datahuborg / datahub

An experimental hosted platform (GitHub-like) for organizing, managing, sharing, collaborating, and making sense of data.
https://datahub.csail.mit.edu
MIT License
210 stars 60 forks

users should have an API to create, look up, edit, and delete policies where they're the grantor #129

Open RogerTangos opened 8 years ago

RogerTangos commented 8 years ago

Send datahub a query and have RLS reply with the query it was rewritten as.

RogerTangos commented 8 years ago

@justinanderson notes that we don't want users to be able to deduce what security policies are based on the rewritten queries, though this might be useful for determining what other users' queries on the grantor's table would be rewritten as.

anantb commented 8 years ago

I think exposing underlying implementation details (the rewritten query) would be a bad idea -- it will expose new ways of SQL injection to invalidate the rewrite (it's not hard to inject predicates to invalidate the RLS condition).

-- anant

On Fri, Mar 25, 2016 at 12:00 PM, Albert Carter notifications@github.com wrote:

@justinanderson https://github.com/justinanderson notes that we don't want users to be able to deduce what security policies are based on the rewritten queries, though this might be useful for determining what other users' queries on the grantor's table would be rewritten as.


justinanderson commented 8 years ago

Let's redefine this issue as "users should have an API to create, look up, edit, and delete policies where they're the grantor".