whose arguments are not from the current query level (eg: constants can be particularly useful) to be pushed down.

As discussed, this does mean that a function which is pushed down might gain some idea that there are rows meeting a certain criteria based on the number of times the function is called, but this isn't a particularly new issue and the documentation in rules.sgml already addressed similar covert-channel risks. That documentation is updated to reflect that non-leakproof functions may be pushed down now, if they meet the above-described criteria.

Author: Dean Rasheed, with a bit of rework to make things clearer, along with comment and documentation updates from me.
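
The distinction drawn in the commit message, as an added example that is not part of the commit or of the PostgreSQL source: on a server that includes this change, EXPLAIN shows whether a qual is evaluated above a security barrier view or inside it. The table, view and function names are hypothetical and the rows are constructed.

```sql
-- Constructed sample data; all object names here are hypothetical.
CREATE TABLE accounts (
    id         int PRIMARY KEY,
    acct_owner text NOT NULL,
    balance    numeric NOT NULL
);
INSERT INTO accounts VALUES
    (1, 'alice', 100),
    (2, 'bob',   2500),
    (3, 'carol', 40);

-- Security barrier view: each role sees only its own rows.
CREATE VIEW my_accounts WITH (security_barrier) AS
    SELECT id, acct_owner, balance
    FROM accounts
    WHERE acct_owner = current_user;

-- A function that is NOT marked LEAKPROOF: it reports its argument
-- through a side channel (a NOTICE), so the planner treats it as leaky.
CREATE FUNCTION noisy(val text) RETURNS boolean
LANGUAGE plpgsql AS $$
BEGIN
    RAISE NOTICE 'noisy() called with: %', val;
    RETURN true;
END;
$$;

-- Case 1: a Var from the view is passed to the leaky function.
-- Rule 3 in qual_is_pushdown_safe() refuses to push this qual down,
-- so it can only see rows that already passed the view's own filter.
EXPLAIN (COSTS OFF)
SELECT * FROM my_accounts WHERE noisy(acct_owner);

-- Case 2: the leaky function receives only a constant.
-- No Var is passed, so the qual is now eligible for pushdown
-- into the scan underneath the view.
EXPLAIN (COSTS OFF)
SELECT * FROM my_accounts WHERE noisy('probe');
```

Compare where `noisy(...)` appears in the two plans: a qual kept above the barrier is attached to the scan of the view's output, while a pushed-down qual sits alongside the view's own `acct_owner = current_user` filter on the base table.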
Diffstat (limited to 'src/backend/optimizer/path/allpaths.c')
-rw-r--r-- src/backend/optimizer/path/allpaths.c 6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/backend/optimizer/path/allpaths.c b/src/backend/optimizer/path/allpaths.c
index c4b0c79fb17..9caca94f64b 100644
--- a/src/backend/optimizer/path/allpaths.c
+++ b/src/backend/optimizer/path/allpaths.c
@@ -1982,7 +1982,9 @@ targetIsInAllPartitionLists(TargetEntry *tle, Query *query)
* 2. If unsafeVolatile is set, the qual must not contain any volatile
* functions.
*
- * 3. If unsafeLeaky is set, the qual must not contain any leaky functions.
+ * 3. If unsafeLeaky is set, the qual must not contain any leaky functions
+ * that are passed Var nodes, and therefore might reveal values from the
+ * subquery as side effects.
*
* 4. The qual must not refer to the whole-row output of the subquery
* (since there is no easy way to name that within the subquery itself).
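Review bot: Point 3 of the revised header comment says only "passed Var nodes", while the commit message limits the restriction to arguments from the current query level; consider spelling that out (for example "Var nodes of the current query level") so the comment matches the intended rule. It would also help to state here that leaky functions with no Var arguments are now eligible for pushdown and can still observe how often they are called, since the commit message acknowledges that and a reader of allpaths.c will not necessarily consult rules.sgml.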
@@ -2009,7 +2011,7 @@ qual_is_pushdown_safe(Query *subquery, Index rti, Node *qual,
/* Refuse leaky quals if told to (point 3) */
if (safetyInfo->unsafeLeaky &&
- contain_leaky_functions(qual))
+ contain_leaked_vars(qual))
return false;
/*
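Review bot: The unchanged comment "Refuse leaky quals if told to (point 3)" above the condition no longer describes the test, because a qual containing a leaky function is now accepted when no Var is passed to it; suggest rewording it along the lines of "Refuse quals that pass Vars to leaky functions (point 3)". The definition of contain_leaked_vars() is not part of this file's diff, so it is worth confirming there that a Var nested inside a larger argument expression counts as leaked, and covering that case with a regression test.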