On 02/09/2016 11:47 AM, Robert Haas wrote: > On Fri, Jan 15, 2016 at 11:53 AM, Stephen Frost <sfr...@snowman.net> wrote: >>> Whereupon you'd have no certainty that what you got represented a >>> complete dump of your own data. >> >> It would be a dump of what you're allowed to see, rather than an error >> saying you couldn't dump something you couldn't see, which is the >> alternative we're talking about here. Even if you've got a dependency >> to something-or-other, if you don't have access to it, then you're >> going to get an error. > > I think you're dismissing Tom's concerns far too lightly. The > row_security=off mode, which is the default, becomes unusable for > non-superusers under this proposal. That's bad. And if you switch to > the other mode, then you might accidentally fail to get all of the > data in some table you're trying to back up. That's bad too: that's > why it isn't the default. There's a big difference between saying > "I'm OK with not dumping the tables I can't see" and "I'm OK with not > dumping all of the data in some table I *can* see".
I don't grok what you're saying here. If I, as a non-superuser could somehow see all the rows in a table just by running pg_dump, including rows that I could not normally see due to RLS policies, *that* would be bad. I should have no expectation of being able to dump rows I can't normally see. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
signature.asc
Description: OpenPGP digital signature
