Participants
David R. Pike
David R. Pike
Tom Lane
Tom Lane
Stephen Frost
Stephen Frost
Attachments
Show all attachments
Thread Outline
#1David R. PikeDavid R. Pike
Oct 28, 2016
#2Tom LaneTom Laneto David R. Pike (#1)
Oct 29, 2016
#3Stephen FrostStephen Frostto David R. Pike (#1)
Nov 10, 2016

Row level security performance joining large tables

Started by David R. Pikeover 9 years ago3 messagesgeneral
Jump to latest
#1David R. Pike
David R. Pike
david.pike@trustedconcepts.com

I recently applied RLS to several large (several million rows) tables in my 9.5 database and noticed that queries against a single large RLS protected table perform well however queries that join several large RLS protected tables perform very poorly. The explain plan shows the optimizer is scanning the entire table to enforce the RLS policy before executing the primary key join that would reduce the query results to a single row from each table. Clearly performance would be better if it performed the join before the policy check.

From what I can understand the RLS implementation strives to execute policy checks before user provided predicate checks so as to avoid leaking protected data. Is there any way to make the join look "safe" to the optimizer to avoid full table scans? Isn't this a common scenario?

Thanks,
Dave

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

Import Notes
Reply to msg id not found: 394640102.228888.1477674857969.JavaMail.root@trustedconcepts.com
#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: David R. Pike (#1)
Re: Row level security performance joining large tables

"David R. Pike" <david.pike@trustedconcepts.com> writes:

I recently applied RLS to several large (several million rows) tables in my 9.5 database and noticed that queries against a single large RLS protected table perform well however queries that join several large RLS protected tables perform very poorly. The explain plan shows the optimizer is scanning the entire table to enforce the RLS policy before executing the primary key join that would reduce the query results to a single row from each table. Clearly performance would be better if it performed the join before the policy check.

Join cases with RLS aren't optimized very well at the moment. There's
work afoot to improve this - see
/messages/by-id/8185.1477432701@sss.pgh.pa.us
- but it won't be in production before v10.

regards, tom lane

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#3Stephen Frost
Stephen Frost
sfrost@snowman.net
In reply to: David R. Pike (#1)
Re: Row level security performance joining large tables

David,

* David R. Pike (david.pike@trustedconcepts.com) wrote:

From what I can understand the RLS implementation strives to execute policy checks before user provided predicate checks so as to avoid leaking protected data. Is there any way to make the join look "safe" to the optimizer to avoid full table scans? Isn't this a common scenario?

You can use a security barrier view which is owned by the same user that
the tables underneath are owned by, that will bypass RLS on the tables
themselves and therefore you'll need to implement the appropriate quals
in the security barrier view.

As Tom mentions, we're working to improve RLS optimization as well. As
is pretty common with various features, the initial implementation
provides the functionality but perhaps isn't as performant as one might
like, and then we iterate and improve it in the subsequent releases.

Thanks!

Stephen

← Back to Topics