Improving RLS planning

On 26 October 2016 at 10:58, Tom Lane <tgl@sss.pgh.pa.us> wrote:

The alternative I'm now thinking about pursuing is to get rid of the
conversion of RLS quals to subqueries. Instead, we can label individual
qual clauses with security precedence markings. Concretely, suppose we
add an "int security_level" field to struct RestrictInfo. The semantics
of this would be that a qual with a lower security_level value must be
evaluated before a qual with a higher security_level value, unless the
latter qual is leakproof. (It would likely also behoove us to add a
"leakproof" bool field to struct RestrictInfo, to avoid duplicate
leakproof-ness checks on quals. But that's just an optimization.)

I wonder if there will be a need for more security_levels in the
future, otherwise perhaps a more generic field can be added, like "int
evaulation_flags".
In [1]/messages/by-id/CAKJS1f9fPdLKM6=SUZAGwucH3otbsPk6k0YT8-A1HgjFapL-zQ@mail.gmail.com -- David Rowley http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services, there's still things to work out with it, but I mentioned that
I'd like to improve equivalence classes to handle more than just
simple equality, which seems to require "optional" RestrictInfos. It
would be nice if we could store all this in one field as a set of
bits.

[1]: /messages/by-id/CAKJS1f9fPdLKM6=SUZAGwucH3otbsPk6k0YT8-A1HgjFapL-zQ@mail.gmail.com -- David Rowley http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Training & Services
--
David Rowley http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

On Tue, Oct 25, 2016 at 5:58 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

The alternative I'm now thinking about pursuing is to get rid of the
conversion of RLS quals to subqueries. Instead, we can label individual
qual clauses with security precedence markings. Concretely, suppose we
add an "int security_level" field to struct RestrictInfo. The semantics
of this would be that a qual with a lower security_level value must be
evaluated before a qual with a higher security_level value, unless the
latter qual is leakproof. (It would likely also behoove us to add a
"leakproof" bool field to struct RestrictInfo, to avoid duplicate
leakproof-ness checks on quals. But that's just an optimization.)

In the initial implementation, quals coming from a RangeTblEntry's
securityQuals field would have security_level 0, quals coming from
anywhere else would have security_level 1; except that if we know
there are no security quals anywhere (ie not Query->hasRowSecurity),
we could give all quals security_level 0. (I think this exception
may be worth making because there's no need to test leakproofness
for a qual with security level 0; it could never be a candidate
for security delay anyway.)

Having done that much, I think all we need in order to get rid of
RLS subqueries, and just stick RLS quals into their relation's
baserestrictinfo list, are two rules:

1. When selecting potential indexquals, a RestrictInfo can be considered
for indexqual use only if it is leakproof or has security_level <= the
minimum among the table's baserestrictinfo clauses.

2. In order_qual_clauses, sort first by security_level and second by cost.

This might work for RLS policies, if they can only reference a single
table, but I can't see how it's going to work for security barrier
views. For example, consider CREATE VIEW v WITH (security_barrier) AS
SELECT * FROM x, y WHERE x.a = y.a followed by SELECT * FROM v WHERE
leak(somefield). somefield is necessarily coming from either x or y,
and you can't let it be passed to leak() except for rows where the
join qual has been satisfied.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Robert Haas <robertmhaas@gmail.com> writes:

This might work for RLS policies, if they can only reference a single
table, but I can't see how it's going to work for security barrier
views. For example, consider CREATE VIEW v WITH (security_barrier) AS
SELECT * FROM x, y WHERE x.a = y.a followed by SELECT * FROM v WHERE
leak(somefield). somefield is necessarily coming from either x or y,
and you can't let it be passed to leak() except for rows where the
join qual has been satisfied.

Right, so quals from above the SB view would have to not be allowed to
drop below the join level (but they could fall *to* the join level,
where they'd be applied after the join's own quals). I mentioned that
in the part of the message you cut. I don't have a detailed design yet
but it seems possible, and I expect it to be a lot simpler than the Rube
Goldberg design we've got for SB views now.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

On Wed, Oct 26, 2016 at 1:20 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Robert Haas <robertmhaas@gmail.com> writes:

This might work for RLS policies, if they can only reference a single
table, but I can't see how it's going to work for security barrier
views. For example, consider CREATE VIEW v WITH (security_barrier) AS
SELECT * FROM x, y WHERE x.a = y.a followed by SELECT * FROM v WHERE
leak(somefield). somefield is necessarily coming from either x or y,
and you can't let it be passed to leak() except for rows where the
join qual has been satisfied.

Right, so quals from above the SB view would have to not be allowed to
drop below the join level (but they could fall *to* the join level,
where they'd be applied after the join's own quals). I mentioned that
in the part of the message you cut. I don't have a detailed design yet
but it seems possible, and I expect it to be a lot simpler than the Rube
Goldberg design we've got for SB views now.

OK; it wasn't clear to me that you had considered that case. I'm not
convinced that what you end up with is going to be simpler than what
we have now, but if it is, great. One of the reasons I did the
initial security_barrier stuff this way was to avoid inventing a lot
of new stuff. Subqueries already acted as optimization fences and
that was what we needed for this, so it made sense to me to build on
top of that. Now, if we do build stuff specifically for this purpose,
it can probably be smarter than what we have today, and that is fine.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Robert Haas <robertmhaas@gmail.com> writes:

On Wed, Oct 26, 2016 at 1:20 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Right, so quals from above the SB view would have to not be allowed to
drop below the join level (but they could fall *to* the join level,
where they'd be applied after the join's own quals). I mentioned that
in the part of the message you cut. I don't have a detailed design yet
but it seems possible, and I expect it to be a lot simpler than the Rube
Goldberg design we've got for SB views now.

OK; it wasn't clear to me that you had considered that case. I'm not
convinced that what you end up with is going to be simpler than what
we have now, but if it is, great.

Well, we already have mechanisms for controlling how far down the join
tree upper quals can fall; outer joins in particular require that. So
I'm thinking that it shouldn't take a lot of additional code for
distribute_qual_to_rels to handle this too. Admittedly, the amount of
boilerplate elsewhere, if it turns out we need a new jointree nodetype
to control this, is not negligible. But I'm thinking it'll be a lot more
straightforward. There's weird warts for security quals all over the
planner right now, and there are still some things about them that I think
work only by accident.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

On 25 October 2016 at 22:58, Tom Lane <tgl@sss.pgh.pa.us> wrote:

The alternative I'm now thinking about pursuing is to get rid of the
conversion of RLS quals to subqueries. Instead, we can label individual
qual clauses with security precedence markings. Concretely, suppose we
add an "int security_level" field to struct RestrictInfo. The semantics
of this would be that a qual with a lower security_level value must be
evaluated before a qual with a higher security_level value, unless the
latter qual is leakproof. (It would likely also behoove us to add a
"leakproof" bool field to struct RestrictInfo, to avoid duplicate
leakproof-ness checks on quals. But that's just an optimization.)

+1 for this approach. It looks like it could potentially be much
simpler. There's some ugly code in the inheritance planner (and
probably one or two other places) that it might be possible to chop
out, which would probably also speed up planning times.

In the initial implementation, quals coming from a RangeTblEntry's
securityQuals field would have security_level 0, quals coming from
anywhere else would have security_level 1; except that if we know
there are no security quals anywhere (ie not Query->hasRowSecurity),
we could give all quals security_level 0. (I think this exception
may be worth making because there's no need to test leakproofness
for a qual with security level 0; it could never be a candidate
for security delay anyway.)

Note that the securityQuals list represents nested levels of security
barrier (e.g., nested SB views), so you'd have to actually assign
security_level 0 to the first security qual, security_level 1 to the
second security qual, and so on. Then the quals coming from anywhere
else would have to have a security_level one greater than the maximum
of all the other security levels.

Having done that much, I think all we need in order to get rid of
RLS subqueries, and just stick RLS quals into their relation's
baserestrictinfo list, are two rules:

1. When selecting potential indexquals, a RestrictInfo can be considered
for indexqual use only if it is leakproof or has security_level <= the
minimum among the table's baserestrictinfo clauses.

2. In order_qual_clauses, sort first by security_level and second by cost.

I think that ordering might be sub-optimal if you had a mix of
leakproof quals and security quals and the cost of some security quals
were significantly higher than the cost of some other quals. Perhaps
all leakproof quals should be assigned security_level 0, to allow them
to be checked earlier if they have a lower cost (whether or not they
are security quals), and only leaky quals would have a security_level
greater than zero. Rule 1 would then not need to check whether the
qual was leakproof, and you probably wouldn't need the separate
"leakproof" bool field on RestrictInfo.

Regards,
Dean

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Dean Rasheed <dean.a.rasheed@gmail.com> writes:

On 25 October 2016 at 22:58, Tom Lane <tgl@sss.pgh.pa.us> wrote:

The alternative I'm now thinking about pursuing is to get rid of the
conversion of RLS quals to subqueries. Instead, we can label individual
qual clauses with security precedence markings.

+1 for this approach. It looks like it could potentially be much
simpler. There's some ugly code in the inheritance planner (and
probably one or two other places) that it might be possible to chop
out, which would probably also speed up planning times.

Here's a draft patch for this. I've only addressed the RLS use-case
so far, so this doesn't get into managing the order of application of
join quals, only restriction quals.

2. In order_qual_clauses, sort first by security_level and second by cost.

I think that ordering might be sub-optimal if you had a mix of
leakproof quals and security quals and the cost of some security quals
were significantly higher than the cost of some other quals. Perhaps
all leakproof quals should be assigned security_level 0, to allow them
to be checked earlier if they have a lower cost (whether or not they
are security quals), and only leaky quals would have a security_level
greater than zero. Rule 1 would then not need to check whether the
qual was leakproof, and you probably wouldn't need the separate
"leakproof" bool field on RestrictInfo.

Hm, but it would also force leakproof quals to be evaluated in front
of potentially-cheaper leaky quals, whether or not that's semantically
necessary.

I experimented with ignoring security_level altogether for leakproof
quals, but I couldn't make it work properly, because that didn't lead to
a comparison rule that satisfies transitivity. For instance, consider
three quals:
A: cost 1, security_level 1, leaky
B: cost 2, security_level 1, leakproof
C: cost 3, security_level 0, leakproof
A should sort before B, since same security_level and lower cost;
B should sort before C, since lower cost and leakproof;
but A must sort after C, since higher security_level and leaky.

So what I ended up doing was using your idea of forcing the security
level to 0 for leakproof quals, but only if they have cost below a
threshold (which I set at 10X cpu_operator_cost, which should take in
most built-in functions). That at least limits the possible damage
from forcing early evaluation of a leakproof qual. There may be
some better way to do it, though, so I didn't go so far as to remove
the separate leakproof flag.

Some other notes:

* This creates a requirement on scan-planning code (and someday on
join-planning code) to be sure it doesn't create violations of the qual
ordering rule. Currently only indxpath.c and tidpath.c have to worry
about that AFAICS. FDWs would need to worry about it too, except that
we don't currently allow RLS to be enabled on foreign tables. I'm a
little concerned about whether FDWs could create security holes by
not accounting for this, but it's moot for now. Custom scan providers
will need to pay attention as well.

* prepsecurity.c is now dead code and should be removed, but I did not
include that in this patch, since it would just bloat the patch.

* Accounting for the removal of prepsecurity.c, this is actually a net
savings of about 300 lines of code. So I feel pretty good about that.
It also gets rid of some really messy kluges, particularly the behavior
of generating new subquery RTEs as late as halfway through
grouping_planner. I find it astonishing that that worked at all.

* Since the planner is now depending on Query.hasRowSecurity to be set
whenever there are any securityQuals, I put in an Assert about that,
and promptly found three places in prepjointree.c and the rewriter where
we'd been failing to set it. I have not looked to see if these represent
live bugs in existing releases, but they might. Or am I misunderstanding
what the flag is supposed to mean?

* Aside from plan changes, there's one actual behavioral change in the
regression test results, but I think it's okay because it's a question
of whether to put a non-RLS qual before or after a leaky qual. That's
not something we are promising anything about.

* There's one test query in updatable_views.sql where the plan collapses
to a dummy (Result with constant false qual) because the planner is now
able to see that the qual conditions are mutually contradictory. Maybe
that query needs adjustment; I'm not sure what it's intending to test
exactly.

regards, tom lane

PS: I've been slacking on the commitfest because I wanted to push this
to a reasonably finished state before I set it aside to do CF work.
I'm not expecting it to be reviewed in this fest.

���Xnew-rls-planning-implementation-1.patch�\ms7��,�
XW�&e�i�n��Rd�Vw������'�p�
g���d&�����������J����"
4�~y��hxM����E�
�M����N'��$�h�����HB�����gQ2���I��8{��>���T�����������fx��v�:�^��Q��6y��e2M[a��\�_��i��:��W���|��
���>Sj�����>\�_���~�^�m�E����(Mt�������a���������$�I�^/7��up���t����a�E�j�{{�}y�����[��8(�e:�&��~����2=�zOfE�m����l?�?~�@�����`
�����)P��6
�uZS!n��������i�S ��������o��w�o�518�JsM��-3�&�C�H�M��rK��Z"���;7t���I��8�OV�~L]�f�,�>=>;:��&������h���*^�5EA��8H���|�v$3�(JG����-��X�>��W�Je�tsy-��>w,��<�G9sm������Lw��Kt�fA�Gi������E��x�O��������JF1��D�����+�s��d��OOn�l�����{s;4�{\P/��t�$�_/�GD�"�~���G���>}u�����jM"��g:�{��SZM��E��l��T-1u����k����>���=����+�����a�[��w-`�N>�<��
����4���P��/�;��NB}A61����xyv����Nu;{u8�8}	�T�rc�,�m����n�,��t����m���u�~���~:�Bu�F�-��9�-�(���/��������`;��k��q�Z���c�S#�X��#H���cs��^gs����2����������
�o6����h���FN�^��v7�F`���ui*N,����pXYO��{����QI���y��K�qr�9=��}qv|��f	[,U	(i����.������2����Qi�����s�����B�������N��D����Y�L�G��(=�Fad�W�
�.�������^����!��*P�uU�U�H��-i�p���z���7!o)}��:�(`�c
2�W@H|����n����|m,x;�T:1$�S��.��j����X`x���ej4�$&��{�� T���4��/�<�A(�Bc@@W��h�8�����iSw���2�&��V�70�^�A���O�ID:d��n�	�$(�������E�XIF��JAx���l��F�IU�0��Jt��	�(^)8N�j��
a	�&�uE�)ZT����J��	���
u���B��y�[%9�J�G�*��@o�����=Q����G��'`�FDk��b�7W��oVxl(&)���8���usz F�Q&�I�9P�b0�g�d�wQx�}W�$��D��s����	x�++����6I��Q���L�mZ�j��C�&�$�p��^Q\q!�T$��Xf��7zV�Af����35����v��s^A�\1hA��r�����C4�m0`�Oc��i��z�c-w��!V2������X���cQC�9�%l�B"��.bK��#��^������p3�f!.+�B����	��	�l`lgs�*�m�e�m
���d�H�,����
������3oh��C��h�!q���@��"	��M��Z�>�43�d��5M�V)	���>��*�
�qaJ�[]����E`��T�k5�Qw�����~i�:H&g����:�'�X��^��c��+lQ�}�'��0v4�P�b��J�\��0���t�������i`\�����`����:����|�H��<�!��(�jF��0�e8�X[��u��EBcC�/9�����i���Y����#t�m��h��	9EG��~!�e�i��$(���V_�oZ��dn�����5PL

x$��L���.u�.|�.���li�6�Nc�4�+���e:r�g�wI������t&��;p�4&��4�g-b�F`x�_����8�#yE�� ���^2�����g���D%@@qW$�6�O�����V���/�0`(�V�
��E�P-Z!�S��� �
��/���Em����@�@�1��Z��ZC�9�G�O���)����Y3���V	/@i�1f(.�B`���p�����]� �Db��v�
65�*:=���E���$Q��#RDuG�6���A�k��w+�CS<���LJ�j����K
��H;�j�pw=D��������5Y+�A-��N�;��HH��Ks��)��B|19�Q����6!� kX�iF�K
��e�:��k���� ]yB��i�Yd�$>���,H�4g�B]z�EJ4�R<��T�f���yl��?�!Z��L��!6����%8�����-�#��v����`��1�\���Md	.!��jsM��jx�P�������G�S4u��!�
1�;��W5N#P�<7Q�R���e�=u��0dI�v>�I�EC�d�b�K�	@��_;;N�����X83f������m��.�{J���la���O�!V��X���r|�f{���JUm�=3\8a�y�KO�)[b��3���
6l��,3!��|��������p��W���t���'-���Y�K7����8�lU����!�$q������
���9��z��#����$�����0�B?�6p�|�����T#�S5u�8�,� �X��CX.�g��m�R��RH��SJ8M!�	��;�VgR��������d��U
�c���E)8&,���1��������h�����B����o���7�}�b:���7��0>J]Z���`��t�=�%��;D}���-N�Y ��a2w��2,�	#�B�`bd�}Dr�%lIO�8|��8H�L
^b�9G:L�b��#9��TX
`�z�*��H��X��{�
��}�����m�7����\�|M�_�m�g���p��g��^8��G�S��MJ��E�}�	R��+g�G�Z����� z�����q���������	�������i��yOnn��Icyud[0��\
Ww��_��?{��w��zC5�BC�hZ$�� 3�m<�5q�>�Xm�
��)�[�FX�.� ����S�����^t��}#�Kr\=����-�-Icf�qy��Og�%����\�p��q��;;dH#>���������/Mq�;�����A�sv�i.|��|@��A�����R]b��W��]R��/2�����P1{�����������}�=8P�|��<����$%'��d���L1�����
:Hl��c�G��0�Xj���6�����I
���7/x#{�e�t
A7�0��nN?�kr�%��u�=qz�]����q39�����G����0_�v�_n_	��4���zm&��:�������k�}���#�*�x	���p��6�E����8/��X��'ig���F�0��j�����z'k%�Y1)5��=���J�5z0c:��<Cc(x�[��m;Yg5����.�y�E���y
B��j�7����oD"�
T�o�I_��m�����@�GGR����6��W�	��d�J
��g�����U����C���y���J�y������g�������D[��q(�CP4)�#�Z2���s�l��`�QRh���Y��?�TX�I*�!dZ��w[��iF�)2�_��Z>)��F������# E�T4�7b,�ia4^��[P�����
~��,9����N��UU�����7��Xv���7����tt����2N��eX~]�hORK���B�+��8��H[�ZP��X��f���l�t�����g��zI�
m����oy�|e�����.�,R��$4q�����%�B%��_�1
3����6;���R��1�&S�a�1����i�vc��
��yJM�zn���E��suj"t8^sOwMXN��2	�H��������j������O�(]J���eE�D�d��
�����>�t�n����+��m��<+�Z�j@1���/��'Ly{�q�Nn��K:���V�?� ����T
���>%{u
��tc�k;�s��#:k���d�|IT�����T�"���&���Xuu��r:�����F��:�v@0�din��<0������w�<��*����H�����"J��o�i
���5d��r[����H`C��.a����������m�Zg�vZ�,��~d�g�����,$�(~�.�u��c���v6�������~5P������s�\�nu}+�[>IDA_9E���E���-�������:l�J�l�vt���&����#�ld�m���G0�n���>h��]^�S�WWt����������f�F{Y��H���B
�2��������*�f��M:�?���������vM��r�Dw�B{�C�/���
'�ww�.��i<)���IWlr��~������`-@������kuP9u?�x�d	ee����s�(�j4�9�jbo�AGYZkN�����fr�R�4h{4�J��D����	���#J�FQL�N)q\��o����	�Y�;���6u{���'c�F���z�������q`C���Z�����`�]����{�f)_�n�k���:F=o�O9En������gi}"�m9�t=�_���x��&�h���?���)��mq	P����*gU�'�A?N�����Y_�Uo>d���6}(`�������3��������R�e���v];f-���-���W��^����4.���/�j�����\�Z
�#?88><��O���rF��V��8B��zYU���Y�'Y@��E�|�3����g�:rv=%�\��W��@����/�������@}���f�.>�������4��.�qd+)�/��a�~�2���
a���JA��:B.��	���k�R�L�k�*q�����������#EL�b�j�\�PF%n
� F.	��F�^�u���\0�	HAUPW����(/�����4��	����\��$XU�������Ge�(�$C�H��������(���]����(_����C.+*X��+��\�L�Y����*��%�()'�������6u|���I�+��b����d(15%�Z�����2k���!B]���_d
�o?��������_����������v��i�mA$[�S��*��e�J�jD���6'I�MV��&�|����z����T��dgO�Y�v�g3�~�MU_���X^��\o�:o�Z�dF��)n��������k��`��Sgl]�1����:s�?�����-�\	A[������4@���``��jvd�pz�=�I�y��#h�j���t������n��g%&:�S
������v����K����>����^����
|���H�������V�������w�.����jZf�)g\�f>�8J��-g����LYK�r["�`E��4��fBg����-tt�6eo��-�&��t(�r=W@Y]s
��EG�^X�����������#�{~���B��-�9�G�����G������K}j��Z�S���+���;����cy�&q��@ t�P��sp�������l�?oG�)���P��1�t��b!C��0��8��/g�|���f��
H5��@�8�Ka���U*�M�8��������=9��;`�%�(��AR)u���<d�r��^�~�$�j��lX����2q,�BR*��&����
��n���gl|vZ���t�Y���x_?q��J">KiJ9�r�8�	��,���~�������d>�r5
����3�
���\�'�J���d��#s]�hkq�1��00<M��t�����5�N�)y�
pD��ALE�B�����^��H��1�X^�;T��XZ9��&MRs-u��`0/H��]��z:��V[4(��H���2����������>/��V�LS���$�WWB�^�Lm��=bJ�p�#!HNbS�y���>r^��a�P��h��^�Yz8,cJ����������3[��f���1��_��S�d��(jm���dB�����F��$�S������sh��2Q"�
�w
�����m���eSe���ic�{�����z<��"4}�����m{�a�m��K(��Y�����l��������,��=��{��b�&��jg��(u+-����fH�c�`PK�3���]�P
-v����B��[�n��wu���<N<�	� �II���`/C�/.�Eh��`�b]���'Zs<kocH&t� �"����~m5���4=
�m�<�jP���������"a	i��K�;�4����h,�S��,�����
���E�.�nO�/�	Z�l�e�9�_#@
���N���JE&^O#�X�zm���UT�bp,�n��V�y-����'4���wS3�Z�l����4�A�]�����9�F<����=�O4��h�s�m�M
�N�
@���_�a7y�@P� �F�w��P
t��������Y�mg�}����44�������6���� C�B������,�e-��
_�S�&�
�c��o�:?�}3�O0���~i��A��pc���+�����i�MW%����V[g5��X$����xY_�l�2d�v�SA�l$XJ��]��4�`U����x�aO�P�/]<<�}��?
���>�����]�n��|q���r�[�C��9���w'��s���8�-�w[��-���&�������yM��?�
qT�v�!
)~�E|=5�E�N�������~(]A�5/�v����C)8���\!����R�v��JO$1��8H"i0�9=c8Y�f���4����������u�t��=����f<O�R=��"�|*9;��G2���?��m��Q��5��%���`���E��%}���T<`����*v�'�Ym��^����9v��M	�'��2D����
��3�9 	*�K��e
�����w��{	�d����s8"����)SB���M�y�
p�o���5�F����f+M�J��)	�	�H���%�^�ZB�J�|BkiO^ec���$	v;�8#���lBM�i�������	dG��x����V�w
` t  Yl��>�����t�=�\���w+hA��;�����E/�5�"GI��J8\J^<�_����2a5���GM�}��ivO�L��K�2"�8U8��o�#�:X.o�����1.��k�u ���	��GO�F=�bNCEV8G�wt`#��@?�O���� h�k�Y�Y)�!����k�`����t��Z�S^���
Al0��g�2��ZF�s��f�2@9����(���b
���1d#�6����t������-�m;-���hh���"�g
R�NH�f>�K�Z�BH;�n���
������RW�@�2<�6'l�L�'���\&S�*:i�s���<3������.T�'c�l�k;�VvC��Q[%�6����sxj�*����_�j�O���y�hY��}Xi�V m��x�+#->��P��(
'�&����������F_2�LFE	[��L[rWK��^���](�w@`2�,z�.�[63X_l�����`�A����bFJU�0���7�CY|Y�����v��a�����#>V5�Lk�4�L{6�hp��JQ0�^�0�M
�5�f��j�D5��Q>t�N�L�2
f����>\�#�o��
�����B���44pSm~{���T@/������
b�A���MA��5"N0���)�+x�D������h�~a������od��8�P~B��lPo�%1��=��������c7�
�����)9b�	P�h
��c��Z�H��1C�%LQk!��
�^�/��e�H�)�e��x�=
6l�O�^/��h����!��<N�v��$���a^��Hv!���$7�	�R��E~mN����/��h�q���m�����S����M�u��������xBF��t��3�����-v�leQX�ZV��[V��\V��/�}K��,��L���<g}�x51��������<�$��\�o��6�(�����i�`��\I�
'����7�1�n����4[��?j�z~�`�����&~��,���-����Q����G0m��	��)�����l:F�e��0$hdOda���������7�����w[�J��@.�wB����zT�������i�tW����N�q�_m�wM���z_?�Y�F��L���2QX�Mz���}V� @��WmB`���a�R0������Q������@l�����Bb��Dq�?���4E0LX|+5
��a��(
HV^$�����*����u���-��*���,�$�_W�
8/O�W!�]���5q��d����?���s'���E��
�������������>�����P�(E���z�PNZ���1�0[&���������'�����kx3J;7)���v�V�u��M���I���h6a-�#����+��!�H�F8��@A��v�~i�����p�A	�C\W��rn��$LI�t1�Ef�R��
�X!�
�PC(��O�G�y������l����q
�@�jv6����6�;K�VL�������������t���4z���_I���U��f�6����<2T.	�IM�����~�v�a��2�d�������T�g���x��
Xr�K��0�74�4�%T����Zn�1��2�������o�4v9D\)*�W[��I���tz��8p������^^��)�E���Hl[P�1�:=�j�i*��+��!e���9�0�1"c��R�S�^:���N�YC�������0��f|������D1d�<�s�c)`+�/\���% �^%���XG�C})�}��R����X���icJ��g�p%m�9p
!0��9�l��,*���mF%��XA�7�q�
#�u�$!�\O�C~L��p����b��l�<��;F�:��'��G�.��W��A��ci(��0Q8�D�*k+�aE�!��-����Q8������;*�����n��������
V���))��N~Pv�k���p=o�'��
6�����:H,bB�b���%�g���Z�Z ��0!\���J���!�X�`��qI�G���U0�"�Q��XOL��ac�$��h`���z]
Y����a����J���LM�Y�N�a���@�����|���^�(U~4S+9�!|��" 	A��Y(�
�"��u�E
%e4�J��
�K���/�@�&�B�d�zMfgv�56j)w�l����C�\��>��Z" �k�����X�������DH��o�X�!��48\���)�z�d��k1��pK�_d�sD���#U_��V%��L7�#�.5��SS�t��'�IJ���3���GK��+Qc���*���.�V��6�j���]s����%.����d6����U:��N�5�2Jgd�oy���{uq�*�������9�|>�v������
w@��i�
0 jA�A����W���y@4+
���;��:/���N��n��l�.�/N"���S�����b
�w��7>a����x�~3�j��?��{�d%;�(�rS3P�r��Y�J*0�m2t;�niWM�P��	�-���k�X���
�j��AE*���O�B
[/��xy����LxP)`����}�f
U�����k (N& &�0����V{LeF+�����X���X$��hN�$�Yk�z5%�j)���������9�P{���._zI?h�8T������1G��e&�����&�a��T�����;�S��j����
�Vbrn)=: �nr�7��Aht%>�x31a������!<�J.�_D7��/�i ������
J��%�����k�rhJd�������|�@�C��Oh��V���[�F?��w:P]��16���s���Y�J���`F��
y��~����`�'C��Q2rd�f����K�*VF�A62�Z#�3l��n��6���FF��R��p�i4c*U�\� �Ql�R�.�����m�����C�inZ�)��R�(X�d��Ku����B�^�~}��%>��a�9���cF
��!����EWG�������?e���}�'Eo�Wq�>�{�Z��
�����e,m���b������/aLAA��Od�|	{E��
��eyu�v'9�4��p0&�l;y#?�
�rv�����$mQa�����s����s]���s��O
����;��k��n;�z8�i	�Y��������_"P^�����4i�����dC���Q�\�W�kl�@��d�^�d6*�����9�����4#�^�nD�E��eE\��w%rl�*Z���pj<XJ����v���N1[�+�P�+�����K��V�*D��d�
�e%x�����
�,<�3��{\������2))�hQc���2�#I&i�@�����9
��h�����vDz�d���<���W��
I�Hiy���/Si=��S�3b���������wG��9x�[b!������E$����X����n��55��^�c���N1�2TZ�H�hT�DfU��*�������/��A�i�Kn�n���������/�����=�'*�rK*���d��N�� ���f�~���/$���tgX�������jQU�����b��c�=K���"���
�
�0h����1Kl�w�o�"&|�x��l���bI�s���cc�&�;T%�5�Sq�$jl<���v��oa�0E�C9*(�
�	�A�����()F���VK�}����C�j�����N�)��O��c�"P7C�EP�"v����!!q�����)@�� ��S���a���x�p�X�Bj�����o��!u�^X���4�#H]|��t�L";��B=����S�)��sS����v�������&	���$�>S�l!`��2u���>�h!���k�Zl�@�/���c��������Y/,6�V-��-u�*���4�fV�yYK��%�b����&�L�����5X�����j����6��8GK&�y��G�e)�%��g����L�<����;�SYO1�b
��g�
�P�`'��3v�\�TM*����r�hR��%L;D�M�U���=V��=�j7sT��n��2+������]��m��_/,���J�J�e�b�����<�EG�rHc��v�za/,��K�0f��aY�@Z����=D�M�T
���A��L'Vz'7�r�G��d�,���v:��N`��{Bi'`������+,������S�4�P�}y�Ny��m�����_!h7������m�!Z���'>��+x�|�s(���e@�h�|��&�hjRA�1r�(I�]Q���E����b�]�v
���"�3
��%;���p- �� "���4�}����Z���'%A}Lj�F������,}�g�h�'�z�G0G�m���������~����:�N�n;�����3���o����f���e@V�#��H:!���L�B�!�L`v!�Y;(����]7a��=K//O����{��blcsu<	�h�O&���Y��>`5�t0�/������X�P�4R:���3���~����g�?�=zer�9Wbp�~K���U7Y�
�d�P��\3d2%>cf�~��r�����c�y�Qg����Q;y�JF$J<K���I�������GJ��3��#T�gx�ah���yA����@������X��A�_K�#L�����{�*�%�>tq
q��R�f�B��p���TH�������5�1�nC0��$��������(�
x�z��\�� 8��d��`�l:|_M*�-mI����5��m6����b
]�8�&�STx���0w7�1��*�j�L����@��(*�@x���D�.�F7
���c��jc����n��+����;��9�OU�Y����b�:��~�=�0����f��� ��6n�+��f��b�,J�	%G��:D$=��x
�M
 �-���)�>���^~e�l.F�O=��$�q�S�	+y'/V���5e
�1���Z���S���v��6+�G�
�G����!�G����Y0G���������%�;v��?�B��dg�4�
"v���R�/�R.���~��B�lJ����/�|w����'.���L�����������S�������=��|����������^g����i����ZK]M%�JO�G�K&�^��A��6X�_�8D"��
N������-���P�N���NN(��u����
�Bck%���|�)V�=7��m�����-�l�Z�O�$����=Y�J1Z�l%��	FS���)
bE�c�� }�W�O�
�k
�R��q���P�K��6������w��<9�H_-�:��2e�
�5K�2����
�e>����'[�h"���?~:�������}8�-Z�rx���I3X�� ��~�e��*���)n[p&n������
N���3��	�or�.5����4b	,7�Y��3����ri�?q��c
������S\������C*M��?m�\=v
�9
Zj5��o0m�|O0�I���k�Q6(�e�<i�UTs�8����)�����.��w�XK��pVCvG�c�+q�'z�oA�p��:���7��FN2�bG7�����6�����
��5�<M}�D ���j��z�G�T��0��"
0l:��<����t�o����\)��.��2�C�4L�t�u�G�A�,Hq�9(��8�p+�j!��<���(b���$��D������i����($]�=��I�i�� ��1�S�A����:�xOAQ�^��xm�E�
�
�� x�#�^
`�*K~L�o"o��FCyJ1������B,�&=��sgF�$��h���1�����<��Nq���]�[�G��74x����Q���h�����>��S�������U^
n=�x0����O-��n�Uj�d
�a�:��I�00kA��V���Is��5z��F"��+.i�i"��r^M|\�O�S��R�F��6�����t���`�HD��]��$�A����
���[��E�;bU��~��%u�����E�q.U%���%W����)oc�`_~�rH(L$���`y��Y�\�^����c���
&~$���&f[<}*^v��A�
�	�0�XU�I��P��w�C�U>h�3W�?K�{��+k1���0�"�I��l���� 1/N,���7������S4F���e��c����'OT���#�A��d�+���k|���9�o�c��X�N��(qSYs|��1�1&����Am�����z3[��X`�e?
����6oo�����5�z"�A�_��P�����j�AqBh� XPL
F�
2�`K�rz���������~b:����R��O�:)V�2<�
Q��p�'�'���:��*�2 ���<
/���e�Z��Vv{y�e��B���s�M����\��krB����V���|������|�QU������{�������S������K� ai	��%�?N�������"/�F9^�|0fW,|Gk �J�����F����(geJ�2����5@���@d/�����CU�t�G-\O�������`��I�?1:^�]��U�+����1�m�����;�x*�ij����^�6*RCP�����g�0G�������r!P�m6b����W��T�@|�� G{�^7��\6VB��g�/�jR�)(T%����.���F�
,��1Ws9�����B����M�T,L�J�(�o�[���p$�X�m'����SFGL���=0:h���UH���P�#�������/4�o8x�����%��Y��k0���2�`�������
o&��ba����]�\�v��y��lh���}�5�|�L��Q����,$��)�*�:�\�-�6��K�H��(�����)�}
4}CHb�������yQ�7P�l���>)����|C
��\�3C��W?C�0l�x�Sg�S�@+|22��+Y�B��������CB���j���JB���j#���\Gi3L?�^A�0��
P^��i�k"�42Mc�e��$�/\,Q!(�FSj�d[8���8j���`Lq��)�=.hz�-{�������:cL����zJ�
\��5�K��f�|���1
9���M}3Y�	�$���#�/�W�U�����e\�E���RB7Z�de\9r`������rv�L�3}�?�������:�h�G��
�'���!.��PDP.�d�ts;Zq��K�"J&���r�T����C�!��q��T
�������C���d�xce2
����Y����������$2��'Oz������`J�"N�4�<(5 �p����#l>�x#�7���&���?a��T���7��{!�FT:����}��D���u����������@�lxz�7B^W�FGL���u.����D;��ee���n6 �-UxW;�(d�����8Fm������hk�G����Jz~���q��yK�Vh���QOO�>�����w|wtz�����N�F'��2�����(�������2����v��7'?���^���P|8��A��l�o���;yw$����+��<sN�7;�
���AS��Y�4�H*V�Fh����TW�M�Ls��O~HV�IPL����$���x�}wr���?�xz�J����+}Z�����QT	
����Eq��g%VR�7���z��7'�Q�`@Ck����3
�Pr�p>�dEsJM�i�}G�v���'��s#�#y���
s|��]"�*����
O\G���Q~���^����C���h=0=j����1&�����t�1���:��7����,��7������6�6�U��Fc���|Y��n%�������:��{@#����;����_~��X��w��(�����A���;�����9��1�X���w����<u�����v�V����}�u�N{��+���p��iV=a�O8X���:v�M��e�Mdh������.x3r���G�Mt��TE�/XC,��Q1a�L��������&���,�Y���N�#��'m��:Bk�1���������Y�Bn����������+�����[�h��:��96�{���'8(�!��(��'y����w�E����T�c��}9��#��'}��`��I���v���#�*z}�����@�������q+YT����N_d��{��"p1Q�p�e;�~��
���i��p���}bx��?���V�Ng�����d%6K@�**��2���TO���9����;���tB�R� ��o�I�	����^����g0��d��@��xy����1�"8�p�l9h�g���4�n���X7����
�5~�t`QdB|���0���%[����'{��x;����x��\��vv<Q&
�d�K�OI:�0�p��f��;�4ZI8�3�kO�N��X�0s������%,�$[
�9�<
��D+����7�p����j�8��j�����UQ���cx(��8�P���I��f
�GC%k���*�a���C�g�;��]���=���&���D�^Q:4Bu��<<.�m?�5b��B(l��V����<'�dK�9d~����T%����I�tT�������q�1��d.�F,sU;9r��_�H$�|���`;�R��x����; [k@�"%.V����*��	�5�f���J��J����j�����N�^0� ���]����s�����.�$
�<>F�����5�L{�'9]�o����_^�MW�s��
B�U�:<��.��8�T���]]��Gb�$�~����
����"o�r��d!R������-�����(�e���0r0
h�����7�H��5���<�.���s��GKJ��M����RcZ&���� (y@���GzUiA����6 ��i��H����r
�>��D;�k]q�����B,��Z,	p+BD$��Z'��j���Q��[��
����jB�����&��|�r_[�t��y����!B�n�^���w9�-����n,eZ>��k=,}��y��������A�x`�	�"u���g
��Y�������� �%Z�6�u����K������������^��/r�(e������1����"��p�9�/����1/�G{�uz)��Pt�����t�w�G�1��Yw��U,1�.�y�NF�+����Y6�h����Q�Q*�wQ5���3jJ��[��L|B[�z�;U���	����M��
l<0�5��x������m��R�
�Lox��\X�`����;��N������yN&n1���R�K��YPKaG��i��*�.�p����Z�1��Z#�K���w����;��jK.��C@�����!��2Z��@�<����Vj}����A(�br�a�t[9ih�����������oA���205,������!���3��X�+��x���2bm�9����=��z���2�����$8��{�n��1Q��H��
9�����+Q�'8�/���R�
*����B�z��+A���������mly�����N�9���T��d
:�#@O�����������U�M�m4��1�$��D���7Y1y�VP�-���+X��0�:E����E �h���,��4�	I3�.��#"9�������Ma_"���m��RW���
������*F�i�0��V�:����R8c��;�n0
���d�
��t����
�w39VLc8���E��{Q�u�y��m��TAG��@��B]�K��Uh��0�[��-�����|5%0���_ ?I�-��QGU�&6�,Hb�������$����L
��#b�����8��������M���SQ��L�u����.���%l�G���jYe��� 'gG��� ���K��U�o����i)��,X�qb�/_�/��Oc��
={43��,����BkV�t�RX��I>�a5N��k:�z}��[��T!�&�PQPM��,@;f
�����G��
��~-���K`�o7����<�8!��IvYA�>b xB�����C��4���l��#L�4B�K���$Q��HJJ���}t�!�����2�"��@B�����{����������+j��fd
l.����e4�KHF�bk4�R�1�#��H������c��g�`\=�4K�l<K1~o�!�a+�xK�)��5�1��R�
��%����!�g�	�)��{����&���Hz����	�������i����
yz|�T�[����c�O��+�����JG�����	��+e8��������G������$��b6�i��e���^��f��x	!�E�m�%=7.�8]����X�bhI����1��j���[J���+m<��� ���'u,�<��cx���5�v�AT���PuBCv��q����^��
c
eo������jN�X��[;&rEj�����
5��������=(��f������;v������7U���/N�@�^���O�8�|��!���ND���\'{%�������w��t9��Qu���;vSG�u�]q������`c��4����H�}�d4D����mRn��"���WM��&`Os����qT��WNNywyRA�(iJ�".�v	�6@����� 0��d���x��}�����:=��V^aqC��+~4�o�x��^��e��n�������A=�s1K��g��n�e&��_S�~���TH���Qz)��R.���w���\��g��H�ZGm��]KdkB8w3F���x�@�������8*&���X���$C[K����wg���*+I��t��k
"�{���nI�.��
���o�P���d�>��A�x���I��T6l�S��^@e����������F�� �t4]q~.K��5�d�V)
d�6�	�s#��?1�Zif�6�%�/���bM��_��'�dlAz�>s��V�O&�TR�@�����ZA�T]��������������=-�����E@
�I;����@N�3n&�-��92�"y�.�>KR��#��r��TFLE���TB���������b����M3����[����r�vK�2��������2+v�����A��{�"����)�H�gy7�NF�����^k���k����*l���39����,������LS�������h	%.UY����U�����G�*���%�v,Y�'U@���^:�t���S�B0�z5LP/��M�`���xh����KXN���Q��x%��3���\��M��2�"��6h6J�j��I�!�Z�"�#HjG����[_CtaM	�`��*��8�x�4t#E�eJ��	�*!
�4��H���x�Y�0(�Q�yd��r1.i[�M�~��{r*8��}�ng,|���)�M����s��3����]\`K��j'�v��$���2)Q(#�%D�|(���a#u�vW+��u�n�t@��K\���.���r��DA�KUJ1gWJ���~�h�B?jec�
�UF�,�7��^0l�����	�29�)@��-T!>K/�;�Tm�L�tc�,qH�QK���K9td�9���X<�<�@�i��P{��J!�p��T$�7e�SlA���6>��
���:'��:�\X:|i���J�V�5���g�q�I��[�|�`B��i�0})���c��dK'�D"Z��D�h�g�{uE�����s3�j'4�s��7.I��NM�����1�����@��y��R$�F��0yF����Q��2@\��}G��
���{;*C��[�$�O�$iBwR��d��D�b��c0:�HJ(�%80�f=��`���������B
	��^"#��9|�_���+O�e�H���$��/�\�j�7��1v�l3� ���b��q���J��5��Ss�2�Vc�ES�0Q���x�0�-�y�5�D��_Yp��"=#���M�9��8JI�))<����7��Ld�U(����|���7r���+���_QK:���{��
SI-����`��>���
�y�/���������s��N�	./a������h�!����*�G|��R�k�m��q�;�����E��j��7��jE����i�����Eq�*����%
����@Om��J'�gk���R� �^Z[��,���V����(4!	2o
�������9�&.��K�8�s`x:��NOJ�Qq��� �@
�j���%��/Y�S�S�"�L��o :��I_yd����q��K������>@��XYv6����S��YN2@F�N
4��%���m��"�����$�F�8��������TE#�Z���*�����H+�"����i����s@_R
&[-�&��%�3�|��V�y
P�BB/`6~)KD�5��j��B������B���mC��s���� :K�$%�#�=�-����-�9���� 8$�����R�R�X�"��@���t?�}�������:�9"K�(]�dB'��0��)�7��=*������Z�v;�
�u�J�G1�oA�n�v{zPK���5��J�u���3]��.4�$��S�A��zB$�t7c�J
�U���f�R�f�Q���Y��Y���>F������f�p�e��]��*\f.���w�}M�a7�D`bO�c��}�y*��!�)�Q�)��U�����Q�I��*�)\��]V^%�6��HS%�?O�t��s�*

N�\����\z�P���M:��[����Lk
�G�M����W�}
K�#~����*��O
�`�������i���i�JJYg������|4�91�>q9a7��6|���%E����e|�4�Y����V��*�,\�9m�2��l���lB�.ynPV�o��pP$/����}T�����JG��I��~����m�B��)�p���$Ke�[�VV.[YY�;F0�=���b��)a������1�2�r�Vf��t\?�G��,
����>������M~��L����8���2�e�aB���+(^������@��O��2/I�T�zE#j9���c5��^wX��3��l��=
QM�h����@D"
Qg[_���3t�[:��D�{,���CG����v�UaOO0%�S+.�N�(�K�v]?����|/Yg�g*�T2���OS?�4�B|$��*�#o_��}�}�s���Hn,���(a���B���e&2�1	$�s{~sT�����d��6�
~�}4��������M&�c�2F�R�Y�k��z|,^��cO�b	����E����r��`H��b*�`����n*�uo����r`�����[m+�m������J�
�
*� �!�t>
/�(P:O����0�CP�2�C�
�Gb������&�BZ���*�jX{�[Z�V��	�i����
Wh��
H,���������-����!�#���(�k�r=�����w��N������]T������.�=>����9�Z~T��K��I��A�U
�.
���6'I�;~3�P>�Q�$L�X��� ��?��s�"�2"-���@>�R!����#�2�`�������F�{���/�s�!�6������W��:��4��6��G�+V����������B��3�����L����4l��L�V��2��xG��Pm�/C�P�pZ�<1dh`cB��T���W��6�-��N�ej��"�ac�XJ�H��$��jh�4x�1��x��(&A)���=9~ga��3�dB[�����Fw���	�#���*���R\E
2l��t���o�s�%�eq
8>-�^Rm�?	�@<?��U~?^d��Ts�����F��_A�����R]�>��*��� ,c������8����?0�z����|e&��kG����oc�>�E��$nm�PYO���\A�.���DD!�B)l�4�e[�Q��X(e5M0Z0	��'��
q;�Q_-p��
���`��Q�9�%-�RX(�����s3sL�i��W�S�UQA�G��������������c�E"Y�>uf]��k��EsH����_A`��l2-�
4���u�vW/0�u�v��
��%4���
�4�(���Mv��������&�m,�1�x&�t�Ge�
�)�L���y���B����g�
�n�<mo����H2�x?�������V��f[�nR�P�ci+P��<�W��/��1n�X�hb��������
5�{�c:k�����8��_�=��
�����m���&N���i��6�����`UA�15�x^'�	���1�#�<���
g((:�������\j�>pNI7cs�dfl���a-	�B�T@!������B�����9/���� m�9�����7B=�������x�������	�'.���#9�Ln
�����Ws,����
(Us�$����e�-��a('s !8 �:�x�����
;(��,��T��*Mx��Z������4����xyMe�0�Y.��g<4G,1��N_P�T��+d����hu<g)4������L>��z��T|d9�0a��74��ho��`LX
��^H6%�>�P(\���u����~�g���_?��zXs���\A����d(~P:	��N�%�����M��|	U$����xzGq"�m��@�A<��&�F��"�(�[E:�4Nr?-�$R��1�>��#�t��yVbR����"�+��� uI=8.�����������[���3���~�w'��s�������X��DjYJ���LV����"��EY=][/�	�6S!����{�j���+
J�do���Z�jI|*������}!b��h��A'���.����"�	T�Z�;�~�MQ�W���TVTL1�6]���$K���[��h}���nt1��gz>|�o�Ap�Lv���y�Ui����P�;�����
v6�
K:����������x=�=t�u�7����v�����z��o��l���K�g���T�e\�m���p>�D0��O��Z�z�JG�0���Q 
%���gY�	s����H���P�U��u������.��.�W!_��K���K���jT���
��n��P���g�-~
�e��KB$3�&�:�K�'bWf�d�b�SY��h������u�$^Il�X�b�l��V��2�Cd����pp���
������:�n�������H����3 �l�~�l�BZ��Jf�,p��m�����SKS�F�Za[U�}tf���=�0,���L�����
��%�C����
d��QB�����������wP%D0�������7g�����������Q.��������h�]�C�����@�Kp��`r��[��w������L��
x�����YXZ_��Z|����q����H}��"��Z>������_^M�`	����B��U�
������e�KkO��cb��6�C����y�"���$'��s�����:|��x(�T8����v��{
I�2��6=��x��G���X�/����e����|���y����I�'k���;�S��DN_��;Z4�:+���.T�RiY�,Cn�����D��?+��Z5����X��Cf��w�XM����%���=��7��~����^����r4���R�e��iq���������L��^m���I�S�����6��O.Y����?{o�|�]z
���
=
�O����i4�\���+F7�X��$��>��:w�,%�x�9�q���������|���r ��S��W���]�_�Zy�Q�_\|�o�/�������`>�Y���K��>�?:����p���}8=|ka8�Hh�����<�� ���A��^`�C���W��N}�5q_�����)��]hO8�Q����J��f�5����|�M�U��-+o��������\C�#�bt
�V�������������7���u�.����������in����5����T*�������BIo�fiYK�	n��n33�p�6|Q��*�*���$�6b�E���h�^�;C���\65J�J,[�����@Cs;�9@�����|�]�_\�V�E`��Ba#y+����qo�`����������Q:��FX���l0��K+�ba���3+����/�!�l�B6��?z��X���g������3�M�E���	Q�s�0@����;_��r�����6O��|��//D��,��6#�=,��/�
����-%U���n�����^�$�f�e�<.����/r�;_����vw���E�W�?r
�m-���i��E#���d�,
����b�\
&��.���/���x�H������K��
�K���|C�����E�NE}����������&
ev�M�9-23�����������
����e�6b	����n�o ��������\�G���Ki��)�X�
�,q��U�A6�<�R�k�}}����R��2����e����!
i�Z���r��;��k�lb���������t���������>E���=}���P"�)M`5�(�!������
J3�k}x���o�i�.�q��vw�VXe�b�Eq7��T��D�n�hs�F��w��TA{��d���=w�������N�j��^G%{�k�@�sX�\�pn��|�
����5��^wP�BT�=�q�7��"H����3��sx~�����v��c����+�A�f�%A��U�,Z������r'z��U��Dk������������2F?���px��Y����
�l_�{{�6�������������}rK)�M������X,�����7m*�tcE�7��T�uoi�'�����MJz����5�=<GT�������3j{�^c�M:�a�������w7��_D��)r��$r��j���b���?����Q�/�y��[,r������xsc�K�-�J���r!U�j
������"_+�W�X�����OK�@��
����������D
�(P�,���i
^/%m*H�<���Q��
�$�X���"+�4�����4�_$��]m���1H� %5��d_�Ql���2~��X!g���������]o�u2
�����g.�g���nt��#�LL�4���z��6"4�^o���;�dP�2g"���d�\���"�E�VY���/��2�����&��N��.�\���30��?��|8;_�����4:M�i�q�\�a��A��������C��M
����%����,��V
��a1�@e�f�V~�U�H�bS]��2�*����3}�]wv�ew���-���]O�����$�|u^/��:
�#VblNz��x'�#���.��:�.��<��i���*���1o}�8
e�2<;�'���-dB������j1��?�����}mqY��d=�1L,�Z]!��Jm~T�pO�i7b&y���lU���������j�+8���������K��=Xz �+�yqN�M*���_\�6�V�X�����
`Ij�pr0� J�$��:!��"_��)^�����N�LoW,��h�
��q6��n8)�-�h�����������o���+�J�\��a���xh�>49N}$Nzh�#]�:Xm�������nu������!�d�B#+*r
E��3�25g���^&������e��~�	r�L������M��3Xg�t��P�Z'�ok�k��nI��Ew��M�Q�W�U	�|�o���5�[Q����G��h���q5D�O�(y�0�i�TM��$b�iC��g:>���Gp���Nh�s����j����������������Z��D������$�U�~�����Q#�y$���jjfi�_SF�����X*��nY���bD��,�m	U���H���	s�<+t�WYTx������u�����
��!��#d��������;����w�o��:8������4xE��0�mv�v��X}��-D	[��a���B�l�i��aO��L�#,[�/�]���z�a��YK;��?����u���t�Uv1����v�^s�H�s�[�CG���{��^;�E�d�cZ.
�q�bD�<_d�7r`�G�������������k9�Z�9b�v/[�s�����l��/����M�b{�/�����1�18���|������6�"�v36��;�w���{��n����x5Q�[_:}�sOl^M��\����������������k����I������>a��q�^���s�M��
w��Z�]����;3�V��_�%R�>�����~s+���Q�D3���c���Y�K}a��������_�����S��Z�=���f���f��W��c	�Qd�:���:y��(�VtG!�������D�o����$�����
P���L����/)���
bD;�����Y��hH8�������~\�N�=�%zw���Y�D��+nVZ��r��p����w��N��?b1
�������Cp�m=���yN`�!i4�v�vZ=��[�H:�VB��&��������
�g������
>�����������X����>b���L'�0CG�W�I
���a%����-mb,�����Z�ZM
�ZnUF��t��v�u\wTA�B'��v>1>����:��l�y�*��v��?t��xD*Q�
���R�>W����a��5��!������z���E�v���`��\T��{���
I�u��bw�V��g�|6�����Q�K�p��(z��3�����5������O�bT��7y� �ed��0|��0��gL,�������_��Z��������1
�\
S]������o��M�W��?G��-RSa>��E�����_��}���f�n�3�,�a�0��YG*�7���5��Ov>���{�:�[yD�o��9
��pig aOO�%Lg�PF�9��_3	CTG����t�Ma��bd�M��4��o�����}�m�#���(*�����7�����T�w?%�_��M-�{�
a�e���_�@�m6�����r�h�
�3>|Q�^i��S?^���?=���l
���
����������E��=���yj�N�Z�������^�vz��Y�t�Xj��E��P�t��������c�u�Q3�m�f�;����|nj��E��/�E�|dj���5���Z�k�B��;_��/j����Z�E�L��N�y�_�Vx�fck�f��Jz%n[���_�I��6����F~Q$�(�_�/���)�H�u�}z�wz�������?� ������|+��"kZ� "�Z���
�+������{�����s��(X�Ck���E����	��!�6�F_��N���<������^k�t�b���_�H��E�6o��;)��ZM �q�//�a8
�a}]���n���ur/4_c���F�vN��bY7����������������-� �N���[-�WS�Ab`G(D�+DoN� �M}#^QHiM�"��r9��bd�Y�LN�m��������e��r
������P3.�[�r��_N���I)���&���4���]iI>D; ���IM�Ij
}JSZ=�p'����|�Y��&�l��MW�����8�n��:
�����N�KK�mtm�ubE�i�')o�j0!k���&1���\��s���+����XR�ym�/���-�q�o+of-V���Xh'��@��Yu5E������?Gf�O|����V�������u>���\�`����f��5��\����m�t����6��Z���g��'�	�4
~#�Hp b��A��7�m�k�����X�{�?�n���	�c���.�*L"����y'~�.5���cU�V+�c�FF��$S/���~���0|]]p�h�m%v/���w����?
3������u�j;���u��-���q&~Dev��!�-*�T���A����C�U{Z��_�(������Ac&	�,�	��g����H[A��7�m�x9�Hb���P|��XQz�C/�lSP���A���'��W�����`t��>��w���TG#R�~�	:�Ki����r��k����(I�/!=��,���*�'��7NO������/
�oa�,����x�����I�q&P�x�T�J�[�������q�u��3���O��`�
�
P2����1 UF�G��r:���[�z/~�,��x����7�[���?yj��`G�d�v���U������f�]/�$^���~#v���6O�����[�O'���4����r���lk~��,|�!�_��l ��l��K3\�������5�4�}���������,����Z(���
r���HoG��GA�V0�d����:�W!����������������x���_�?�x�y,jtiK���%���� ���������i���:us�l��
����t8�����z�X
���������
�������������#�E
�og�X������<���,�T��p�����X����r7�u(�+=1�ey[��_^<��?+?r@!�8�p�q�L�i�����]Z����NH\�P�@��_][n��68Yc~g�e��dY>T�����s�,:7&��FC�[SgHP��l��m ��
��2�Ck\6�����o��9��(
h<^
Y;���~����t� ��h��/�D�N����$>����AtW����[v���[h2[8���cw��Nvb*�?;[���r�������P�v#v�A�6�}��h4��#V��2�F���2�p�-R�:�D�����ma��j�=�D���W����b��6G���l4��	Y!��|�
�N[3x]L��7[��,�=[�\9]��M-�����~����W�T����0��:�g��d��8�Xr�5)^�Xz;�k��}5/�����N�9yd[�;&�R�EJ��N��P�<9��� ����m��
�J-�UaCe�4�z����w��7�t�nj�V&9YE�U�
'PL�>��G�w4����FZ�!1�6�l���;�Gv�W�	�/�4���&��w9���F����x��o/����Z�����������
�\�tgo�h\y%�+���">b
�hN�yU�
��<�
��8�u�qT���z������q��T7��������c�{�Zl��5�r����)w���N���u�������V_�Nj�;y����UO�[s��P^���8��\���E�@��8l"�D�[$\	.������D���Hp�D�V�C��H���������D<�O+-���X���E��t�(>�������<���Hs7�][���q���D���H�H�4Y�4Y�4Y�h� i�������M.���������)~������V����;���YY7�|k(-�nRoq����.�Ew-|Z�
����>���������x+-|Z�m,�������)+�`&Z�2�������|�]������������ �8/�G���/�Z�PVh��7O�p5������6����!o��L��C�b�g��0��;`�oa�^8�G��b����Q�VM�j��Gk�gg�|i
�ywvl
-�������������M��l�T��a����2�=��]ujwf��nk��������,���,�v�X6<�}��
6��d����>Z�����������gd�mbe�f,I�P��F���5��{���P��(vc(���
����P��`(]�|���c�'��8�-,�wmP���v�V��X��*���o
+0���W&�V�*�`:�I~~;�X"�����s�^.�0�������1G������������
.#���N5����z��'���pG+��'�!E���@IK��
�R��n���&�3
�\^`�(��<���9�����P�5P#�0����Y�OJ|�+�F��tG�pM�pK�af�\�H���� �C����J�W��Y��"����/�����`�Kx

Tom,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:

Dean Rasheed <dean.a.rasheed@gmail.com> writes:

On 25 October 2016 at 22:58, Tom Lane <tgl@sss.pgh.pa.us> wrote:

The alternative I'm now thinking about pursuing is to get rid of the
conversion of RLS quals to subqueries. Instead, we can label individual
qual clauses with security precedence markings.

+1 for this approach. It looks like it could potentially be much
simpler. There's some ugly code in the inheritance planner (and
probably one or two other places) that it might be possible to chop
out, which would probably also speed up planning times.

Here's a draft patch for this. I've only addressed the RLS use-case
so far, so this doesn't get into managing the order of application of
join quals, only restriction quals.

Thanks much for working on this.

Just a few relatively quick comments:

2. In order_qual_clauses, sort first by security_level and second by cost.

I think that ordering might be sub-optimal if you had a mix of
leakproof quals and security quals and the cost of some security quals
were significantly higher than the cost of some other quals. Perhaps
all leakproof quals should be assigned security_level 0, to allow them
to be checked earlier if they have a lower cost (whether or not they
are security quals), and only leaky quals would have a security_level
greater than zero. Rule 1 would then not need to check whether the
qual was leakproof, and you probably wouldn't need the separate
"leakproof" bool field on RestrictInfo.

Hm, but it would also force leakproof quals to be evaluated in front
of potentially-cheaper leaky quals, whether or not that's semantically
necessary.

I agree that this is a concern.

I experimented with ignoring security_level altogether for leakproof
quals, but I couldn't make it work properly, because that didn't lead to
a comparison rule that satisfies transitivity. For instance, consider
three quals:
A: cost 1, security_level 1, leaky
B: cost 2, security_level 1, leakproof
C: cost 3, security_level 0, leakproof
A should sort before B, since same security_level and lower cost;
B should sort before C, since lower cost and leakproof;
but A must sort after C, since higher security_level and leaky.

So what I ended up doing was using your idea of forcing the security
level to 0 for leakproof quals, but only if they have cost below a
threshold (which I set at 10X cpu_operator_cost, which should take in
most built-in functions). That at least limits the possible damage
from forcing early evaluation of a leakproof qual. There may be
some better way to do it, though, so I didn't go so far as to remove
the separate leakproof flag.

I'm not a huge fan of these kinds of magic values, particularly when
they can't be independently managed, but, from a practical perspective,
I have a hard time seeing a real problem with this approach.

Some other notes:

* This creates a requirement on scan-planning code (and someday on
join-planning code) to be sure it doesn't create violations of the qual
ordering rule. Currently only indxpath.c and tidpath.c have to worry
about that AFAICS. FDWs would need to worry about it too, except that
we don't currently allow RLS to be enabled on foreign tables. I'm a
little concerned about whether FDWs could create security holes by
not accounting for this, but it's moot for now. Custom scan providers
will need to pay attention as well.

I'd certainly like to support RLS on FDWs (and views...), but we need to
hash out what the exact semantics of that will be and this looks like
something we should be able to address when we look at adding that
support.

* prepsecurity.c is now dead code and should be removed, but I did not
include that in this patch, since it would just bloat the patch.

Sure.

* Accounting for the removal of prepsecurity.c, this is actually a net
savings of about 300 lines of code. So I feel pretty good about that.
It also gets rid of some really messy kluges, particularly the behavior
of generating new subquery RTEs as late as halfway through
grouping_planner. I find it astonishing that that worked at all.

I'm a bit surprised to hear that as we've been doing that for quite a
while, though looking back on it, I can see why you bring it up.

* Since the planner is now depending on Query.hasRowSecurity to be set
whenever there are any securityQuals, I put in an Assert about that,
and promptly found three places in prepjointree.c and the rewriter where
we'd been failing to set it. I have not looked to see if these represent
live bugs in existing releases, but they might. Or am I misunderstanding
what the flag is supposed to mean?

They're independent, actually. securityQuals can be set via either
security barrier view or from RLS, while hasRowSecurity is specifically
for the RLS case. The reason for the distinction is that changing your
role isn't going to impact security barrier views at all, while it could
impact what RLS policies are used. See extract_query_dependencies().

* Aside from plan changes, there's one actual behavioral change in the
regression test results, but I think it's okay because it's a question
of whether to put a non-RLS qual before or after a leaky qual. That's
not something we are promising anything about.

Agreed.

* There's one test query in updatable_views.sql where the plan collapses
to a dummy (Result with constant false qual) because the planner is now
able to see that the qual conditions are mutually contradictory. Maybe
that query needs adjustment; I'm not sure what it's intending to test
exactly.

Would have to look at the specific test in question, will try to do so
this week, though I'm also planning to be more involved in the CF this
month and want to make progress there.

Thanks again!

Stephen

Stephen Frost <sfrost@snowman.net> writes:

* Tom Lane (tgl@sss.pgh.pa.us) wrote:

* Since the planner is now depending on Query.hasRowSecurity to be set
whenever there are any securityQuals, I put in an Assert about that,
and promptly found three places in prepjointree.c and the rewriter where
we'd been failing to set it. I have not looked to see if these represent
live bugs in existing releases, but they might. Or am I misunderstanding
what the flag is supposed to mean?

They're independent, actually. securityQuals can be set via either
security barrier view or from RLS, while hasRowSecurity is specifically
for the RLS case. The reason for the distinction is that changing your
role isn't going to impact security barrier views at all, while it could
impact what RLS policies are used. See extract_query_dependencies().

OK. In that case I'll need to adjust the patch so that the planner keeps
its own flag about whether the query contains any securityQuals; that's
easy enough. But I'm still suspicious that the three places I found may
represent bugs in the management of Query.hasRowSecurity.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

On Thu, Nov 3, 2016 at 6:23 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

I think that ordering might be sub-optimal if you had a mix of
leakproof quals and security quals and the cost of some security quals
were significantly higher than the cost of some other quals. Perhaps
all leakproof quals should be assigned security_level 0, to allow them
to be checked earlier if they have a lower cost (whether or not they
are security quals), and only leaky quals would have a security_level
greater than zero. Rule 1 would then not need to check whether the
qual was leakproof, and you probably wouldn't need the separate
"leakproof" bool field on RestrictInfo.

Hm, but it would also force leakproof quals to be evaluated in front
of potentially-cheaper leaky quals, whether or not that's semantically
necessary.

I experimented with ignoring security_level altogether for leakproof
quals, but I couldn't make it work properly, because that didn't lead to
a comparison rule that satisfies transitivity. For instance, consider
three quals:
A: cost 1, security_level 1, leaky
B: cost 2, security_level 1, leakproof
C: cost 3, security_level 0, leakproof
A should sort before B, since same security_level and lower cost;
B should sort before C, since lower cost and leakproof;
but A must sort after C, since higher security_level and leaky.

Yeah, this is pretty thorny. IIUC, all leaky quals of a given
security level must be evaluated before any quals of the next higher
security level, or we have a security problem. Beyond that, we'd
*prefer* to evaluate cheaper quals first (though perhaps we ought to
be also thinking about how selective they are) but that's "just" a
matter of how good the query plan is. So in this example, security
dictates that C must precede A, but that's it. We can pick between
C-A-B, C-B-A, and B-C-A based on cost. C-B-A is clearly inferior to
either of the other two, but it's less obvious whether C-A-B or B-C-A
is better. If you expect each predicate to have a selectivity of 50%,
then C-A-B costs 3+(0.5*1)+(0.25*2) = 4 while B-C-A costs
2+(0.5*3)+(0.25*1) = 3.75, so B-C-A is better. But now make the cost
of B and C 18 and 20 while keeping the cost of A at 1. Now C-A-B
costs 20+(0.5*1)+(0.25*18) = 25 while B-C-A costs 18+(0.5*20)+(0.25*1)
= 28.25, so now C-A-B is better.

So I think any attempt to come up with a transitive comparison rule is
doomed. We could do something like: sort by cost then security level;
afterwards, allow leakproof qual to migrate forward as many position
as is possible without passing a qual that is either higher-cost or
(non-leakproof and lower security level). So in the above example we
would start by sorting the like C-A-B and then check whether B can
move forward; it can't, so we're done. If all operators were
leakproof, this would essentially turn into an insertion-sort that
orders them strictly by cost, whereas if they're all leaky, it orders
strictly by security level and then by cost. With a mix of leaky and
non-leaky operators you get something in the middle.

I'm not sure that this is practically better than the hack you
proposed, but I wanted to take the time to comment on the theory here,
as I see it anyway.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

On 8 November 2016 at 14:45, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Stephen Frost <sfrost@snowman.net> writes:

* Tom Lane (tgl@sss.pgh.pa.us) wrote:

* Since the planner is now depending on Query.hasRowSecurity to be set
whenever there are any securityQuals, I put in an Assert about that,
and promptly found three places in prepjointree.c and the rewriter where
we'd been failing to set it. I have not looked to see if these represent
live bugs in existing releases, but they might. Or am I misunderstanding
what the flag is supposed to mean?

They're independent, actually. securityQuals can be set via either
security barrier view or from RLS, while hasRowSecurity is specifically
for the RLS case. The reason for the distinction is that changing your
role isn't going to impact security barrier views at all, while it could
impact what RLS policies are used. See extract_query_dependencies().

Right. securityQuals was added for updatable SB views, which pre-dates RLS.

OK. In that case I'll need to adjust the patch so that the planner keeps
its own flag about whether the query contains any securityQuals; that's
easy enough. But I'm still suspicious that the three places I found may
represent bugs in the management of Query.hasRowSecurity.

I don't believe that there are any existing bugs here, but I think 1
or possibly 2 of the 3 places you changed should be kept on robustness
grounds (see below).

Query.hasRowSecurity is only used for invalidation of cached plans,
when the current role or environment changes, causing a change to the
set of policies that need to be applied, and thus requiring that the
query be re-planned. This happens in extract_query_dependencies(),
which walks the query tree and will find any Query.hasRowSecurity
flags and set PlannerGlobal.dependsOnRole, which is sufficient for its
intended purpose.

Regarding the 3 places you mention...

1). rewriteRuleAction() doesn't need to set Query.hasRowSecurity
because it's called during "Step 1" of the rewriter, where non-SELECT
rules are expanded, but RLS expansion doesn't happen until later, at
the end of "Step 2", after SELECT rules are expanded. That said, you
could argue that copying the flag in rewriteRuleAction() makes the
code more bulletproof, even though it is expected to always be false
at that point.

2). pull_up_simple_subquery() technically doesn't need to set
Query.hasRowSecurity because nothing in the planner refers to it, and
plancache.c will have already recorded the fact that the original
query had RLS. However, this seems like a bug waiting to happen, and
this really ought to be copying the flag in case we later add code
that does look at the flag later in the planning process.

3). rewriteTargetView() should not set the flag because the flag is
only for RLS, not for SB views, and we don't want cached plans for SB
views to be invalidated.

On a related note, I think it's worth establishing a terminology
convention for code and comments in this whole area. In the existing
code, or in my head at least, there's a convention that a term that
contains the words "row" or "policy" together with "security" refers
specifically to RLS, not to SB views. For example:

* Row-level security or just row security for the name of the feature itself
* row_security -- the configuration setting
* get_row_security_policies()
* Query.hasRowSecurity
* rowsecurity.c

On the other hand, terms that contain just the word "security" without
the words "row" or "policy" have a broader scope and may refer to
either RLS or SB views. For example:

* RangeTblEntry.security_barrier
* RangeTblEntry.securityQuals
* expand_security_quals()
* prepsecurity.c
* The new security_level field

It's a pretty fine distinction, and I don't know how others have been
thinking about this, but I think that it's helpful to make the
distinction, and there are at least a couple of places in the patch
that use RLS-specific terminology for what could also be a SB view.

Regards,
Dean

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

On 8 November 2016 at 16:46, Robert Haas <robertmhaas@gmail.com> wrote:

On Thu, Nov 3, 2016 at 6:23 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

I think that ordering might be sub-optimal if you had a mix of
leakproof quals and security quals and the cost of some security quals
were significantly higher than the cost of some other quals. Perhaps
all leakproof quals should be assigned security_level 0, to allow them
to be checked earlier if they have a lower cost (whether or not they
are security quals), and only leaky quals would have a security_level
greater than zero. Rule 1 would then not need to check whether the
qual was leakproof, and you probably wouldn't need the separate
"leakproof" bool field on RestrictInfo.

Hm, but it would also force leakproof quals to be evaluated in front
of potentially-cheaper leaky quals, whether or not that's semantically
necessary.

True. That's also what currently happens with RLS and SB views because
leakproof quals are pushed down into subqueries without considering
their cost. It would be nice to do better than that.

I experimented with ignoring security_level altogether for leakproof
quals, but I couldn't make it work properly, because that didn't lead to
a comparison rule that satisfies transitivity. For instance, consider
three quals:
A: cost 1, security_level 1, leaky
B: cost 2, security_level 1, leakproof
C: cost 3, security_level 0, leakproof
A should sort before B, since same security_level and lower cost;
B should sort before C, since lower cost and leakproof;
but A must sort after C, since higher security_level and leaky.

Yeah, this is pretty thorny. IIUC, all leaky quals of a given
security level must be evaluated before any quals of the next higher
security level, or we have a security problem. Beyond that, we'd
*prefer* to evaluate cheaper quals first (though perhaps we ought to
be also thinking about how selective they are) but that's "just" a
matter of how good the query plan is. So in this example, security
dictates that C must precede A, but that's it. We can pick between
C-A-B, C-B-A, and B-C-A based on cost. C-B-A is clearly inferior to
either of the other two, but it's less obvious whether C-A-B or B-C-A
is better. If you expect each predicate to have a selectivity of 50%,
then C-A-B costs 3+(0.5*1)+(0.25*2) = 4 while B-C-A costs
2+(0.5*3)+(0.25*1) = 3.75, so B-C-A is better. But now make the cost
of B and C 18 and 20 while keeping the cost of A at 1. Now C-A-B
costs 20+(0.5*1)+(0.25*18) = 25 while B-C-A costs 18+(0.5*20)+(0.25*1)
= 28.25, so now C-A-B is better.

So I think any attempt to come up with a transitive comparison rule is
doomed. We could do something like: sort by cost then security level;
afterwards, allow leakproof qual to migrate forward as many position
as is possible without passing a qual that is either higher-cost or
(non-leakproof and lower security level). So in the above example we
would start by sorting the like C-A-B and then check whether B can
move forward; it can't, so we're done. If all operators were
leakproof, this would essentially turn into an insertion-sort that
orders them strictly by cost, whereas if they're all leaky, it orders
strictly by security level and then by cost. With a mix of leaky and
non-leaky operators you get something in the middle.

I'm not sure that this is practically better than the hack you
proposed, but I wanted to take the time to comment on the theory here,
as I see it anyway.

Yes, I think you're right. It doesn't look possible to invent a
transitive comparison rule.

I thought perhaps the rule could be to only "push down" a leakproof
qual (change it to a lower security_level) if there are more expensive
quals at the lower level, but as you point out, this doesn't guarantee
cheaper execution.

Regards,
Dean

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Dean,

* Dean Rasheed (dean.a.rasheed@gmail.com) wrote:

On 8 November 2016 at 14:45, Tom Lane <tgl@sss.pgh.pa.us> wrote:

OK. In that case I'll need to adjust the patch so that the planner keeps
its own flag about whether the query contains any securityQuals; that's
easy enough. But I'm still suspicious that the three places I found may
represent bugs in the management of Query.hasRowSecurity.

I don't believe that there are any existing bugs here, but I think 1
or possibly 2 of the 3 places you changed should be kept on robustness
grounds (see below).

Agreed.

On a related note, I think it's worth establishing a terminology
convention for code and comments in this whole area. In the existing
code, or in my head at least, there's a convention that a term that
contains the words "row" or "policy" together with "security" refers
specifically to RLS, not to SB views. For example:

Agreed, at least for 'row security'. I tend to view 'policy' as just
about sufficient to stand on its own, in an 'object' type of context
(vs. something like a 'policy decision'). There aren't many other
mentions of policy in src/backend either, the notable one I found
quickly being 'LockWaitPolicy'. That strikes me as pretty distinctive
from RLS-related policies though.

* Row-level security or just row security for the name of the feature itself
* row_security -- the configuration setting
* get_row_security_policies()
* Query.hasRowSecurity
* rowsecurity.c

On the other hand, terms that contain just the word "security" without
the words "row" or "policy" have a broader scope and may refer to
either RLS or SB views. For example:

For my 2c, 'security' is a pretty overloaded term, unfortunately. We
also have things like fmgr_security_definer(), fmgr_info_cxt_security(),
the security label system, etc, so I don't know that 'security' can
really stand on its own, except perhaps within a specific context, like
"within the rewriter and planner/optimizer, 'security' generally is
going to be talking about security barriers, be they for RLS or security
barrier views." Even that is likely a bit of a stretch though. I tend
think we should move in more of a 'Security Barrier'/'SecBarrier' or
similar direction. Anyone working with the code associated with this
should understand that RLS is built on top of the security barrier
system.

I'm not sure we need to get particularly wrapped up in this, however, or
go making changes just for the sake of making them.

It's a pretty fine distinction, and I don't know how others have been
thinking about this, but I think that it's helpful to make the
distinction, and there are at least a couple of places in the patch
that use RLS-specific terminology for what could also be a SB view.

I agree that we shouldn't be using RLS-specific terminology for
components which are actually used by RLS and SB views.

Thanks!

Stephen

Stephen Frost <sfrost@snowman.net> writes:

* Dean Rasheed (dean.a.rasheed@gmail.com) wrote:

On 8 November 2016 at 14:45, Tom Lane <tgl@sss.pgh.pa.us> wrote:

... I'm still suspicious that the three places I found may
represent bugs in the management of Query.hasRowSecurity.

I don't believe that there are any existing bugs here, but I think 1
or possibly 2 of the 3 places you changed should be kept on robustness
grounds (see below).

Agreed.

OK. I'll push a small patch that adds two of those and a comment as to
why it's not appropriate in the third case. HEAD-only should be
sufficient since we don't think this is a live bug.

On a related note, I think it's worth establishing a terminology
convention for code and comments in this whole area.

For my 2c, 'security' is a pretty overloaded term, unfortunately.

Yeah, I think we'd be best off to avoid the bare term "security".
It's probably too late to change the RTE field name "securityQuals",
but maybe we could uniformly call those "security barrier quals" in
the comments. Then the basic terminology is that we have security
barrier views and row-level security both implemented on top of
security barrier quals, and we should be careful to use the right
one of those three terms in comments/documentation.

Or, if you are willing to put up with renaming the field, we could
call the RTE field "barrierQuals" and then they are just "barrier
quals" for documentation purposes. But this would be a PITA for
back-patching, so I'm not sure it's worth it.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

On 10 November 2016 at 17:12, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Yeah, I think we'd be best off to avoid the bare term "security".
It's probably too late to change the RTE field name "securityQuals",
but maybe we could uniformly call those "security barrier quals" in
the comments. Then the basic terminology is that we have security
barrier views and row-level security both implemented on top of
security barrier quals, and we should be careful to use the right
one of those three terms in comments/documentation.

+1 for that terminology and no renaming of fields.

Regards,
Dean

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

* Dean Rasheed (dean.a.rasheed@gmail.com) wrote:

On 10 November 2016 at 17:12, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Yeah, I think we'd be best off to avoid the bare term "security".
It's probably too late to change the RTE field name "securityQuals",
but maybe we could uniformly call those "security barrier quals" in
the comments. Then the basic terminology is that we have security
barrier views and row-level security both implemented on top of
security barrier quals, and we should be careful to use the right
one of those three terms in comments/documentation.

+1 for that terminology and no renaming of fields.

Agreed.

Thanks!

Stephen

Stephen Frost <sfrost@snowman.net> writes:

* Dean Rasheed (dean.a.rasheed@gmail.com) wrote:

+1 for that terminology and no renaming of fields.

Agreed.

Here's an updated version of the RLS planning patch that gets rid of
the incorrect interaction with Query.hasRowSecurity and adjusts
terminology as agreed.

regards, tom lane

��(Xnew-rls-planning-implementation-2.patch�\ms�8����
�W��I���l��q<����Y���}RQ$qL���������
�(������K�$�4�~y�A�4��T�?�r��,����N��I:�f7LW�"	� T���?�����������h0�L�a�?S������g;;;_�Y����(;�?jL����(�/�Y�	�����J��2��hot����S���s_���~��R[gW��{������z������NZ�:�)���T����v�ko���mz�2���<� ���e[�X��,Mg�Y�?�c}�co��/n~<}�����'
������y�]�.�LO���UQ5�>�>������:�H��a8�:����@5�<��h����W}(�)������C�}~|z}>~w���f�Uy\3hd���,`�iz�<���_nh��%���������L�8&�~��@�c�R=��r�<9<���h����k��	��*^�5G���q�$:c/��H��p���y[�98��|���^������^ryu�T��y�s��*�k�S��:��m��[:+4�eA�Gi���7���e����/��k����kJA1ns"i�����m��E��h��7A6��������97�[\p/��4j�����V�#&@��p���_�
��!}u���7�jM#��g:�k��Q�ZM��E���A��Za�\����%Z�}��;�A��V�=4��o�%��7��o6^"��)|�yb	��
�k�1��D�_Z�{,�b����:�)����tyr����Iu�zu8��8��T���e�"6�������Y����ACs�Z��������t��.��<�K|QT5:8�^�=U������fUm k���c�q�Xk�`kZz	��:��f���O��*���������?�7 �������I�f�q��#idM�zYk�t�XN�o����R��:[+���^�� ��qt�;>��}qrx��f�[�T	(i����.������6����Qi�����q���������

������D�����Y�L�E��(=�Ead�z�X]�mm:�S�^����>�*P�uW�V�H��
Mi�p���z����6o%}0���,�
1�W�HS|����n�.��b�/x��P:1,�CB�6���6m��D�\����hIL�Gw�+A�#%i�
_$yCP0��@����T����l���O�(�n�(mQ
���oP��^-���Z!M���a��%6l��x0���3RM�8����#�x9�XZ"�)U
��K�.��6&���A!�:�P+�,��
,��K�`�&��*���/�L����f
H���!��2���X_�M����@�"a7���I*G0��x�����b
����dM1�}����n�H{��2HB�������B�6
o���*j��M�8@��x^�0���Seeb�:�f7j.��������Yu�k�h���{��J�����S�	3���t��z^����	|�fY�d7����s�F��ikI!�F�<C! -
�Du=��>-X}�u0�y�uBN�^��	T0%O�T%@�%'
��y�~�� ��Mo#q�:"��%��*�/"9�0�cX���EL0�L0����[�z�������YZ��e
m2��Ej�����������w��
�C`�x�C�M�
'��{P��c����K��3�P��Lm��������U\�2�����0$q����U!\�eD;����_���)�hF�.
��X�)�L4��cLs�����������k��+��E�/�p!M1��!�e�jq��`i��du��-	��@��#$�$�jNH��F�h�-J�:�96���s���E���\��J`-G���	
xYv1�zbB�D��)���M�h%A	����c���5S��a��,�`20VU�y�(�3�t��u����F��P���	y��
�)��GI�9P�|��+B�sJ��	��p�Rt�I�1����D�u��3��f�F��-�,2����Rid� $�Cxc\�;#M��H�QP�y]�����M����f���'p~�G��6 -�����������:?{�\��(��$5g�1���	��&\�j��@R~�"�L����u���Q_*!$M<�!%�AFp89
�4j����0g���X�H�ly��W3������^FyNN�k+"'
�C?�E�T\
N^��u��ELl5E*%��j�dB�����i�QG���S��.��l-�A����F��vnn��Y�K��������5�I�#��Qe&�7�w�b�6�)���U�L:��p���J��Z\m�
�U:,�g�������$+�H\�u�:�)�x@����Lw�*(Ds��)��w��Y
}fc�A�Y]r�(�'-��g���2�\�����Y��-Ps�>W�5 �����OI/NMH:���c���S����_iFz��|��&i�T'q�}*&���cG��u�����B��E$r=����?c�4dt��������lI�)���2#�Jt	�F�Z�t��I�	��-��g��d����uD��L��!��a������4��UK�t�\
MX�o�b��2eI�{��3�����������`�����_|��8���-i2DI��.�|�g7�z���N�������A8��N+��Xg�����H|�U-Z��K%�r�qo������m�Y�L��;Us���e9����1��r����~c3k��xCQ��pUC*<��y�������i��[
��C�Nxg�{t�\���b9�U	E���-#Q�	��v����s?�]So[G{�U�������9!6QHdD�3��E�Z�nL��{�
����)N��Ef��I�s����J�����O��,J���v_�(��
H��L=.IS�N��M"��GrB�A�i�9y�mv'p(U�
 m8W�@�R���^��
*�z!�)���
)c�=���'�*}J=���
��.�I����mlg��z�g'����f�O��6%=V�m�m�c����6\�t�x�|jp�-���O{'{������u����$>O�Xh'���7�������>��������Z���s<xL�?�:�i�������?�n�?����qB(KW���!�����+���amE3�A+:^����������~}���J���tXl���tAcmm�?��w��$M��-J�c����
~������Gq�;�������wr�y.8Cu"@L2.��;�=Nm�Q������6����.%��L��A6���b
l6
��rF:�����z�C����u(er�I����3������H}W�K$�(f�	 4
T"�K;�w',dZ ��������Y+}!�������V���Rw)�v�fwY\��jw�@�`.N�p�3�8�(&�=Q������</2��inG��HRvuF��>Up��TU�q����|��i9�^���@Q;]l@��I��,�Ay$w������d�7�Q��R���9��U���C�s��C�#�T�w�(��H���0��=.a�]<��N���-��#1tF����U��y��7��z�'ey��v�l���@+f�40y<���8�.�����s���y���RN�D�����\%���D�T�m\o9�"(���#�Z
���s9����QRh���Y��?�U���*�s�����6t�����^�92�_��Z�(_v��S��KG6���9��������a��Z�t��O���e)y��^��{��KB�P�|#:����-���N�������e\�G�09��T:@&����H������Jl�J�-c-�b�JI��mi��������NL}�[�W4��������g�'���H����"e�%�_������yUB�Q��0b'{�=p�_���&32�}s��i[�/?BW�)=���s�;��<V�fB���t�������)�&@��������|P{.�n����6�}����eM���d��5
w������9�vt�j���8+��m��<+�[�k�1o��/��'ys�����4KW��/G���b��t�T
���.�{�!���F��v��G����3�����������TM���'��w����e����i��
Z�<����RI���7���g�gV��-�x&��W��50��5+@�*���N?!����!k�K�v���:haMv���]����������u�o�U�������yw=��\��E�B�����F\�
?FI��m�}�v�/�wK�@wdlV��{�.Wg����m�0

�*)���p��4���Y����|]��T*�����s�G��,%n
U3���%����P2�q���%���|wq�N�^^�	�{K.�����F{����n��D�.
3=��]�j#����e�L&�(�Viq�p�>c��+:�#��Twa������EO�c�{|������o�@j+�a�8���4�F^��*����Q�%���"^������htF����������!J9�� �i��dR������g�S&� �"Z�y)q \��o��Vl�=����=�O[��A�q�z2���L����_��gK^���J�U�
���?�^�i5O�x�=���S�N�y��?e#��qSs-e�2�ZH����:!��f�	���#��P9�����
�X�TSZ/�raux4���QuI{xt2�W'�[&2e��&(�������3�����9��=�S�U��l������V�L�{���A����4.�I��6�
��8u����v���dH~��p�7:<>�*��>Xuw����UuO�(�b<�rr���8����y+��>�������0��V�r!�w�~�����������������w7�����G��U��N�+2gX����~��+�
a�-��E59dt�\����@�k2�����%^����Q��?8Q�d��TM��M�����q9'�:��������������D�.��g�23*
)�h�$M����z�W�	��4x�����p�mdV���IJ��t+pB�Ps�'����v)C1JQ5�f��H	�����Y���W�L3!Ta�%�����R9%��]�4�tMk�����N��/�p����v��"%��:X������,\v0t�K_��;`��7���������_
��v��4���w���i���;t���)�Mw�A���A������.�I�EV!�&�|����z����Tw�)����j5�����F������gi�:�����?������&sb����R~�s*
�����S��qt�c&_f���m=-�?8A�j�J��<��&��
Z/�{Q�G�����������t:��@$����,��;,�Y����t/O�#H�(�P4�Y�y����9g����scy�h��y4:�������c�z'��>��X���O��p�����Vqa�����bG�����������)�m)]����%8E�:���O�1l��^Ytr&�jo���hM�����Rfu�)��'�{��wQ��REO��C���]�����[�_�����`0��O��S����>�����~�
=���������Ah;���sh���be��/�B=��VU��o�.�A��XJ��q�A��wW�q��������5����8���t:b��t[o<+��_�G�^��q���
3��Y�yI���o4�+s!]��������|Y����e�X^7I��]4��P�;'�(���t���."�z�0�qa�����[U�yCI��)
){R�|���Pe�	Y����P���Ug&����QL��3�u��wH����+M@��Do���u�^���R���x�������� {��W��	pD��AL�*Ek�����c�f��`uEo���������5k�`��myw�m���4�-V"P�ft5����o�;9�����,i��{��K%���$�Dr��������7\f�p�������D %��[�������3����Zmo��lV6�Rg<$ i�}!��bn/O��Y�bi��+���*��E�����6fI�5��G}�`uB= n���{��6���n�e�D^W�_������'�,~�Ed�R�cEl�������J���9��Ox������v8�~��pt��:.�����5���N��O{_�����������;�T���g?������2�<��{�H�c�`PG�������Fh<t��?�-�htWWWUWW}\���OJJ��!Y�>�/��-��E8����6��t�8��-�/������VN��fG!�4��GS-c*�R�^A:tO�@XB��r�����>���U:Jm�na���:���������fQ������z���=��YF����ii�!E��me�S�g�a������+�^1,�n��Vr�Z2�{�Oh1�	��a���'�#O�C5�A�O;	�Gy��x�94=�,zd+����s4��s=��0��v�pp�	v�e5)�ygw�����A���l��*[p��E�vKh����A�|+X��hK�Y��dZh�}*,���"^6�����=Em��0�P}���9��p>��B���5YL�B�,�W0
�����=W%�'������FM@?�����o&^��.��L
�����,	�J�r�bE���Ady���ipy��O��y|���y�+��^8�%�LK��������bq��r�[�C��9�-�w'�s���8���w[����M�~�n��h��<��I��GX�$0Z�� ���"����2r��K�f�{Z?���i�K���z���0X
���!Wi[�[��._V����!��I$
=gg'����NK��n��h�y\OW2�c�YJn&��?!����Q�������|$7	pv��#)�V�U�^C��Xr���*�\4�^�,z��-�"1
��n�Li�^��y}F��{�nFp>���Bj7���hg�Y�
?IPa\�/K���
���K	&�l�>_��g��M�2~dm:�Cl���v���4�n��{�,kR�$�'�"%����{�h)k��	��=x�����$I���D/id�P�����Y6�.��b�_Ng�RX��mt�����d�0�G}�-���#��8r	�o���-��d:>��*z9n�9�K:g�W��R����
�o��k���5������
<�r9/)��xbL'���ry~����H`g�h^��9E�N���~���)��y4�8&Y�(%��Q���!�Q=PwD[�����9yY�����AYQx��k��������d�����4.Z�f�YO=���r� �w�7���Z��O��K\��9Cf����!n�JFG�L������m��{|
M��Q$��A<�	�����&2���|P
���~7��Sx��_����	��O(-�����$����d���V'�|�x����r�>��������`������m�5�}����!M�\�S�$P	?���u�F����
V��ee��a�([��)�������PCmF0�4�����H�^�k��{}��s�l�k2m�]-�n{m���P:����5�X��]��lf��P���[�`�A����bFJ�
5���7�CU�Y��,#�o�������u]g2�f��Td�=�]48t^%�8`��������hA!�V��^���<e��c�he���n� 1��4F:�C�=�iX �4��#�q��$�������9�~6��
#|62���������kD5�`0<D^WS�[���d�,��)�o��I���qD�Ws
����c�	�3C
/�`���D?�g�-�!���pZB_���#�1�'�G
#�5\lD}��!��-(s�Z��
������,[��L�S�S�ipv`[�����zb��DF��YU�qb��'!����0E�Y�p�!�}a�����ksz=J��x��DB���E<Hm��<�Y_\zEX���v�FB0��	9#*�L� �>\����8�}��E�]jY��nY��rY�o���-�_���sa0�r��b�$�0�?�g��1h�8�����N����,{�WT^���i�J)uN<��7�1V7m�8^�� y�^���n��*�M��)�Y���-	$N�����H��G0���	��G����l:F���x$hdOla�����o��#�/�,��m�f(�[�I5?�o0p�Q����v��K�]��%�u��S9��JY�5�_o�}��g�;!R3�H��a57Y�Q��l�AR��'�K�	�Od����J��z{v��^:G
]PP_*�"v�jKF�����K�8�*�T}�xa���(lj�! d�(�Z��������@e7��+^�lH�Ta/,gQ,����BY�yyj%�c��(XCjO�LQ!T�]N�w�L�P�A����O���U�w
��4��u�:o���2����IKm7�1i���#�����5��Dq���q
{FY�&����N��J��,��v7����MX����j�*8�vdx#�Ad�� �;I2�tt��}�����!.i��97�C��H��"7Ji��i��ch �C�g�#?�G�n
|N�a�����Y�|5;enAi���R���2��5��$�����t��
��d��e���*�ssO��K"�
B��$���L�E[�V���[mr
�	�xT9����
4��Z�hhk�����������"}�����u��@@m%���%�[��]c��5$�F!ayRstp:�B���My�fM//����#GbG$����P������/8�
�m���lN�!z����X8�u��O����`*0}��T��q�����w�b#�
0��h �,�G��}�B�c%����@��D���Z�@�h�h/�B��9e*
��X�@ L�R�,��A��s�`C,(�e�7��2�JPRWF.��XA������F1%�S���g��
?���E�O�|�1L6���: #X��SM�#y��+�o�9��X{
�:J�*DH��J�dX�c��j��2�
��D�{�h�F���t[�=��T��h��z	��?t>����d�
���z�O�SC>^x�����!&dd-���^R�'�PE&�e�+b��)�B��,W<'���c�B���@�%�"U�c=���-��%�8�N�����EM�
���������jK��8�CY.OU1V�1A�Y�K*Y��������T�.S�4Wm+=a@�B����Rf�`*hf�R�%���.��E�/`I�9���}���?L������)�5�
�T�~���������=���RKDuM5X1�k���:X����T���� ��I?�ex�@�R�gz@N����
�$�E�>�y6R�x(oUr�v� &�Rc�@5Em3�?k�(�A�~��q/	F'��D����Y@U�_�����6���������
-��ZM�E#A����^��X9����yF�Q��V;�����\u��*�������9�|>�v�������
w���i0 j����h������_@4+=���;��^~�-�F�������D8��'[���^`���5��e���	�J��/7S�@�-���J��S���851�PV��eK�a�YT���'\���U
F�`�me�4�n�+�<Z�� �b(�CE����������E�<V�pb�;(0Q�^�~p��
�WAy�6'�K���g�/
��1}�M�J0���Fc��Fc�Xb�=���Xf�����
�X��23��s,a���n���/d��2�L�i����#Po�I�0x��	j�2�
����eq���(sG�R�E\�[+Q9����]7��z��E�v�]Iv�LL��v?"�h
���t��������P
�?�� U��s�D�o_�t�b�[M�����������j���#�	�I�j��v���'2�N���p6��_[�����v�������s���B���_���
X��Po�DT��Y�Y��_����{Q{�����(������[���E��J���p
�Y4c�W�\� �ql�R�.���I�6��O����iab�)e�V�(\���Kn�Q�E�^�~}��%

�a�9���cN��!�Ae
aluL����������|?,�����Y\�O!��*��nqCWh���yJ����(�t�z�L�S0S�
��q�/a�(C�iw�l��gw��L�<�cB���7���*g��1�(H����|1?)�;�/�U��y8��y��0�����\�mw����.4�%�f�!�?�0����|X\��Y���IO�V?�&_������~7��d%A&�e4@f�:�q8o�g��;od�a:|�V/B8����eq]��w�rm�*:�x
p<X�����v��f�2[�+�0�.+�����K��^�-D��t!�g%��	���=C!�>�Y��*dSF�����~cL,�Lb��&~��s�v��DP�\mw���Y�3h���_��T���H� (�z�]x�jE�������g��O�����?:MOB!+���`�|D��
����������a�����K1�;���Qi]"��Qm�-s��Z���k���
M�%.���!�/��{�Y�kSL�,���?6,j�rK*���d��N�� ��������C���g��;����p�L�EHn8/��C��Y
9�"
W�vZ����#�M�P�w1�A�0u�qm�A95�TOI��qM�N��z��������*e��Q�%U��1px&�R�����
5��@��XKG~"�r�2����[-
2BWl�3�H�P%��������^M��a�*sF��`-����+��B�H�,��2�Q�=�VA<�^�Lup�k�d�,�)��'�����c���JI	�V�\w&���?��E��&���9�
��`:�����)Y�vv��������')����F���>��E���>*<���C7�������$�"|��[�1vj�"�:�q�����b�n�JZ����r���hi�c����d�[����a����
�4��y�\��"����]�1�Fz&�������#m��%����oQ��	l9�`Gw�Nq�BnV����;�YvW3j.8�c)�����N�=�0�p��)�T�d��1Y�i��"�}�+���v�����a���>7_%
\uaOw�������'3r*9�M{�K
P ���-����k�� �nTZ����y�G�y��|X�w��#8(�2�G�\�����3��\�'����r��t��1��v:��N����Mq�����g���+,�����S�E���}y�^X���E�-��B|o`o�g���2C��KCP|��Wpk��v#�PNV�+���}��&�hfRA�1r�*`�]Q����tx���H=
0��s��A����W��c��p- ��tBG�s�>�jZI�r��g����A0&c�X��B����o����9Zm�	��^#
�;����
[�N�~J�i�ZN��N*[]V�g�(�����q�J�B�
{���#����22�fy�\2���gm��N�v]W�b�=��`��<�R��h_%0��Bz��_�N��@=��a}��e��%l_���J���X�P�iR3:����5���a���wg�?�;ze:W\s�zbb�~K���U���
�4Z��a./2�R�1�B�'��:\����B�p��I�g����R<���K��#<K�������e�<��K��3�#�g�
a����A-	��@���:��j,Y��P���%U�s��:�{�*�%���b?�6]����5;!%Y
r��A�d3�wk�mt�&p��b��#.�3�*e"V�V��X��[9�'�L�r�`U(��&����F�]�����_�lbI����@w��)��[��X�
��x����w b��"�E���[����#�!��4$L��m��1�A�?����+���	P��9�OU�YF(��A�����
�i��L,������>������u���z��i�,J�)#G�jM��Y<%�f �
6@�B�����-���X*����3�2Iz\�T�b�����u��A���dMU$�z��(��Q{<�����~�vE�PeE�hq�BzDJ���C�U��\�k[YQS�c�����.$����V��A��l2�������K���]am
z����V�A�
��'.��������������S�������=��~����������^������ce�[����I�����/��{�������E���tzv48=z�����}am�u��u�vW?��Z�]����:��
�Bo%���}�VY��k��`X��=���V���$!�T;�}Y
�6Z�l%
>�FW����bEc�� �%PER�!�u
�R��
���P���86���L�7��yrj�1�Z�U��O"H���5��`g���o����tB��/3���B�t+�o��`gOXz����6M��:����?��~���o'�V���(ey59!��~�e��*���(V\09jb1�Qr���iQ�t�tzF�qC#XU�r��vXG��i,$8�P���3F����r�?q
E4����X���)�Zv@tl�!����c�f�\�v
�9M�'ZjyZ�9x�g�/��I�����(����EGs���p�8�
���y����K�����2�P��O<�10�8M����� �(U�(�N��AD�	qCLy�#��p0|�������1�'������x��mq�����.3So=J���j�3�����|����t�o��Y���gR��u�\4��
��i���z�d�p����Ns�Q��	�:uB����8`=�<<EQ�o���Ob+��L>��I�Y=M�B����5���D�6
	���;�@�Q}�n��)� ���������a������:2-��0������q=�v��4F����
�
@���a������I���O��6F7x6���
��3�!y�'�V�\�M
Ku#�n���1�l>~���G��Pq�������������t&��2�@���h�Y?�G�h���%~Ri�Z�&���v6�����l�=`�~3K�T��I6���j��bX�}��2�4��Y�����c�V04@"�W���&qBXM�uh%���-Z�q�q�m���XRP�*��PCXj�py`,Q���uV�x�M��
z����[���c���e0fk^H@:
������P��x0	b�CSJ��x���6��Ma5Az&�U����Pp��{��1�_�=��~q��������2���!�
C42J2
e3`�`>>��%�������/a�

�?��p���zo����'
%@���ZL
Z�9.���[|���9���1y�+8��MVI����y�Xj��u��/����x����?SY��
��������0�c�����h?�Ys�bBY�	�O
�
��A����-'��0���`8� 1��.����IlH 
�^(��p����/ui@�$��b�.�C��(QP
'?rj~�o������");����������^+�j���S.n���^h]'{{ws]9��	����ZsZ��)�Z{Z���FUsZ�3��N�V+���������:kai	�\]<N�����"�/�F9���1�S]���@����Ipm�nG3�XQ��!� 2�����J9������ �r�*=Z�z:���^X�n��'��$P|�wm
|���V�S|�L@Hw?��
O���6L{��z����1�U{=M�d�sD@?/��.Rq\��^���*���/4�L	�D���Y���?V���gO2;��&e)(,'����.���F��,�*pW�s9����aB����M��I��J�)�o'��o�8� 0��I�@�����x��-%���&�����=c�?/�w�BO�v�)�,��L�9X��1
�Cd��d]���X������z����>O@�t�������Qo��3}����b���d&���0��r������/�vF�_G���7Isg�U��[�-#�V�������@E�e�C���G*&�-���q���a_!�
����U@��w
M=�_��+(U�R8����481S���!�+]mC��<ZI�"]��6�(lI�7������+�Hr%�HL8�v (I#�41{Q�kF��a���[4���@���Z����}�������r��������=��1N��b��G�n�������S�K��~M3b������#�u���<d�OR�N�$&�T�U����U��f���R��
T������r*z��O-n��h�\55]�����2K�|����h��P�2+|��I|C2�\�[���3������x�H�2J����r�T�a�f
C*#��qY��%�r���d�C9��u2Y��1�`CC�l�H�����j��c����;=��A7��RP!ZJ�s���A�
��c����G�@�@�����C�cj�Fq�RY��t��B:Q�}�6�\,p�R<J�>C�%��1`��0�-������x]u�]1��k�u���2����X����D�kz��-�����|�����9G�l����P��k�G����F����j�/-�Za9��b==����7�?
��������G��:���H�+��N���_��&��;��H����=�����
	��c��/����������G7r	H
	�����3���b��#��z,%	�M����r�(�a���hZAj�i�i�-F���rA)���`�����4�����@�NN<���?�9=z%��=�M�����A5:�lu�	�B��d�}YHa�Y�+vz�>8�`2i���

�����fC
��b������9}�����'I�D3�G����PCu�,�P=Tp�?�����Zv9��<D���+Xu�����K�N����F����Z\"���"��,�F�p#����qS�Y9�Ig>*E3��� �
��bX|��L�8��S����DF���<��%.�,l��u� cb�Y-�8�N�#T��'�D����K=��2�Z���2D��`��E���s���M�P�
�o�O���
��'�������\^H��,����C��?�K4�����:.���=���SJ�!Hu�lh0���_B�Z����Sq�=������
.����O"/i�Ng�i�����c,�s9�A�(f7	3W<!�������i�@���A8�L@�A+�u(���.��zE�xSqv�J�X���' ���j�HSEB�i�����g1�h�d�0�vJ�(���jU�+���g-�<�=B�0)8rA�g$x��4�'�
z��u�et�����4��7�s�M0o[t�l���~z�h����&������Nn�a��n%��_������|* ��X:l�����8<��������J"�����d����*5����� ��\^�2K���x���Sp�O�
�:
Y	D{�-W�/	d���D`~�8������l�"�p�)]��}M���5���:Tb,�����9>V��E�j��w��V���"iR����xE9����bE��1W1���*��-�������9*,i��hWKV�c�y�	J`�2_)�>�9��?����I����*I��J�I�Q�2W�Sp+chg�B��y��QX*K�x��}v<����8�L�bu�����:�P���.�t6
W���=��9�`�C�����
���N���Pb���1����^����T�����7\���I~���]�f{9�i�
��$A����'U���G�~�wu^n�Xx���	�K��HS����e,� c����"X�AK�
�8d�B��d�
7�����8��>�7���Ib����S�P�tY�����<Zb�3��~��2�4��?�'�����{@������;���#��k��U8����0�u����b�
�@��bI�
�>A�vbu2��G,�T�%M0�k��&�?}:�����#����11A�
��7�p0J���Aec�w5��]`���{,������G6z�`��[x�8:==9��g�2f�[@�Hmi�����x�`�7��y���q�����
��s�20����,|N��IC��q/M�L�q���|�_	`���"��p�9�/���,p/�G{�Ruz��!a6b�<�
�a�������cP���V9��$��(�Y�E;���jm�g�
���iF}F��c��jvS�M���t���!Y����6��|>�R}��'����h�W@��$6x��A�3���K�jffH�?�an�%���D=�0�Vw'��i�RVTs����F<�F�z��3j)���/
yTG�e.v�B8A
Qk��^zp���d�^v4����\���^�)��B��e���NQ}���*4�*J��]�P��������
�6�=e��

�mC��U�T.��� �<8�	B<�O�7����
�1tC����G{z]���Km����IqN��u��A�<&��I���>����p`-j���?�=v�v"��;;
�H����J���r��$����
w[`���v��Iv\�5�~*��L�x��fs�x�$l>0��d��g��f�sKJ<I���R�����k�t�Q�boO����@�'KX=�8�(h���}�s��S�>
�c����k��&��r�Q��)KeQ2�	{���Csg�l ���r��Q$U1�\�B�,#��0���s����a��5�r���C6��]������
M�i�Q��(�r?N��`6b����-5�*���	����{���y:�1��V���Tmb�y���X�/��������*��e�K�M�q�]g���I����*e��lV�P�Ha�����ae����W~&���h����~������?[g�'�'gG��QA���������j+�R�uY��"N����D��&R��j�N|{�f&����}�Fh�*��^����5��8����z��<8���;	�u�j2
��d���c~��j�������k�\\
����S::A8�y�0KJb��
������$4)�)e����`�>�TTLX����N��&�����#5d:��������z���iy<�[�
��4��^Q��6#+<s)q�6+�	�?S��I�WJv������@�S�{��26�,��.z
	}�-P<K1~����)�xK�)�&�1��R�
��%�DR��!�g��s��p�'+r\�AE��:��w�1���e�>����F�������c1�b+���;���A���J9F�.���������u��2pd"��q�����
��C�j/!x��(E

��F&O��+�N�&6q�4/��� ��v�����qL���#z����9��������@\
E5�
�I�B��=�����dV������17���RT&�>,4��Z��"�������P��n�5������^�������~kR[?�MUjH�a�����jU�����mDD�j��t!W0�2��\�%%
<����ju��l�3��Vt���;����������a�N~�1�g[z�/=Rp���������MjX�@]�s(�h��cr��qR�S��b��S�.�A�"�����U���.���huW�FnU�1����I�#V������
K�\_��~c��v�*-��l`��I�w������Y:�x�~���#�7�H!�����fc1��Rr#��\�����]3���f�L�uPK����[K��� \�K`�8^�"g�c�0�"�z)xj!5e�������������7OZ����}���A���x<�ch��Y����v��;(��5YO|mP����xaR	5dM����P�'f;3�=r�
B��p!=M~0�\'n�a9������0��'��c�� =7R�G����f�#\�
���� $���bp
���G�g���(�������FI�N]b����O�iU�T�-�BK��E�]�}W�k�i
{%���,�����I%�
������[r�%oF��^��H���$���
U�PN���JdU���{`�Y>�+X
����(#��7�v���P������5AU����Q~?��!�gK��z� K��RyR_!j�_*���,���d�s���A��{]w
��j��~L=_P�>] AwS5�d�	��vh�^�HF��,�Y%���������+��X� L�D���8��~uI+� �K\�j��^���HA��=
S�sm
��
��WA�*�U��vwF��g��Y� �7dHe�
�x2�@&3�<��	�-���\g���7�*X!��5���P�b?��h��2�x��t#Cr
����?�j�1��8���Y��	�Q�I_hir�'�lL�������o��m��s�=z�f�7�����Y����Gaq	'��m�=���%E�����2�\BT��R�P(6"Q�ow�rb]���Tt���"?Q^J�*)��O��UT��
�R�/%��Ek�A�O+UJ�*:�I��Y6��a�F���W�rS�c�1Z��n��Yz�������o��rSNe=z�Z�|)]����h3�5�8�2�W1��ioQS���"���w��o
�����LQ���������p�*������R!���-�������b3�3�je�����mR0S�����nKl�D6�@?��/���n�
�BrC���`����y�U\�28���
�?�c0�Nk?�D
���
��s��v]���~�8���V��J���8:<S�
=e\�V�	�}��I�&t'S;NfGI@#U:B��T�H���C���Y���o�P(��EL�S�w
�����a<���������+_y�e1�[�X�`��/h_�f�?	�6�y��hNH�c9MJLA?e��������l�F�����W�(E��{<_~��<%pV��o�����`����#�MR$AvL����[nZf��*�m�
K�f����4�ZM�W��.V �=:k���TR�(���!-�����*��n�e`�
{zG,�����|�Co��K�0_2=:���$P%Z��,47#�R���~>�v�Y/�XZ��������*R�4�GN�r�z�(M���y<�$"@�v��F�v��v.����W�|���a���$���,��P+��S�?��1i��!��s��]V`p!S�%M���90<���^g'%w�p����0�SH�j�vAL
#�M��p :����	:��6����t!�K���6���>����V>9H�ZISD?�YN2 	�N
b��%���m�<!C�o!����$C�$D����T�W��D�,oLc���gdC�g�����t�s��&[-�&��%��|��V�y�x@�Idz
S��Xy"R��C��V�+D�����m�Q��7D
�;G��
�xa��wR�x�����P����%�8��_���*O�Zj!���ULxhB�����'�j��Cw�4�UG�D�I���=���D:))�zC�����qm�]��u�ql���K��
�������r�����x�� e�k��U8��=un�
]6�)�h�K.K�"�\-J��H���l,�
��tl��kV�5+���N�
�f}�f-
��*�P�#����}�U��~�*�p�O��#\��%�yN���T�aO�c�w�}�{
X&���Q�T��0�d��j>2N��
JF��g��W����7�U���S6��\��J!CS�?��=2�	�#��$����(��B�i#`��(���=��B�)���H9�����������@F���k�X�zI�����"�yI
m�4E���S�S~S�@�d"�%ZR����^���K��5y��i%v�r��u���+3��fY��g_���fa��x
E:E�u�����Wy��@������f;v�}�>�$�"�R�����U�VV�����B�xJ,f(�(����@l#/C�Rg�V��}��~�q���0�&A����_�n��t�3��p���8�]�����	U��GA������5��z���&I6�*�*Q�Y%��O��������)vd� ��i�g��@c=e� Q�:��&\~C��+@�����bc����Z����
{z6(y��ZI5�lfD�.��u��t���.Yg��
��2d�����~<O��4t^
=bQ=�*=�����z�z�z$���/�U�R��@,������������XG����� ��G��upt�d�A_�����������	��&Ke�!�K_���
�QfNQ��l3(�5:��~��
�s��?yb�������P�����Q��S�
>Mq�ba��6+{�������|�
r�J]f�
H��i@�TA<
����>H1��p��AX�ze��|r��B�n�#��3Zg���Z���j{l,zT�>-��(��W���|6������Mt��#.���>��i��|:Q��`,��\_��/r�H��}��%D�Eq��VPs�2���L��/�����8��"c�:	�p���
�1
�>*FOF��������mL����nd�����
���]�y	(�*�I�
����|���DV&�&K0Z0)��'��a��!���(^�0�
&���\�_��W
��.���gc���9��������F}UT��Q>z�bm�#=��������"�O�:�.�P
6�r�fA�G�������[h���xvW��u�v�M����`4�S�
�#�(���Mv�G|�����?��m,�O���3��36sez.��0��7���,^��e,�S�>g"_�
�0������i&��Y�X��1=|m�Q��&�
�U��j�Sa}�B
�QSc���EW8�|N�������r���2<��7�f�@
�Xlw�P�v�/.�4�A.(����^�7R��M�
�����&�*0���lu4�z��TMk��P?�B��g	�����������\;��+���a��1sV
��>}!$*$����@?���\�/(n�8�P+`_6u����ae��]
�v:"
OX2
�Z:�`2�J��������qxv�ajp5�z+ZAbV?���7L��}]RQZ�a�6��B�R:��.a
<p� :��09Q�ra0�"�����$�v����\L�!�X�~�n0����,W�]�f|����=�.��j��2D��M_�����e���M9�%��(���r8YN!�e�
�8��[�}E�%g~�#�
"
1�"O��:��.�;�Eh��5���[HL"��!�����E�@�q'�~�
l�N���}��K�^��KkO�5m�����N?���H�9%zp��>P���Q`Y��O~�����t3�5�"�k���[}��L����%80JKRk)�vj���BXn�iz�����p��&�v�N���������X�T�XX���k3��8W��)�k��LL�������`�KW����Z\	P�!+s����UD��At�f��"v����t�1H��r���
N���b�E��l�
����lf��9���F�'y:>��2�5�s,�t��
(���|�)��q�%a����(3���R�i��Ll����X��4��e�~��������sp��&������4T��3�a&����y	����?�j�L�#�8�v���!4�t�Aql�����)����>��@�(�=�����(�T���'������5W�OtwIiw�v��<\r��]����p�u�����m��px����)Y���p��|�"�)'j2�#�T~��,����f)6?���p)��Y@/��X�x�E���v���/��R������Xl"#�e��E��0��n 9/g� ��6oK,���k��	0��:c!r&���'���-dmZ,��@]��m]Ma�)���=B�
��U�V�3?�Y�'�� ��i��)��7�C�!n��n��C7�Ey���P�x;��������{�?!f�dO|����3�q����'FBCJ^����?�xt�K����!���v�$��9n�-u�<}e5�g������Y�����+��Z������	�����GbY-�5�S�j,��Q��o6Z�
��:��CkP)�����'~�11�Y�X)>~��E;`#�I��e�������^<�f*�a�fx;�h=�
P��
Y�@�J����zg=V���xd}~�=�l(�`xY�j��fD�:��.�����*�����N���������g����e�M��X���3�g-�����	���5y�l���K�4��]�6h��lq��I�����l�&������}Y�|V��?9;~{$�����Z�p�$���s��|�v�J����ZoO>�}�N~�!���a�'
�PM�i��i<�(���+F7�X��4��>����YJ���
d�X��/i3����4��@�(�`f���&���s9k��F�J|q�)����&*��o��Xtfq�B,-��|�pt�����l�s����;���|�y(��.�'w&�@P���.��ZQ�+SK�`��'_��b��)��]hO8�Q����Z��e�5����b�M�U
��-+o��������^C�$�bt

um���������������u�>�������j�kn����5l���T&�������B�*|��l��U{�����
_�����
�bm;���{Q6C/6�����6���M����6��!36���N;��"��cS��k���[`�*�����`��\(l$`��0<�].4���7��46�1*��X�H+Q��
Ac�tY#W,ltp�F8�~����?&�mq�n�G>�5�����NN����3�M�Ea��Q����!qM��"��]Tm��<�E��}�M�}�B.�
��a�a!��x!�P�����R��v�K����^���f�g�".��F�;F�;CM�����2�+�;����;�*h��E#^�Frv���p�[�`.�V����N�v2w$r�N�n�����@��X_J�7�����Y�T���������m�6i(�u7���@���'���?�9=:$�����,X�Kh
>�T}l�:@ �G�NE�K�4��#�����S��,�Y����%�J|LE����������2��*����e�w���!�=[+�S��Z�����,�Wo�����q[vG���B�}���z�*�Dt3��j��f34HV�o[C�fV���7��=��-�q��d�����Z�.����f�&�u�F��M���sS
Y����I�����t�q��9�������J�X�����������#�&6Job��	���
E$D���"��M)��D�j:H�ys~����m
��}�����+�A�2���B�*n-�Z�����?��?<�*n�5�o�����*7e2x-����C��p�����*��
�l_�{{��6��������S��>���-�0z��k)T�G�X�=�{�e������10����������y"=LMz�d�g#�yg��sD
�����;����5'��3�N����~wS��U�~�"�L"����(�{w���������'~���D�x{x�
�77�?�������<R�OX$�M��W�Z[���������yZ�J�o�v�m�t����$RpG��fA�f8N3�ziSC�I���^
&��������N$E�.�9}��w��&�c�� 5�O�/�$T�r*����*V(P�^�6}���E�����(V���\��\i�����O���Ji�9v��`E	lDX�����
w*����e�DN��d�B��R�"w�,r��+`��4=�S�[�Dh�����\������~������R��W,���l��o&9r��1���������lj(�8���O�W
[�dQ��
����1`*�6������Fj=u�^|�y�|�2�a���wuP�����uw�S����v=���i�I����^z>�4��X��;��W�����K/���0������c��������B8M��2<;&�p�[��������j1��?�fxX����lt\���&�H���Hme6?*f�'��1��p�|���_��i�m���.�
�x�hj2m�Vq���c���	�x�:/.�N���������R�
�
K�����Q�$Yv��,*�I��]��in���v��������;	@�Fq�
;��� �b����o�qssc���o�J�J
'W�kP�?��M�S����H��6V��.�zu9�[]���z��i�-�����Z��RQ����L���������34�dh�n�b��:�C������Y:�uOg��
��U����zX�^s�V%=<�W��n���
=�!'��{�o���
�[�����G��l���q5D��f+y�0�Y�TO��$b�YG��{:����G����vh�s����i����������������Z��������}��:~�����Q#�y$��i=3��4�
��)#����.?����[V�qp1��d������vT�J���9P'+��WYT��J����u�����
��!��#���������{����w�o��pm��)i�����:�lS�����|O[��>����g�����{�^S�
���������Kv����aX�r������ki1�����:Z�<bI���5�h`�u�z��^;I��k��(���pL���E�<N-F+:�,:���#�_Y�\YNMex�GdL���Z��l}�T�E.��x;Z���/����}����6py����ld���c{Zl���`�A��w��������as7a��R�����Y:}�sOl^O��\����������������k����I�����l�>c��q�^��Zp�Mi���;pwm���j���9~k�����
)r���
E�����:��T���2��nm��*m����X���oT�+��~tj}�������u���}��p�KxX�r ��Yg'�������Ew��z��;Mt�>�_L�[�
}�
U}9���.~M1��b��q�!F�-
a���?_�5�����s;����z
��%�$�S_�w����uO(������*��a��9~����L�#�����������c[�onn�eDM����VO%��-����+�I��b8�gC��h��n���r��*m�����2�91�j
������2�i/����ZR�2�7�u~24ZK�8���k��}�P�J=�&��	�j�Sw��n��:�;�!S��g;��%���g�Z|��<[�Ax;�^7:Cw<"��k�&��L�/U�>�C{X`z
l�:��&�� �h�t���u6��;
5"��>C&u�BRt]oS���*��W����73
�oin}E�~s�s������>=����b��G��"i[o>��U_�j�&��������_��F��������1
'����@���������B�.��q�[>���|���jz'[�5�����}�����g�+�a�0��YG*�7����D�'��Z�������:"��z�%�S��s���'��R��s(#������!���v�v:���0���q2��nz^���}��w^�|f�x���9��
ZSy(���o����9��Z��mj���:(a���]w�B|�
E�k�
E��uC����%�j�?�����~�6u����_��5l�N�+l�V�wgcqV�W;�.���f�}��;�ku2�G#6;{��y��������N�������|5;�p��Y����cf�����w�03����L���Y^������Lgo��{���r�Y�w���_���f�W���Y��	���ipY�E����I8���z(���m���`y@�d���N7)����jH~5$���gHn ��9�C�S����t���E�2���C��,��?���5c"�N8�`��;�*����@����r.���qd
�Hp��^2U4�� bm�k����7�6��x�GHH���H�+�H��u�T�Y|h�&~����	���b��rE�p�{"C����1J��:����X�f�e�M��u����������_��������-� ���;��������� 1�#"�I���G����
�(��!sC��K1�lY�'��v�t~��s�2fr9��j��j[e����y9�/'A������b�c\sr��W���4���H�$d�Z@�����?�I�av)���r�	�Z�E�UC��{��6{��t��Q������t�f�v]'1���z�����vj�nC���5�?�x����A|H�%��W/{A�o���Y�3k��.���:
��%����(+���/�9�0�`��6?����^�mW�����=����;F&0,@7�K���j�r'3�����=����Z���g��'�	�4
~#�Hp B�7 ����6b���a�A~�?��?�6�_���1@��| �*L"����{'y��t��VcU��+�c�F%N��$S/�s��|���0|�\p�X�m%v/���w����?
�������u�j;���u�I<���q&~Dcv�!�-��T����Xw����<���#���8�>(.�]3M�tYL0�}������F�
zM��lk���yF�m�����&���������6%E)k;$Z�{��y���`F�����}Wl��������L������H$�����V$�X�����c���B,�""Nz�������x;��@���J�WW��J������L�8,�d�M�n�T�e=����,�&hcg�c�2=�� "�b�kB�%c@��yA����_�n-���aLJ��Z�������z����wpB���H������v�*��sZ7u�����d�$������o�.�����)��0�h��q���D�z>�-�e����%��_7�@(����
d:���8���������������qpp���`��,����Z(���
r�����#���0�#+�Lrn�kx��W!���&����������&E�����^<�<
����|�������`g��r�I~���4B��
us�|��
����t8�����z�X
������8��K�������������#�E
�og��H�����<���,�T>/�`ay�� �gO`h���#�C�\x���,/���������G
(d���0j�J���`
�����W�������U����������5��w�[��N��C�	�o�^�d��1���6��:G�� �UZ���r7@��@mM�~�H���/�}������R������#_���A����m7�E��"�I�}a�����~�����C�-;�d�-,�-�����^������v�@����^e?y��P�v39l�>mf��/��h��Gl[U���el��1z��uV���������?�� !�+����'���6G���j4Fu�����|>�l���.&�����W�P���!WNW����\�7�����s�������&�]g��,����G�K��&��Ko�umW��v��x��G���|8���8&�R�EJ��N��2�|9�
/�a8����[���Yp�����Y���k�u����[vS{�F0��*^��Wpp�������������x�_�I+?$F���m�������N?�j?��K8-����)a�]N)*��Q��;�
^j���K�v�������o�6��|�5D��W:���+WQ��Z�w����&��o~�����.x�~;�zw�s���u���}w�T�kU����
��
�p��X�^����v������ y����5w������������Y�N��w�v���\�����-
��2��`mQ0��� +��A=�����E��"�=��U"��P$�M�C+����a$���^��;���Z���+0��s}��-��]1��u��[W���C����v#@����7+@�M�[K�xe�c
������X�x������p���_|��P�4R?%�v�uw�J�|7v��t�&Cz�m��G�������G����B\t������1���}}�����i�-|Z��������������J�n����f�%,��>�/������U`
�`n�.���X�q��� �q�X�����e�>/x�4�V���8��g�� I�gQ���}<�.�|��
s�n��nP��S{���n���
ju������{���v�������wg�����m�
�������������L���-��7�cp��U�v�����n����-������M����Ld��G}���{L��������u���h�w��}A���&�Qvl&�����m��=^G��w�N���b7�����Q�������5�W�q�=�|z�����y���]h��5+p�z���Z���WX��ra�B�����&���\c�x[zOO��{8������WA�
�-b�8��}�G�E�5W�E\N�e%�j.�U,�6��vX9G�.�V��O�C�l;{���1�7r��u����M<^������Q��E��]s���5�/��k�F�fX�����xoWI���������VR�����b��A$�8��f������E�K��/���
��hs

Tom,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:

Stephen Frost <sfrost@snowman.net> writes:

* Dean Rasheed (dean.a.rasheed@gmail.com) wrote:

+1 for that terminology and no renaming of fields.

Agreed.

Here's an updated version of the RLS planning patch that gets rid of
the incorrect interaction with Query.hasRowSecurity and adjusts
terminology as agreed.

I've spent a fair bit of time going over this change to understand it,
how it works, and how it changes the way RLS and securiy barrier views
work.

Overall, I'm happy with how it works and don't see any serious issues
with the qual ordering or the general concept. I did have a few
comments from my review:

diff --git a/src/backend/optimizer/README b/src/backend/optimizer/README
[...]
+ Additional rules will be needed to support safe handling of join quals
+ when there is a mix of security levels among join quals; for example, it
+ will be necessary to prevent leaky higher-security-level quals from being
+ evaluated at a lower join level than other quals of lower security level.
+ Currently there is no need to consider that since security-prioritized
+ quals can only be single-table restriction quals coming from RLS policies
+ or security-barrier views, and thus enforcement only needs to happen at
+ the table scan level.  With such extra rules, it should be possible to let
+ security-barrier views be flattened into the parent query, allowing more
+ flexibility of planning while still preserving required ordering of qual
+ evaluation.  But that will come later.

Are you thinking that we will be able to remove the cut-out in
is_simple_subquery() which currently punts whenever an RTE is marked as
security_barrier? That would certainly be excellent as, currently, even
if everything involved is leakproof, we may end up with a poor choice of
plan because the join in the security barrier view must be performed
first. Consider a case where we have two relativly large tables being
joined together in a security barrier view, but a join from outside
which is against a small table. A better plan would generally be to
join with the smaller table first and then join the resulting small set
against the remaining large table.

Speaking of which, it seems like we should probably update the README to
include some mention, at least, of what we're doing today when it comes
to joins which involve security barrier entanglements.

diff --git a/src/backend/optimizer/path/allpaths.c b/src/backend/optimizer/path/allpaths.c

[...]

! /*
! * In addition to the quals inherited from the parent, we might have
! * securityQuals associated with this particular child node. (This
! * won't happen in inheritance cases, only with appendrels originating
! * from UNION ALL.) Pull them up into the baserestrictinfo for the
! * child. This is similar to process_security_barrier_quals() for the
! * parent rel, except that we can't make any general deductions from
! * such quals, since they don't hold for the whole appendrel.
! */

Right, this won't happen in inheritance cases because we explicitly
don't consider the quals of the children when querying through the
parent, similar to how we don't consider the GRANT-based permissions on
the child tables. This is mentioned elsewhere but might make sense to
also mention it here, or at least say 'see expand_inherited_rtentry()'.

*************** subquery_push_qual(Query *subquery, Rang
*** 2708,2714 ****
make_and_qual(subquery->jointree->quals, qual);

/*
! 		 * We need not change the subquery's hasAggs or hasSublinks flags,
* since we can't be pushing down any aggregates that weren't there
* before, and we don't push down subselects at all.
*/
--- 2748,2754 ----
make_and_qual(subquery->jointree->quals, qual);

/*
! * We need not change the subquery's hasAggs or hasSubLinks flags,
* since we can't be pushing down any aggregates that weren't there
* before, and we don't push down subselects at all.
*/

Seems like this change is unrelated to what this patch is about. Not a
big deal, but did take me a second to realize that you were just
changing the case of the 'L' in hasSubLinks.

+  * We also reject proposed equivalence clauses if they contain leaky functions
+  * and have security_level above zero.  The EC evaluation rules require us to
+  * apply certain tests at certain joining levels, and we can't tolerate
+  * delaying any test on security_level grounds.  By rejecting candidate clauses
+  * that might require security delays, we ensure it's safe to apply an EC
+  * clause as soon as it's supposed to be applied.

[...]

+ 	/* Reject if it is potentially postponable by security considerations */
+ 	if (restrictinfo->security_level > 0 && !restrictinfo->leakproof)
+ 		return false;

The first comment makes a lot of sense, but the one-liner doesn't seem
as clear, to me anyway.

The result of the above, as I understand it, is that security_level will
either be zero, or the restrictinfo will be leakproof, no? Meaning that
ec_max_security will either be zero, or the functions involved will be
leakproof, right?

*************** select_equality_operator(EquivalenceClas

[...]

--- 1352,1364 ----

opno = get_opfamily_member(opfamily, lefttype, righttype,
BTEqualStrategyNumber);
! if (!OidIsValid(opno))
! continue;
! /* If no barrier quals in query, don't worry about leaky operators */
! if (ec->ec_max_security == 0)
! return opno;
! /* Otherwise, insist that selected operators be leakproof */
! if (get_func_leakproof(get_opcode(opno)))
return opno;
}
return InvalidOid;

Leading me to wonder if the above ever actually falls through to the
InvalidOid case due to ec_max_security > 0 and the operator not being
leakproof. Reviewing the coverage-html output, it looks like the only
cases where InvalidOid is returned is when no operator can be found (and
that only happens 20 times throughout the regression tests, and only
through two of the many code paths that call this function).

Perhaps it's more difficult than it's worth to come up with cases that
cover the other code paths involved, but it seems like it might be good
to at least try to as it's likely to happen in more cases now that we're
returning (or should be, at least) InvalidOid due to the only operators
found being leaky ones.

diff --git a/src/backend/optimizer/plan/createplan.c b/src/backend/optimizer/plan/createplan.c

[...]

+ 			/*
+ 			 * If a clause is leakproof, it doesn't have to be constrained by
+ 			 * its nominal security level.  If it's also reasonably cheap
+ 			 * (here defined as 10X cpu_operator_cost), pretend it has
+ 			 * security_level 0, which will allow it to go in front of
+ 			 * more-expensive quals of lower security levels.  Of course, that
+ 			 * will also force it to go in front of cheaper quals of its own
+ 			 * security level, which is not so great, but we can alleviate
+ 			 * that risk by applying the cost limit cutoff.
+ 			 */
+ 			if (rinfo->leakproof && items[i].cost < 10 * cpu_operator_cost)
+ 				items[i].security_level = 0;
+ 			else
+ 				items[i].security_level = rinfo->security_level;
+ 		}
+ 		else
+ 			items[i].security_level = 0;
i++;
}

As discussed previously, this looks like a good, practical, hack, but I
feel a little bad that we don't mention it anywhere except in this
comment. Is it too low-level to get a mention in the README?

diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out

[...]

--- 2104,2114 ----

EXPLAIN (VERBOSE, COSTS OFF)
UPDATE v1 SET a=100 WHERE snoop(a) AND leakproof(a) AND a = 3;
! QUERY PLAN
! --------------------------
! Result
! One-Time Filter: false
! (2 rows)

Perhaps Dean recalls something more specific, but reviewing this test
and the others around it, I believe it was simply to see what happens in
a case which doesn't pass the security barrier view constraint and to
cover the same cases with the UPDATE as were in the SELECTs above it. I
don't see it being an issue that it now results in a one-time filter:
false result.

Reviewing the other regression test changes, they all look good to me.

Thanks!

Stephen

On Mon, Nov 28, 2016 at 6:55 PM, Stephen Frost <sfrost@snowman.net> wrote:

diff --git a/src/backend/optimizer/README b/src/backend/optimizer/README
[...]
+ Additional rules will be needed to support safe handling of join quals
+ when there is a mix of security levels among join quals; for example, it
+ will be necessary to prevent leaky higher-security-level quals from being
+ evaluated at a lower join level than other quals of lower security level.
+ Currently there is no need to consider that since security-prioritized
+ quals can only be single-table restriction quals coming from RLS policies
+ or security-barrier views, and thus enforcement only needs to happen at
+ the table scan level.  With such extra rules, it should be possible to let
+ security-barrier views be flattened into the parent query, allowing more
+ flexibility of planning while still preserving required ordering of qual
+ evaluation.  But that will come later.

Are you thinking that we will be able to remove the cut-out in
is_simple_subquery() which currently punts whenever an RTE is marked as
security_barrier? That would certainly be excellent as, currently, even
if everything involved is leakproof, we may end up with a poor choice of
plan because the join in the security barrier view must be performed
first. Consider a case where we have two relativly large tables being
joined together in a security barrier view, but a join from outside
which is against a small table. A better plan would generally be to
join with the smaller table first and then join the resulting small set
against the remaining large table.

We have to be careful that we don't introduce new security holes while
we're improving the plans. I guess this would be OK if the table, its
target list, and its quals all happened to be leakproof, but otherwise
not. Or am I confused?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Robert Haas <robertmhaas@gmail.com> writes:

On Mon, Nov 28, 2016 at 6:55 PM, Stephen Frost <sfrost@snowman.net> wrote:

Are you thinking that we will be able to remove the cut-out in
is_simple_subquery() which currently punts whenever an RTE is marked as
security_barrier? That would certainly be excellent as, currently, even
if everything involved is leakproof, we may end up with a poor choice of
plan because the join in the security barrier view must be performed
first. Consider a case where we have two relativly large tables being
joined together in a security barrier view, but a join from outside
which is against a small table. A better plan would generally be to
join with the smaller table first and then join the resulting small set
against the remaining large table.

We have to be careful that we don't introduce new security holes while
we're improving the plans. I guess this would be OK if the table, its
target list, and its quals all happened to be leakproof, but otherwise
not. Or am I confused?

The plan I have in mind --- it's not implemented in this patch --- is to
fix things so that the "lower security_level quals must be evaluated
first" rule applies to join quals. It should then be possible to allow
flattening of security-barrier views without security holes.

One part of that would be to teach distribute_qual_to_rels about it
so that less-secure quals can't fall to a lower join level than
more-secure quals. I think that's relatively straightforward, though
I've not tried to do it yet.

A bigger issue is that we don't have security_level attached to individual
quals at the time when view flattening gets done. We'd need some other
way of maintaining the distinction between security quals and regular
quals between there and where RestrictInfos get built. I don't have a good
idea about how to do that yet, but it doesn't seem insoluble.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Robert,

* Robert Haas (robertmhaas@gmail.com) wrote:

On Mon, Nov 28, 2016 at 6:55 PM, Stephen Frost <sfrost@snowman.net> wrote:

diff --git a/src/backend/optimizer/README b/src/backend/optimizer/README
[...]
+ Additional rules will be needed to support safe handling of join quals
+ when there is a mix of security levels among join quals; for example, it
+ will be necessary to prevent leaky higher-security-level quals from being
+ evaluated at a lower join level than other quals of lower security level.
+ Currently there is no need to consider that since security-prioritized
+ quals can only be single-table restriction quals coming from RLS policies
+ or security-barrier views, and thus enforcement only needs to happen at
+ the table scan level.  With such extra rules, it should be possible to let
+ security-barrier views be flattened into the parent query, allowing more
+ flexibility of planning while still preserving required ordering of qual
+ evaluation.  But that will come later.

Are you thinking that we will be able to remove the cut-out in
is_simple_subquery() which currently punts whenever an RTE is marked as
security_barrier? That would certainly be excellent as, currently, even
if everything involved is leakproof, we may end up with a poor choice of
plan because the join in the security barrier view must be performed
first. Consider a case where we have two relativly large tables being
joined together in a security barrier view, but a join from outside
which is against a small table. A better plan would generally be to
join with the smaller table first and then join the resulting small set
against the remaining large table.

We have to be careful that we don't introduce new security holes while
we're improving the plans. I guess this would be OK if the table, its
target list, and its quals all happened to be leakproof, but otherwise
not. Or am I confused?

I agree that we need to be careful that we don't introduce security
holes.

Also, I do think it would be nice if we could arrange to have the same
plan in the security-barrier case as is in the no-security-barrier case
when there are no leaky functions involved.

That said, I believe this becomes a similar order-of-operations question
to make sure that values are never exposed to leaky functions until
after all necessary filtering has been performed. In particular, when
considering joins, if all of the join operators are leakproof then we
could possibly reorder the joins however we choose, as long as anything
leaky is performed after all joins required for security correctness are
performed and all security barrier quals are applied.

Thanks!

Stephen

On 28 November 2016 at 23:55, Stephen Frost <sfrost@snowman.net> wrote:

diff --git a/src/test/regress/expected/updatable_views.out b/src/test/regress/expected/updatable_views.out

[...]

--- 2104,2114 ----

EXPLAIN (VERBOSE, COSTS OFF)
UPDATE v1 SET a=100 WHERE snoop(a) AND leakproof(a) AND a = 3;
! QUERY PLAN
! --------------------------
! Result
! One-Time Filter: false
! (2 rows)

Perhaps Dean recalls something more specific, but reviewing this test
and the others around it, I believe it was simply to see what happens in
a case which doesn't pass the security barrier view constraint and to
cover the same cases with the UPDATE as were in the SELECTs above it. I
don't see it being an issue that it now results in a one-time filter:
false result.

Hmm. I've not read any of the new code yet, but the fact that this
test now reduces to a one-time filter makes it effectively useless as
a test of qual evaluation order because it has deduced that it doesn't
need to evaluate them. I would suggest replacing the qual with
something that can't be reduced, perhaps "2*a = 6".

In addition, I think that the tests on this view are probably no
longer adequate for the purpose of validating that the qual evaluation
order is safe. With the old implementation, the subquery scans in the
plans made it pretty clear that it was safe, and likely to remain safe
with variants of those queries, but that's not so obvious with the new
plans. Maybe some additional quals could be added to the view
definition, perhaps based on the other view columns, to verify that
the outer leaky qual always gets evaluated after the security barrier
quals, regardless of cost. Or perhaps that's something that's better
proved with an all-new set of tests, but it does seem to me that the
new implementation has a higher risk (or at least introduces different
risks) of unsafe evaluation orders that warrant some additional
testing.

Regards,
Dean

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Dean,

* Dean Rasheed (dean.a.rasheed@gmail.com) wrote:

Hmm. I've not read any of the new code yet, but the fact that this
test now reduces to a one-time filter makes it effectively useless as
a test of qual evaluation order because it has deduced that it doesn't
need to evaluate them. I would suggest replacing the qual with
something that can't be reduced, perhaps "2*a = 6".

That's a good thought, I agree.

In addition, I think that the tests on this view are probably no
longer adequate for the purpose of validating that the qual evaluation
order is safe. With the old implementation, the subquery scans in the
plans made it pretty clear that it was safe, and likely to remain safe
with variants of those queries, but that's not so obvious with the new
plans. Maybe some additional quals could be added to the view
definition, perhaps based on the other view columns, to verify that
the outer leaky qual always gets evaluated after the security barrier
quals, regardless of cost. Or perhaps that's something that's better
proved with an all-new set of tests, but it does seem to me that the
new implementation has a higher risk (or at least introduces different
risks) of unsafe evaluation orders that warrant some additional
testing.

This also sounds like a good idea to me. I'm not sure how practical it
would be in this case, but I do think it might be a good idea to also
review the code coverage results and see if there are tests which could
improve wherever it is lacking.

Thanks!

Stephen

Stephen Frost <sfrost@snowman.net> writes:

* Dean Rasheed (dean.a.rasheed@gmail.com) wrote:

Hmm. I've not read any of the new code yet, but the fact that this
test now reduces to a one-time filter makes it effectively useless as
a test of qual evaluation order because it has deduced that it doesn't
need to evaluate them. I would suggest replacing the qual with
something that can't be reduced, perhaps "2*a = 6".

That's a good thought, I agree.

[ getting back to this patch finally... ] I made the suggested change
to that test case, and what I see is a whole lot of "NOTICE: snooped value
= whatever" outputs. The fact that there are none in the current test
output is because in

UPDATE v1 SET a=100 WHERE snoop(a) AND leakproof(a) AND a = 3;

we currently decide that the subquery can't be flattened, but we then push
down the two leakproof quals into it, so that they get evaluated ahead of
the snoop() call. The revised code doesn't do that, allowing snoop() to
be called on rows that will fail the other two quals --- but AFAICS,
that's a feature not a bug. There is no security-based argument why
snoop() can't go before them, and on cost grounds it should.

I'd leave it as shown in the attached diff fragment, except that I'm
a bit worried about possible platform dependency of the output. The
hashing occurring in the subplans shouldn't affect output order, but
I'm not sure if we want a test output like this or not. Thoughts?

regards, tom lane

*************** SELECT * FROM v1 WHERE a=8;
*** 2114,2198 ****
(4 rows)

EXPLAIN (VERBOSE, COSTS OFF)
! UPDATE v1 SET a=100 WHERE snoop(a) AND leakproof(a) AND a = 3;
! QUERY PLAN
! ------------------------------------------------------------------------------------------------------------------------------------
! Update on public.t1 t1_4
! Update on public.t1 t1_4
! Update on public.t11 t1
! Update on public.t12 t1
! Update on public.t111 t1
! -> Subquery Scan on t1
Output: 100, t1.b, t1.c, t1.ctid
! Filter: snoop(t1.a)
! -> LockRows
! Output: t1_5.ctid, t1_5.a, t1_5.b, t1_5.c, t1_5.ctid, t12.ctid, t12.tableoid
! -> Nested Loop Semi Join
! Output: t1_5.ctid, t1_5.a, t1_5.b, t1_5.c, t1_5.ctid, t12.ctid, t12.tableoid
! -> Seq Scan on public.t1 t1_5
! Output: t1_5.ctid, t1_5.a, t1_5.b, t1_5.c
! Filter: ((t1_5.a > 5) AND (t1_5.a = 3) AND leakproof(t1_5.a))
! -> Append
! -> Seq Scan on public.t12
! Output: t12.ctid, t12.tableoid, t12.a
! Filter: (t12.a = 3)
! -> Seq Scan on public.t111
! Output: t111.ctid, t111.tableoid, t111.a
! Filter: (t111.a = 3)
! -> Subquery Scan on t1_1
! Output: 100, t1_1.b, t1_1.c, t1_1.d, t1_1.ctid
! Filter: snoop(t1_1.a)
! -> LockRows
! Output: t11.ctid, t11.a, t11.b, t11.c, t11.d, t11.ctid, t12_1.ctid, t12_1.tableoid
! -> Nested Loop Semi Join
! Output: t11.ctid, t11.a, t11.b, t11.c, t11.d, t11.ctid, t12_1.ctid, t12_1.tableoid
! -> Seq Scan on public.t11
! Output: t11.ctid, t11.a, t11.b, t11.c, t11.d
! Filter: ((t11.a > 5) AND (t11.a = 3) AND leakproof(t11.a))
! -> Append
! -> Seq Scan on public.t12 t12_1
! Output: t12_1.ctid, t12_1.tableoid, t12_1.a
! Filter: (t12_1.a = 3)
! -> Seq Scan on public.t111 t111_1
! Output: t111_1.ctid, t111_1.tableoid, t111_1.a
! Filter: (t111_1.a = 3)
! -> Subquery Scan on t1_2
! Output: 100, t1_2.b, t1_2.c, t1_2.e, t1_2.ctid
! Filter: snoop(t1_2.a)
! -> LockRows
! Output: t12_2.ctid, t12_2.a, t12_2.b, t12_2.c, t12_2.e, t12_2.ctid, t12_3.ctid, t12_3.tableoid
! -> Nested Loop Semi Join
! Output: t12_2.ctid, t12_2.a, t12_2.b, t12_2.c, t12_2.e, t12_2.ctid, t12_3.ctid, t12_3.tableoid
! -> Seq Scan on public.t12 t12_2
! Output: t12_2.ctid, t12_2.a, t12_2.b, t12_2.c, t12_2.e
! Filter: ((t12_2.a > 5) AND (t12_2.a = 3) AND leakproof(t12_2.a))
! -> Append
! -> Seq Scan on public.t12 t12_3
! Output: t12_3.ctid, t12_3.tableoid, t12_3.a
! Filter: (t12_3.a = 3)
! -> Seq Scan on public.t111 t111_2
! Output: t111_2.ctid, t111_2.tableoid, t111_2.a
! Filter: (t111_2.a = 3)
! -> Subquery Scan on t1_3
! Output: 100, t1_3.b, t1_3.c, t1_3.d, t1_3.e, t1_3.ctid
! Filter: snoop(t1_3.a)
! -> LockRows
! Output: t111_3.ctid, t111_3.a, t111_3.b, t111_3.c, t111_3.d, t111_3.e, t111_3.ctid, t12_4.ctid, t12_4.tableoid
! -> Nested Loop Semi Join
! Output: t111_3.ctid, t111_3.a, t111_3.b, t111_3.c, t111_3.d, t111_3.e, t111_3.ctid, t12_4.ctid, t12_4.tableoid
! -> Seq Scan on public.t111 t111_3
! Output: t111_3.ctid, t111_3.a, t111_3.b, t111_3.c, t111_3.d, t111_3.e
! Filter: ((t111_3.a > 5) AND (t111_3.a = 3) AND leakproof(t111_3.a))
! -> Append
! -> Seq Scan on public.t12 t12_4
! Output: t12_4.ctid, t12_4.tableoid, t12_4.a
! Filter: (t12_4.a = 3)
! -> Seq Scan on public.t111 t111_4
! Output: t111_4.ctid, t111_4.tableoid, t111_4.a
! Filter: (t111_4.a = 3)
! (73 rows)

! UPDATE v1 SET a=100 WHERE snoop(a) AND leakproof(a) AND a = 3;
  SELECT * FROM v1 WHERE a=100; -- Nothing should have been changed to 100
   a | b | c | d 
  ---+---+---+---
--- 2096,2156 ----
  (4 rows)

EXPLAIN (VERBOSE, COSTS OFF)
! UPDATE v1 SET a=100 WHERE snoop(a) AND leakproof(a) AND 2*a = 6;
! QUERY PLAN
! -------------------------------------------------------------------------------------------------------------------------------------------------
! Update on public.t1
! Update on public.t1
! Update on public.t11
! Update on public.t12
! Update on public.t111
! -> Seq Scan on public.t1
Output: 100, t1.b, t1.c, t1.ctid
! Filter: ((t1.a > 5) AND (alternatives: SubPlan 1 or hashed SubPlan 2) AND snoop(t1.a) AND ((2 * t1.a) = 6) AND leakproof(t1.a))
! SubPlan 1
! -> Append
! -> Seq Scan on public.t12 t12_1
! Filter: (t12_1.a = t1.a)
! -> Seq Scan on public.t111 t111_1
! Filter: (t111_1.a = t1.a)
! SubPlan 2
! -> Append
! -> Seq Scan on public.t12 t12_2
! Output: t12_2.a
! -> Seq Scan on public.t111 t111_2
! Output: t111_2.a
! -> Seq Scan on public.t11
! Output: 100, t11.b, t11.c, t11.d, t11.ctid
! Filter: ((t11.a > 5) AND (alternatives: SubPlan 1 or hashed SubPlan 2) AND snoop(t11.a) AND ((2 * t11.a) = 6) AND leakproof(t11.a))
! -> Seq Scan on public.t12
! Output: 100, t12.b, t12.c, t12.e, t12.ctid
! Filter: ((t12.a > 5) AND (alternatives: SubPlan 1 or hashed SubPlan 2) AND snoop(t12.a) AND ((2 * t12.a) = 6) AND leakproof(t12.a))
! -> Seq Scan on public.t111
! Output: 100, t111.b, t111.c, t111.d, t111.e, t111.ctid
! Filter: ((t111.a > 5) AND (alternatives: SubPlan 1 or hashed SubPlan 2) AND snoop(t111.a) AND ((2 * t111.a) = 6) AND leakproof(t111.a))
! (29 rows)

! UPDATE v1 SET a=100 WHERE snoop(a) AND leakproof(a) AND 2*a = 6;
! NOTICE: snooped value: 6
! NOTICE: snooped value: 7
! NOTICE: snooped value: 8
! NOTICE: snooped value: 9
! NOTICE: snooped value: 10
! NOTICE: snooped value: 6
! NOTICE: snooped value: 7
! NOTICE: snooped value: 8
! NOTICE: snooped value: 9
! NOTICE: snooped value: 10
! NOTICE: snooped value: 6
! NOTICE: snooped value: 7
! NOTICE: snooped value: 8
! NOTICE: snooped value: 9
! NOTICE: snooped value: 10
! NOTICE: snooped value: 6
! NOTICE: snooped value: 7
! NOTICE: snooped value: 8
! NOTICE: snooped value: 9
! NOTICE: snooped value: 10
SELECT * FROM v1 WHERE a=100; -- Nothing should have been changed to 100
a | b | c | d
---+---+---+---

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Stephen Frost <sfrost@snowman.net> writes:

* Tom Lane (tgl@sss.pgh.pa.us) wrote:

Here's an updated version of the RLS planning patch that gets rid of
the incorrect interaction with Query.hasRowSecurity and adjusts
terminology as agreed.

I've spent a fair bit of time going over this change to understand it,
how it works, and how it changes the way RLS and securiy barrier views
work.

Thanks for the review. Attached is an updated patch that I believe
addresses all of the review comments so far. The code is unchanged from
v2, but I improved the README, some comments, and the regression tests.

Are you thinking that we will be able to remove the cut-out in
is_simple_subquery() which currently punts whenever an RTE is marked as
security_barrier?

Yeah, that's the long-term plan, but it's not done yet.

Speaking of which, it seems like we should probably update the README to
include some mention, at least, of what we're doing today when it comes
to joins which involve security barrier entanglements.

I tweaked the new section in README to point out specifically that
security views aren't flattened.

! * In addition to the quals inherited from the parent, we might have
! * securityQuals associated with this particular child node. (This
! * won't happen in inheritance cases, only with appendrels originating
! * from UNION ALL.)

Right, this won't happen in inheritance cases because we explicitly
don't consider the quals of the children when querying through the
parent, similar to how we don't consider the GRANT-based permissions on
the child tables. This is mentioned elsewhere but might make sense to
also mention it here, or at least say 'see expand_inherited_rtentry()'.

Comment adjusted.

+ /* Reject if it is potentially postponable by security considerations */

The first comment makes a lot of sense, but the one-liner doesn't seem
as clear, to me anyway.

Not sure how to make it better.

The result of the above, as I understand it, is that security_level will
either be zero, or the restrictinfo will be leakproof, no? Meaning that
ec_max_security will either be zero, or the functions involved will be
leakproof, right?

Right. We still have to check other member operators of the opfamily,
if we need to select one, but we at least know that the original clauses
are safe.

Perhaps it's more difficult than it's worth to come up with cases that
cover the other code paths involved, but it seems like it might be good
to at least try to as it's likely to happen in more cases now that we're
returning (or should be, at least) InvalidOid due to the only operators
found being leaky ones.

To test this you need a btree opclass that contains some leakproof and
some non-leakproof operators, which is a mite unusual, but fortunately
we already have a test (equivclass.sql) that creates such a situation.
I added a test there that demonstrates the planner backing off an
equivalence-class deduction in the presence of lower-level security
quals. We might have to tweak the test in future if we refine these
rules, but that seems fine.

As discussed previously, this looks like a good, practical, hack, but I
feel a little bad that we don't mention it anywhere except in this
comment. Is it too low-level to get a mention in the README?

Done.

I also adjusted the test that was collapsing to a dummy query, and
updated the expected results for a couple of new queries that weren't
there two months ago.

regards, tom lane

�RGdXnew-rls-planning-implementation-3.patch�\mw������
�{�Fr$�V�����qw�w�8u���O:I�)R%H�j�����$HQ��������%�`��g��h:U��,�U�k�pw��:��&�D��0]��E�A����?���~P�'�����������=���w�������o�����s���5��km�,
��d�v�41���R;��'0���{��=������B��L������;�tvzyz=�����}'-r���F�h��`�'�7�� Q�M�K��I���^���up���t����a�E�j�;{�}wq����O�7n>qP=�tM�#�2�sez��������q�@l?�������`�����~~@5�T��!n�&�����A�x��|����������W��kfpZ���A#3ZfL�����mH|��o;J��
�����Gz&E�X?0�\�f���>9>z5������'`T�.k@A��8H�1J>
���
�����cl����r8��F�zU�����
Pryu�T��y�r��2�i�S��>��n��[(��:��0���{���;�Q>�g|�/]��\Wr�Q���wWW���<0�\�����L��;��{}sn6��/��tj�������#&@����^x6������6��_��Id��L'v-�;�^�I���U��T��%���tr�aNQ�U��������n%�c�q��Y"L|���n�<�����'�X�������J���U����� �I����6%[����.O�}�� �"�nV�Gc��#��*^���R������&��LO7����+x���+����y��4�l@�46`QT5<8�^_{�B{C�HU�!�X�W�;������N��cMK�0�������Q���S��t���~���������l�a���`�#�'NN6��5
�ad�K8��n�����R��:�K���^��$3�|���w|�������!�X��P��?��]X���Y�m&����Qi������s�������r	TYzo�p(QA2)?��A�E:Sw��7JO�Q�Y�Ur@�� ��MGuj�G������
�v��j�x2�)��o�c��P/s�f ���fS��u�!F��
i���4������h6_{��c(����!!g�|j��C�y,�x���25B���J�*�HI�{�I�L���~�J=��<[��Q��i�cp�(mQ
����P��_-�de��&���dX�v�
�d0������F��I�����i
�Y,-�������%V��PdQ�R�j�$�	��yE�%Z2T����
������A�:Q�T�)=���R��a���%�o���~���a�)��
0Tg�9�z1���O�����b��(�1�;�����Ie���������\�6
o��7Uj��M� �k��:L�k�TY�������F���{b[�wmsV�<��&����i���(�<B�������a�����q`���0E��i�.fV��!�i������lDz�ga��GA�
��{�U��9���NF4��NT�:����
��dLUZ�t���<l 
�(��6b��#R�^�������3��0����}Z�DS�S�8v�9�y8�� h�`�`�B�L$i���b��A_6��S�"w�x���8D6q�V��h"�:�O�#��j�G���X���Y_�j�6���[�����0����.�aJ�h#�g�U.\=��<rd���t�]S ������]�9�xS$.k��}Ls���=�������k��+��U���p.]1��!�e�j�=�ha��du��=	��@9�b
fH2IJ���	q�1�(�O�(g�dC���E�����v%��#xr���,�m��P(Q�yJ���o�,�EIP����,���d��o��0X��M���2�9|���.�]7��
jD|v��,�����oJ���Qu*�O�xI��#��mPL��3�&��4��2���g�!�n���[�Yd�
!;��Rid� �����8'w<F� )�0���C]�����M����f���'p~��h
��Buh��l��nC`I���h.BF�8I��=A��hc�������\
$��KBe� et������R�1 i�)�(q�d8����M��<��ss���(i�-�6s�j
(*�[��"�sI����@�\�QZLjym�z7�N1e�)B)���6�L(����>i�Q��'N�:��V���!Cb#��6�[��Q�g�.(.�[2R���< ���2�������X�
����e�8�T��%�lU�5��j�o���a!�p�[��8p��dE��t�.C�"�4
h^��t��
V��@A47�@��y7-���l�"���G�<i�X�,&�/������b	m!5�����
�5^plUy~JzqjB��^�]hNU��g|��k��\5N#���8���S1�_e;���c��x5�U��� "���9:�@��
s�
 ��_?d�=����D:���T2��4b���K��D������}�MV����]Y �/d��y
��R��,�&���LQ,O���H�K����H�����{J���C��`%!��h7�-jt�=>��^�p���{�����]�([�pLD���g
�+t�n�'�*�s��E9��;.���4J�f�.�#<�g7���E44��!�7�c:=���Ps��*+B�"&��9z�>�Rg)��SEd�c�3CMi�P���\��R�
���|��".	�e�L.�d����2���VT�|(�G`���c
��)6Pw����%��d�QNiBA���
a1XR�"��;@
���r�Z>�JaK%���+<-%�����d���wW�!Q8'�i*5
�V�0a�-x{7��i�4aCK�el��_����P@\#	F���(��h�W}
~�%)�����:�%�W5I%R��w{��d�*�����q(�T���O������ <�*���T����n��������]���'��EG�Y+� %${"C���Z^��o���)wg����Ju���
BU9��X/!��grh��uyeE��x��x�U�o�akE�����Dq�
C[|���8����+�Pj��TN3LG�KR���0���V�-����r+�(&���
�e@K���~��Z�m���y�$��(�W���K��6H?�Y`qH� ���m�>5��c����I�S�rb]+�����?�zo�HU(V�~���15
	5c�L��	��[ew����H�
Y��`yDK,M`{-���3�>���vy�nd�l*�+����e��w�L�w��~c?wbt�*�����0x�QKS�cg.�������O�Fu�3}����_N��O{'{��N���� ���q|���N#N�o��Hcy,m[0��\"�o)e�N{�
�����4�&��]���6~�5q�.�X-����NM��4gD�H��x������-��z�Yr��.o��[��6fW�XI��)��\I4��V�s�0W��iomQ�q)l�����?��������n�)���{'r��W��m�&yC���&|�PD����l�3���$�6F&�� ��|�48��4�w���x��g��s�[������L�j�<��dN���*�|�#���[
G�����(��C���tfR��!ey� ���Z���vya �hH	K{$K9E)�v�nK*|�5��|���o��K����D�N�'��������E�qB2���A�6���8���3�s��t�2pG�|�[X��������r��U��IOB'�dA�H~���:�z�T%k���������uv2V)�&nL���g����N5z��B�Y�����sZ}���������t���R��wbC���o�I_��}�����w`�G��(���.��W��c�����=�����!�����s��M�|�|y)G�"B�h�
��a�U�v2��+�����mM��b�LD�����\.r�jp�()�|�����Oe�9Y�s����f��>:����5 3��uh��|����#/�@@@Aw��s)�A��j�����t��O���e)x�_���^T��!�����-��D�vn�e'����N���2.- 
e�~\( ����h`����S%��%���T�Eu�����K\�T�K\NL}�[��4������T��g���������e�z��&�����?��%UB�Q:��0b'{�=p�_���W�3�2��;p����i[_n����Sj��S����e�W3���Z�xzh�t���I�&D������|R{.�n���N��>��JxYS?12��gM�������c�}�
H�yrx�����	�yVXX4�[�����	C�\>� 7��%m��Q��������,�$U�?C+�K)����n)���[;�s��#�k���}K�U�����T�C��������u8`Y9�i�zuuK��:�lQ8�T!��n��,��J��2�g�J���Fr�n	j\fT�$��s:���1[,��iO�3����]����_���o�"nK���7���[��g����YH�p���`!u.��u#�G�������>C;�WG��e�@�liX��{���.�����E�Q��WAQ�7�I�����~��������4������_v�������.���\��|�pq�A�^^�q+��)�q=����K��i]F�S�$+�R!�,�T�t���D�tH��uQ,��i-7u7[$�+�����ED���8g"�����GTt6�D�bf���;p�I�����9�O]���
��D�������<{��]�������te%g�����s�OVQ-������[�W�~~����8��/G���w-�i������������B(�W9����i��d'�^���+g���"�(��8��"��`�V�mcX�1�=I-�?m��������JiUQo~���l��@���*	��/Jm����&|
���|m����{����y3���us���Z*�����g�*��0�?��7�$7�<�����-~[
�����)�Wq����?����������W�����������P��3��)un��w�?�N����c�f�������L���+Z��H��Y���%�JH�8u~�[�;�� ���S���z��������<���q�1y~�����EY�'���u�HXX���)$���
��YIbq5%�]��W�
�}W_��#�9"s������������7��{�h����e�[RN�zr���N
"�Eb_=�Sm�X.��y���50���L��|�@������uC���x���"%���j�|�LL�\
"G�r�O�\�w��0��0�`�N����TfFU(�����1�i����k!���*�Y������8I)_Z���\���}������]9����k��;����^l@�Ixy��0\�Y�����,��Oa;I5]�\�yzoS\��]��0\��5�[.u������9����.k�"������������6��������n��e����:�k�����{!t���)��wf��e�J������.�d�EW!�&�|����z���$���9!?{����`k}:���o��r����L�z$�y�����(���(�M��{0�QzM��r�����3�%����^��2��	����PB��9�Q�\5H���d`/ ���&��;F��?�0�x'�N-8P��jdwA�P��/�Y���t�WG$��hw��g��e��K���E��j�����������[��\�=�;��}�0����<Awy�]�p��n4�������O�8��[CE�����S��R���%���{�]��g��Dg����
����
�����|,�RQ��.{W�����(G�%�?FE�J=�R�}���Q��kE~O{�hO����`29>:��|��&��W�j�~%Y�ao��e��X�����
����F��C�f0�������/�@�;��U=C���K{�<)�h�y����l�����,����)���k� ���bl�n,��E�/���^��q���g(gY�F7���|SR���t���D���]o�wD���[���56�P�f%7�]6[�WE��{����y{���'���S���\SDW�8�8�r�n+G������$A�1E((Y�'���k�Fh,\�������F�������_%��m����>ek���J��<�W���Z0���bs���z�8��-�T>q������!�b��%<rq�H�
B}��gm�h�d���`��"|�f����6 r��V�Cx�UQ��R�9DO�a0~���V�Q�^�+�V�����P0(/�r�� �]����uL�6M!���d:���#s�%���}�-:j�M�
(9��A� Y�$s���������C8$La�I�'d���Z9���`)1���e��`���cF~@�7���_f��x������i]�[����(Aq]L����e�P��b2�[��	
���A�\J(
ZO�����F���8��Me��	�t��5X�Q MM|�s�3G�'4~+�mt�������l��+�����
��[�'����|X�RR"��e�k�
��G�B���0N��p�wm-'I
:������k3<���G���,$J�h�e�j
0�#���a���%��+C,Y�x��h^���@uD��
�0����������w����P�m��#1��5c��rI�r0v�E�'Hw���ol+��z<�9e����������c���MO%~��e���B��W�����|[��,���c%F�*��)�y����CS�d�P��x�kum���g��lO��Tt83�����Mx(�����7���6*p�']�"�o3�l�)be�y��m�C�8k�W��\PE[Xrf��!h���MaA��e#���7�)j���
~��7Z����.��h���&�"��:x���%,�vl�tl��D��	>jwt��Y��Er�0��������v,SC�l�:5$�F��R���X���i�{^�m{'�aO�P�/]�<�}��?
���9��p,��k{}��C�4������wmq�9��	����>>q+9���C��H����``����`l^E�"���%����bpS�_�O>�,{����W��9mJW�N�Kc�'�z���Q���[C�:m�o0h�|[eR��V\$�4_�]1\��7��mM�w{m��m�EpS�\�Bh����|����TO�/�O�J�N+���"��p�L��t[qwT�za�b�q�3�80��zI_��?(1'��f�����2d����:<�c�{���|b�.#��o�X����Y-�MPa\���%lC��C����R�����pD��6�SB���M�E�p�q��4��������c-B�����Z�DZ�}/}� e-Z>���'���R�M��UX���lB�������E`�l��^M����V
+���0:�,�Q_r�����\.���������&����('
x#GI��J8\J~x������C2ayW����>��4?��V.=������T
=���	��[���$Gg�E���)zu�v��0�����XD��c�8[��M)�C�m�h��4�5/���]�r���y��-��_��$��w�q�B4�z�MZ�{���l���mV(o�X������!�s1�$���iC
�2��������A���N[��<�<)�H��A<�	�����k�k`CvT[����2�Z_��<u�st0CuJa/f*=�42r��l2����/ S
!�\n�'�~<�P�I���^�vz���z_��*�m��7��.	T�O9��.�����8��2hY�(~�i�� m��x��"-6*b��F��ST�|�i���L|uO���~.����vM�-��-�m��qJ�����a�f��q�r��>`UP�>Y�H���f����Ph���03w�qG�Q���{�#^V7�L��2�Lk��48u�%�8�����p��3.���=�T�����#�e�-bX�e�7�
���N'F:�C�9�i(hJ�������b������o%���M�f��K��5�!���� p
3A0<bH�f��/R��<
n�_I���n�q��#�&!��S�LBpI�P��#�����:[&;��F[B��������2~��f1Y��G����!��2������0�}�O��e���}�i<�
��Gx�-dU���io��p�"cL�D�.���'
��h��o�o[��Q����^	
S0n�����m.h��_\�Ih���q��$.����2rN6T���Cx�;������v��
�{��mu��mu���:�d ~��:����{�����Z�������A�8J�����mEY����lW�
��)xu�x6�s��f���
��lc��:�������&ij�g�E�#�'}���L�q�%��_�BA�u�0�8:�M��E�0*	��[�n�:�����[~���������[����@R�B����zT������������|�����T��:���������~��������*e��Z���Q����AR��'�����'2x��x�pj�9;�^/��05(�/��;�
�%����Va���%~S����`��xWf6u�2c��X"V�W����R��o�
�b����(�8W��BY�uyj%7{��	W�'{&��v*c.��;��������Q�����U�w
`�4��u�8_��2�Q��I[]7�1�����#��X��=��B!��_q
�Fi�&��X�N��J��,��z7)�9_�&��t�[|5�<�
��k�")H�A!�n��/
��(�1:A�Ke�yA��x��+)�.F���Rj~�C�+D5�����Y�����Y����>l�~]0��fg��m(�`����Qo�B�H�����d%����(�A���{���\_�zn��)�$��1��I�P�h�~��]t�kwZ-���!� ���GYl*�5�fX��Z��
���t��fqG3��YB�����%y�0P_	��d����oc�#����+I-,5
U�;r��� kb����]^��TR������;.b�M��l�6��P^6���=BGDb.�L���`��GP�)KJ�5���Q�J�f+.��a
C��b��{D=���\�{K�=�	"�UF-��v4�����<P����v�L���*����9�F9�6����mpQ�|�<+��%�����+��f|!n�QLI��-D)��g����q��5�uA�
�
������V�}�+}&��8xI�d�
�9����R5PRd�����!��q��2����!���?�x��r��Z�S�����l�l�
��?4>����d7
���~�O�SG>~�B���CL��Z�}���r���T^�T��p��A��\��$/���
e�
�T��l�dT�������_���;qf#�-��}���j��\KEUq�
 �y��@�����m�����T
S
�Q���~x�L
�\��x�a�P-�p��_H�+S�����TrH�h���Q$+i�}_e���``28�&�s���
�T|(�
����?�!w.���FJ=�
�v�DS�A�V^`A"$��R�D���0���v���1C��T��h!�b8o������8#������J�O�n�D_��fx�����t�� YY�8����T������Y@&���1������u�}]���S�->j����	09�Jw�7b��[��aF�r���q\&~�D��|:F��3�v�!x16>�v��������	wA��k0!�A�A�h���|I���VZ``�{�_M�~�,�F��!����C�D8��'{����1�w
`y9r4>a��4���p����%�Z��I�
�k��n���J���l�7,a�'�'�����q�E��$�b��0qZ������A&�PAh�y���Lfx��K�#b��1��\S�^�A��_A
;'S�K������/
Y�1�4U�1"�!Hrv6+m4�%&��k:�e��T�C�B�2����)#1��<��O8���/����dzH�H�������[$�W�MP���
�\U���9;�S�������

�V�rn)=� {nk���AL%�}�s�`����0�����%_�/b��C�@5�H�T]����}����u`9�$2�G�����J�?�Q�&�
�H��zv����T�t��������o��Klg�*9l~:���9=��U������]�.D�J���Z���E�/�����l]���Aw�5�N���G���zW��E�q
�i4*��\�!�ql�V�!u��M�m�u�
�C�iab�)e�V�8�
�l	Q�1FY�z���
��X���0�G�9�8��L�5���1�����1��'�;|�_��?��1�
��T�4��B�/���P�H
H�>F��9��2a�@MGX@��C|GE�-��e{u=��^eZ�Y4�j����8�
�rv{ &%I�����[��%�M�K���8�"\���<}J_?���\�c�:�
�1]�NKp�FCV�<
����
�����5_���IK�V��&[�����r\���z�� ��2"�Q-�8\4t��x�kY9��Os��EGt?P@�B�/�pW*�>E�_ `N�'Ky3����u��]fr%����e�P����uI�P���
����������9��yg(��s�u�
��G��q��O�1	&�M&��@���;-��h"���\��
>h��W���T���HJ!(�z�^x�jE�������g����{wt�^�BVH�������	�������}O���{]��b�{�)����D�G��$2k�����%41��ZN[|����`�0��mfo�M1�cy0Z����EMZnI��@��������0����;��Jl#��VK��e�/Br�yQ�;1��g)��U��� ��5o�z���.a�`x����S��]d��B��v���&�';l}���t)(
�_QK��,s�%���30x&�RF����
5��@��XKg~$�2�2���V�[-
2BSl�3�������������z6�U4RCm)�s{�B�/��$�b/���^D�"f
��[�%k�`E��q
������5��R�V�2x&���?��"[�������9�
��`:��\&�JV����~�}0�'�i
�v���{�g_\p��LnaW�y@j\�Y3lF#!w�C�n���L�e��J��A�����V�����5�]e�5W��,���/+h���T-����
/�i�)�e��1�Ej�����c���L.���!��9F�b�L�	�F�E	L�p�@��n���E�����q5v��l�f�\0(�R�C�N*so�]x��)�T�d��1Y�i��w?{��������JL���2���O���`O7�����[�'3r*�MwXK
P ���-z����)�����x0/���P��e}�;���&U:�*X�o&����xbQ(q�.gxYA#K��`,�k;�~g�
����,W<��Za��}���>��/N�)�5>��Y�"5/����y8�-3E��T�k�x�f�w7�d5�b�����$:�,*w!F�S�2y(�u�����x��TS���]��Y�=��:Xrl�sN�D�M���������/����^)	Rf�b6�($_N[-�v�g<3G�#8���k$�s7u��"-`k��7hS���N�`��yT�l![�;C�Z��l�Z���.d�W��7�����IW�s��)�.�8kWH�u���:H��D�����<J���~�� ��I\Gs|y:�>�����
�e���y�VVj���Fi�I]��$��	�|����O�����������Z���8���V]X�^7U	�i����\^d2�Fc��~O�uu������(n��`r��^�)
�P�%R�����LF�dC��~�X��%�����3���1�L��B����	�x`��l��C�	O,Y��P�o�%U�&�xAI�=x���g�����M�O���t�NHIV�\*z�.�����q]����d���\���W+�X,��W9�'�M�����8t�{�����%5��`�j����-��fK�5tu���DNQ����������X�7�l�y"��+�Y��tqxW`�'���eG&a
�6}�1�����*{^���L����Q~�:�2B��r��nW�NG�50����f��B��6��;��w��
�(f��uV�h��0�����@$�#����>���^|c�|/��4�m����UNc������Y�P�+�5U���Q���$����vg��u:��(��*�(���%�����>G�������������g�z�'~�x��v�Lo���l2�����+�������o����>��'��bG�
��~tL��`rFunupa���������_e�����vd��\��������`�q+�������Z���(x�d��~=LU�+���C�������������w�����j���{�v�����K]ph���d
M���?���Xe��\?��R4�D�!Rha?S���SmL�ei4��h���(����0�24��f;:�����.�*�2	1�Sh��'@��`X�X\���9�Me��~����S����2�B�|A��H��Y\�83?6~+�7���������_����l���{��Y�`�����Xt�ku���O<~����^'FD�6�
)Bs(ey5q�R������B��o�L�'�X�(qi�oZ�9y�N�Hz#nh�
�[N�k�ud���B���}������?�{���[\�� ������Xo���K- v��v4t���k��A5��tDO���dV�y���r�x��=����h0r�kr���6` 2z��'!������yj[.�u�����@��4N/[�� �T��|;�u��$�	qGLy�#�~8������Q�q������@k�%:�/N�S��[�ef��G�8s������@����/�H�Wg��8�L
��	������H1
S1[��T�
2�i;J1>�\�<T�[������E���o[��2� �M�g�4

�Gl/�����$��iJ���H��YDF�2t�%��SA4�	+��I�y��.)�������@�����z��$�i�!7*a[�*t��m7�D��v��I������6F7@�����n���3�!y�'�V��
a7�V&�rM�n���1�l�?|��G��Tq���ym=E�Y��[O9�L�?�
d6��i7�*�rM@i���%~Ri�Z�j{���k��&�k��5�������lt��rM�\L�O�S��R����ky1����B���
���V?�@�I|!,�&��:�D������G|��bIA��������:�����D����XG'(w�x�����U�
E���./�	k�B�7�����vB}P2��4���:�l����O`sP�XV�w`:�����
?��af�G��.�_\��,+����L���~�����!��PJ0C�@��~�����p������C��WL�������B	k$������E�[|��"��������m�
�$�B���b,��p��	|�WB�P��d�'-���\ad)26��6�r��`�I��?A�A��Z`�ZN��xiW@�"n��n9%�y^Qx��
��`O�rv�)������b9q��������O�:)v�2:�Q��p�#����������M*�2 ����/���e�Z��V�xy�����B��-������\������u������]�����T����������u������R;��b�'JZB�
W����E[y��S���(���/�����hDX���7��v<'����Y��	�h}U�������d��(����������o���O����@����)���b[-N��1������t9�U���V�i�=^oT�5F�j��	���a�����e�� ��(��r7�G��T�@���"����^7�[
�?VJ�<`K2��&�)(,'����.���F��,�*0W�����X�B���M��I��J�(�O'G���p$A`�c'w��3FdL0��=0:h���r����R�������	X���8j!�
�x��J^��������=D6�|V�s�V&c>�M�B���v��y���|��s��|�LS�~s��yD2���Uw|y������^�v��_G���'n���8�@�7[Fz�=�-^u~�
��i��r�X�7�J�u�2�}��7�c�NV

F�5P4�lq���T-H�+-E!���T��^- C�Wg�
��h%
��CO��GaK����G��#�a��"1�����$�L�D�E�)I�
�MFT�oi��Z:��j�-�:`�1S�2k
����v�v����8���
\�n���Z�Y�W���Rb�����o�q8!�~�C�il&�"�����!����sU���_��k��h���^Fh�A+������,���v(��y��������k����
��2��	8 �����6$�e���0c���	I��BQv/I�(��XwO��S1���Ul��>�e	=q	���e���q(����Lo�L��P2�3Ry!�4�����Df�}��g�8�jk
*"DKI�b�
5�<(5 �q����#>��#�7���&���?�Q��T���?[�g!�FT~��%�����<�Py���a�2��L�@�l(~�'"�W�V[,��)(��o�0<�
o�e��Z�t3wSu"�Q�/�	
r�?�$����(��p��I	�����4
�|5��.��VWW�zz���O�Og�G�G��q�T�Dp�[ ���n;���|MM�-����lWcys��?����	��s_�/���������wG7r	H
	���������9���#��z4%	�]����r�,�a��<h�AM����4g����F�\P�b�2��N��a���i �'�?���_^���q��������A5:�lu�	�F��d�}YHa�-���}G��f3�������+4�V\hh�������!�KV4g��8Z�!}���%'sa��jRg��C
��e���QE���N�94����Zv9��<D���+Xu��pC�%=���{P#�u�ng-.�]�b�8�p"M�)G�VW�������f��3�JQ���(t��j��_`1>���LT��q"#��Y�Yd��\��!�A��<
���l������X'�#��v�G}��2�Z���2D��`��E���9��t�.�f�J|�>9�^v����g���Br.f�G������9X^��&�]���d�/�p�/g�,C��t���.rv	�<���>T�>��{T��G��\^!w�>����;���y�^��X��r2��Q�nj�h!�!GoL��4��MH� � �`8�
�:�K���l�Vto*����V� KV���b��R�i�HE������y�� �m�t��C�e���Z�
7����^��j`����
��#�����������j�cf]�1A����4��w�s�M�����K�v�O_-��>�$|T�Cna���N���_�1���<����b
2�������`���s��N��h�$���&}6��^0Q����D4)'����Y��F��%���U��i��@�g��r���@��N��A�CK��8AX��/�]
W�R�����\���0Y�J�����:j`����*Ct�Z;��=������H�T�8y�?^Q/�
���Q>^��U�����=b��"��#+���Kj�*�����a^b��!0S��E���eD���$uk�V�����J�I�Q�2W�S����1���y����FWlQX*M�x��6<����<�'�:GTyUI�Mx���.�tV
�����=��9�`�#<I�����9y���Pb���1��I{��B�}����c���
\
�t~�����f}9oi�
��b����V�����*���G]�����|��&	�D�P�	�����XVA���E�p���lq�V%��G�.n����1jqH;}Oo��G����)�S�P�Y�����<^b�3��~��2�4��?�'������@��n���;���3��k��U8�|��0������b�
�@�P�%���O���h�������J��eF{e1����/����v����2&&�P�\{cj
�� �����vR������9�4XK����l�J�B�[x�8:==9��g�3f�[B�H]i������|�`�����L���=,B��P�e`�7	Y�O��IC��q/M��&��D�a���0��W��K���Y]�����hX�N_��F�px���X<6���~�C�#?��A}�w,HZ���@��0f��t����9����
D��6�z�Ri'x���M%7QW������dgbmo�����Rc��'����R��-p��"6x��Is��o�%Z53+��?�3/�����D}8a���N���
|�������)!2�yn���r�,����"�4�qy�m\ �07�6p���'����+��f����}����z���;�Q�����z�	#�o���W��^E�t�5%L�=��^� �i����T�\�>�`�1�X]�b-X���� ��#:�d
>���I7T�x�J|�����?��&�/������'�\�GE�{#�v8 �A���E���6�q��B@$<0gGA���������o0	�92�ac�C,�|�t�W�M�[����
/q�j������&�����l`�f��x��Q��� +����*�����������@�%KXmRK���
��m���S�>�c����k��&��2�Q��+KeQ2�	[���Csc�� ���2��Y$U1�L�B�,#��0������i��5�r��H'[���|G�y�&�4��(�ZT�'�m������ZH����d������T�_��h�����P���M,.��3B���������`uU��U���ti�R]�u����Y����qu��J������)��
}i�Yrb*���$\��
m���O�� �P��z4��g���~�����t���yi��Q�����!�R0mE��%�1I!�D�KK�y�i"���Fo���he����:�O���Y���Y�8�&���j��L&���
�]�['�&�QYPM�iU��dT�p \�8��xl���N�@�����<��fII�pY!�^a<0xB���Q6��N�
���#LE��5�K�H�$Q�hHJJ
�qt�!�����2�c�ko@���#��{���2��YpC��^�/�FVx�R��mVF�:�{�H���������$2�����D�8�8��)$�����Y���s��XN1�[�M6�����Znh�V,�I������	�9��{�������H{�`�X{����Un���X���'�����U������s��)��Ke��������wg��J����
�0�#�W_b!��p,^B�0�?Q�/�L�$^w��(M��,i]8%/A�Q��O������G��C�sZ�������l�9WC�B���R] ��_�;�>��Y=�S���"F�JQ����P0Q{��N�\��f*�nv@��gc��y:j
�|t�N�5m5��������G���Rol���C�[
�
5�,pl#"rO��G�
PF��
�l��b��X�:�l�����Ut�������*#��'>h��`'?���3�-���)x���������MjX�@]�s(�h
�479���$��)�T���)�.�A�"�����U���.���huw��FnU�1��w�������lz�v�����aIG��+i��7�Z�=b�v� `��I�w������Uj^<j�'_����/�H!�����f���P�E2J�������f�mY�,��R���M����^x��4��"�W����qXy�D�����2\d�j���p��l���$���F�1]��0�rw<�1�[���~=��9NJ:�M��[�;g�1��TBMY��u1�(�+(����9P!�Hx%=���`�N�B�r KUau]�pO-��Az��8�$�UG+�2G��"O������3�.���r��v�9c�����[~�?5J�v�S�5�jO����lQZR-/�����_�F�+a��g�\�g�M*YV��Td�.���/y2z��z�eE�$��T�J�rB��L"����-����_�V���MEN����:Xv�m�m�\tP%;�m����e^������A���J�I�Q+�Ry*�m�h�M�}'�5��~{���5��To5��T���������3#�L�za����2�[�ngQ�*�}I�*���v������%�dJ4����L�W��b
R���F)�E
�)�9��M(��vR��
��WA�*�U��vwF�6�y��!�!C*m���)2�����X�F(mH��:�}��aT�
��o �� ��a/������Fl-����02T!P���C���� �@M�����
�������&�{�����4m�N.�|����'k�{�d�po���|���
���N2�T��v�v��K�R9Q%%JeD�������P6lD����i��z���"��tqEnQ^J��T�%eU���S)3����Ek�A�O;UJ�*:�I���l�%�6�X/|�*���!xc��k��a[z�������o��rSNe=z�z�|)]���
�
t��
����U�`q�S�U`�k!��!��)��
�����A"S�.5,2�� ?'���K�,�T�B���"������,�1#�!UL�*9���Q 3��(�l���HdC���Z����^S`"$7$������B����KRFgS>B����zf�i����C>)�B�����*��A��r�)N/��Ut�:wdo�)���2�W+�-�<x�$M�&S;NfGI@#U:B��T�H��!������u�7W(��oS�T������2��1��q����eY���u�%
�������F��@\#�4�w
�)Iq,�I��)���|_�:?5��-�h�� �3�e���}����R����
x���P���2�T{�a������C�$���	��~�]��s����9`����y#O�-
�\�'jK �w�k������Qb����`+�
F��x�>�	����o�B�[.��75z^^�I
�%S���C��W��Dk���fDY���=����D�� ��������HZ��w�#��
�Z����Y<�$b�q��F�v��>���������;�?���V�$�=!���)�
M���4Y����l�.+�
����%U�W�50���D�����:34�U��R��Z��]��u��98
���7�� ����s��?������6�?v~�;2��=I\+���d��H�rP���@c�����'dH�-\�[O2LB�^YOMA5�CUt����i�@z�7���b(����u8pN�h�P��J*�d�+A�i�b��G��h�{5e�����0V���c�����u��s;]��-�2�����#2�(%�MA�#t��MJ�G�xnZ
�i];[2�s��e�ApI������R.�q��	�
UHX����$P
�vh�������,I�����	<�n�d{�������(o�f�sf_t��v���*������\�k�}=��-H���u��jK]����F�
hJ^Zd����� W�R}!�������R���:v�J�f�U���Ya��o��E��C�
v��\�m��2\�.\e��	WZ������>�i����2�vl���O3�B
�$~1c#*z��=�F��|����Q�������l�e�U�*#��4Ub����N�<���R����~���u��{9���#.��n����0��8�I�=��B�)qNa�r���
�O�Q���������>-��>�YI)EL���Ti�;'&��>N�M9��� �hIa��3{��O��;k���h%n����u���+3���Y��g_����a�w2��"yQFA|��G(��U:Z��������`�n��������P�Y*7�r��
����1Y�1���g���`~;������Y�/s_p��}���2�I���,����g6�uf2���g9�U��(8L�b�t%�R���HV����Z�$������Dmg�Dx�&>���.B+{���m�����I;��<���HD!�l��p�
��>
*&�-����?�8��(5.�\`U���A����J��d3#��������,�6?K�����'5���������#
�W����m�9�oqo�s�z��H.�c�_������X�5G<z��v:~��M���P�r��$A��M��upt�d��@�����;	!e��IN�>��C(���H&*xF�9E�&�� �������}������C<4v&�
�jge�����FI�4�]�������M����SL����d�g�� ^�
-R�4XV��z �����0a�1������w"t����8����nw�v��`c�����Ah�DDY$g�ru���`g��::�%�������tNy�����E�y��E����G��:��_B^�yh5�.C�J�AH��q�l�(�!2�~&as
'
}=�0�iX�Q1z2���M�/�h'Oc������:l�<l(�$���%pV�M��P�����fs���$�29h��
��
�BhZV��@�-�@�����F0Q�������X.�t)d���f��-�W�o��UQA�G��������,�o�R��A�E*��^uf] �t�����8�!0�~]	6�C��7�9.����^3�������7iH�x�^�!�#`(���O6�G�~�����},�����3�gsVsez.��0��?��,��e,�S�<g"_�2a��ui��L"�O�F��nzx�j9�|/��L/�oT���1/��
��ch�'5�Z�	'�/�~t����=��1�,�o����,(���*���G}�� �]Ch��k)��%����ov��U
&��F���\o����im}����_���<�z?���Zu�`:��k��@t��c:,;#�C0g��{j��B�B�>��f�
5������K�8�v@��A��C^h�]|Z�x���lgc:�	�AFaSo�'����*_���3�y���L�XoE+H��O���I��v�K*�C��� ,��A^^H`P����@h(��d"LN��\L���l��2	E��o�:?�x�6���+�a&+�Us��9;���G��P�BM�����x�}u�<^���|)���R%g����K�3�C���V�z�-��"��3?�����p��V�w`F�7�E���5��y���H�=�B?���-C�/�|�M�w
���v�{�1��������������D>�N?���H�%zp���>P���Q`Y��O�z�CN�;�r�A����q���V_{�)�_�'��$����k�V�K0/D�����&|�lOG��x�lN���z��Oc'�+��Y�T�XX���kC3&�8W��)�g�LL������F0����n��wT|���oh�e�e����,����"��5�'�6R:��;q�'PH�j�E����
����je��9��S��O�t|����������/�p������m4�C.	���~�$0@���~�Iy�����`g����Si���:����������l��io4���3�m�LS#���8��#/ r�����S��Iu�1����S8�I?�@Pkuh�$t
q��
�o%A.�z�����0
;�@!������=�q�U��]R�]��A�7O��w����%�f]�6�z���T�����-~
h��+��r�&�;�K�+�RK��l�b�s���"��
�_������2��v���o���
�/.���DF��p9��a�1z|���`�������<-��n�=*��?�N<����'���=duZ,��@]��m]���)���=B�
��V�Q���������G@
������c�;�!@�d\7^�a�Uy�`�P�x
7�������;�?!f�tO�����3qq����'fBSJ�t���~8:��%�}W�H�p���{����B��FK��

O_Z���M�=�?Y���������
����?::����1��Pl����*Z]��Y.���6p@�r��:@��T���i��_pN�z��D&>?��������u�2Q�ZZ��}/��
W����N�Z_a��
l K@#�G�`w�9R���*����/�g�
�L/�S������&�K?#9e�J����~�S�E���r���A�e �lrS����!�L�YK�5��m����bM2k�|�%j:\�7�UA+�������4��n�u��}����rY��P�}~�)����K����������F'����SHv|�v��|9�0�5m��#�3�	��.�k2g�����+x�[�i��
��a�����
����|\�<;����[�1��h�ZWp4<�����c��z�3���{�9{�s�WJ%�_��QM���H8��m��Dj�vJZ2�1������������������p�w���_b���������8�o��
c�m��&C�E^�r�o{�t���kH;��:�I��.@��[�.�:8��KQ`�����>�rY|}h&���P���u-��V�����E�YN����X���7r���0���F��t�T���J�cO��!0g�����v0/�J	 ���lE]�38����|����>���r���dn�[�4?z��W�W�b{zu��$prW�d��*��C��:���)��+Z�����&Kq����j��O�J= �V��{N�nu�M��n�F���@��*M �>�
�;9;~s$�}S�9�^}k�7
D�X��L�S��9��c������_J)~s����u��Y�x�W@%+���I<������>���k�s����Y9f����7_��|����J���I��Y.#��\���4)��+<W��ro�LTNm��s��dq����G��m�6\�w��>��~kat�X�,�����<���hg7!�z��GXk�T`���%��c-j�c*!j`
�D�-��O�(gG�O-��2�ljzW1��������7`k���Z�S(�Q��n�M`	}�����;�������������lcN�C��B4�GnVl�
wH��o��4��%?=l��
��!j.�A�Z
y��(�F~�����F+���
m#C��(�j�lcp��b
�,��p��Z���<����v��'�lc��]�+Z�k�F���V���M��V�9,�t_�������u���h��;�_�n�ns����c�!�/��2���T�|��+@���e����x�<�9��!�U����Q2
��^�
���#�����m���:���M�����l��l������+lk��������>�*r�vGE�4�;����j�m���S�#��Y���Y���H,��FO�R
�P�6R�*��X�I+��9
f���[�����x+�����?��$��Q���?�����v
�C%���&�Hm��ym�$�����}n��Sq3���F���F�q8���r����s:�:c'�7�<�qI]�0��c<�b�9������U&{��c�T�6r!�=������IN!S���^p+6��`���r����������n�k�Z����,P--���}}�+k:��?*
�M/�6y�t�;u7Y��@���'�����>=:$�(���o!��nz|l~t�@~�?��Q�(ri�&����SL+��Y�����Aef��R�m�}����E�^�����2�w����:���F�s��'��k�b����������[-���v��|��X{�*�Dt3��j�a��9��&�����
J3�k}x���o��x�����v���U�b�Mq7��R��D�n���y�i��{n�l��M����w�^�s&�����i���N�-��u �jT�f�pa��������C������l����6?�r� I���&�C����������"���2\]Y?�/qe�A��W���������z�'w���/_���xM
���u��OeRx-��>o��N��O���'�B�vbE>�?~������y�����r�����D������ ��2��f���I���a�l[�4��Ys) `)���E��Z����"=MM�~�H�F��������r�5p���oM�iw:�,{;�L=oS��U�~�b�Lb���~R������3��>)�x=��-������s�Z�����xZ���s��B�5p�	��C��/X���2�����Z9������3z������t'�?;��1c7�s����H���H���T�o�p>������:�7)w9���?��6��fO�
��?S��$���L��U�PpL�ze��
�?2��o����#dwZ��Z�+��O�����&����GrCN�?=�zAt��A����t�Sq�N,�.c�r�����)T���cB��n�mn8�
�)w�Z���5�
N����������q�����xS��G,�����9�m��4F���`�|�����E��]�������_5���M��.��?\M�D��Y�U�*�����>�{�J��NQ0����:,�p���;�[>Rw��z������|}^/��:�@��nbVz��x'a$���o��>�o�/<�i���j�F�	P���+s���$���oo)R���L�WW�����+���
�F���\�0J"�0����G��$�v#f����V�P��x`Wk;�y���s)'T5��T�����_����H�
^|wm�Rbqu��S)b�F��G������`�BT���9�uB�EE� )R�`�u��
\ �\�X����x��`��pS�[2n��$��/>}�d����~+�n�N��Wp@Ho~25G����>';5��n�]]�6�]N��rv���oa�vW�g�[���.9��`���Y���c�w/�Sgjn�����<��uh�g�w/kSg���<�m���v��n������s�G�u�@w_u��=4Ur
9Q�����{��m8��:�v=�z��xB�%�
>���=VX���z�h���$�"6���-�`��>�;��tC{8��el�T���}mvu�g�F���������<7���V����W��G��.h���_O���u��|Mqwo�v��L.���z
���T���N�S�*��@yV���2�����#CG06���\}6��� pG��0?94/X�GgN�A0�76>�����QtM.���+
���l�K�s/��;�=m!J�������wC����aGa���
��%�����.�]g=��b��������:��m�S�#�X2jG5G�$'0��M#t���d���c�N~S8�M���p�)F+�Ey#�f��;��;��y����	������#fk�R�� �j��tjU4��}o������Xu��������`#{�d��{�c�~X�������{�l��w6�?��	�����D�n}����=�y=Y�si>�w6wZ������W6:��.z�J$]�����[�:��X�}�W���|��N���;tw����j���~k���=�
)r���
E����J;�aT���2��nm��*u����X�{��Tb-��~tj}�O��G���
�t��Lpk�XBc1���Dm��X'������"$�_���w���}0��D�*"?��
���$B��k����\�K
1�]i��F,���AL4�\���\WEq>>�x'�����l����{"@�'n^Z��r��pf���w��N��?b3���o��~8z�9�����O�	�2"����m��U	�G��'��]���o]��9�d�_������bI%���<����g�������
>�����������D����>b���%��0#G�W�I����Q-����-mb,�����V��ZM
�Zn�F���F�N�u\w\C�� ��v?3>K������l�u�j��v[�^0rF�dL*Q���%��T�/U�>�A{T�z�
t�:��&�� �h�t���u7X�;
5"�&>C&����4h�6E���B�7�p�j�_3cq������Q��7gX���Kk*������_�Y]����_C!-c�������S=~��r�Z?>���+���"\��~�s�#��Z(`��lMQ|��x��)�"�(7��Cjj�G���^`t��_��u�����9��
{�+�V4��H����[�h�bSk�W���UGd�V���}J�v����Q�tv���\)6�0Du��l���6������i75������`�+�z������������n���<<^���S����D�{�6u���8(a���]o�B|�����N����]5�/�J�Uix���N�xu�j���_��ut�~�v�������8-��{z�W5�>�����:���1��]�v[��GV;�?���|U;7T;��j��v:��r�5����jfw�������f:_��:��_��G�f:[X3����B������V~U+���_���jev]$p��f�MdE�j>���|������k+�Y�&+������WE��"�U���H��"���Z��:�g�N����j-����2���C��<��?�f��c"�N9�`��o��@�&���i���B�3������D1�d�h
gA�������f�nz��������km�N[l�n���Z��"��M�Bk'�T�	�:^��Y��E�\�#��m�p�8_����|���K����e���OO~��v|�w���nWp����p��D���������K�7�G������)��!s�#��K1���Y���v�t~��u�0fr9��j��j[e����y;�o'A������b�c\sr��W���4������x!������~��N��[�6��k-P�/Z�'��?u�^��:-g��{�n��[�/5o�(jN{=Iy���	Y;5t7��������[��\���>���Z����@�o���]�s�j]L�v�	K�UW�qZ�m�\Ta��4�mqn�!�/�o]�c���Q������;F&0l@7w���D���NVl���������u[k����`i�*f2���D�9���s4�������3����G�H���&\L27�����0�3ZV����]i�������W�� �J�f�I�~��9{���#��uu�s���J�<&^\�!��+$f
m/=��r�v��7�� ���������q8����2S�3�nV�%Vy��i)F~��8�v������&l�,&(���o9:�����^S6��&v���j;}�m{�DQz�C/�lSR���A�����W<��p|�?���Z��8�jD*��sA'v)�1�H������HP�%)�&���;������8������wg���CC�[.+���'����4~Rz��	�
��ZV�T�~KO�L�&�>�d�X7A;���a���_�,�#R��;p�.gs9��h���	a(�6k�F?��������'o�C�6��H��O�Km��9��:{f��R�O�}Q�P��7b���`�`��a[=Z�e��l:���b�-�/@1|������@�+ �t4[GM����k�?f�I���NG~�������;��%�}��F������E�8R�?�8���4g����k!Vnr�7y��xQ'7t_���W�o�h�W
�hK���%��G�0���������4C���S�E;?�j��Y4�������_�FBcy��e|�K����������
���#[E
�og��H��]������,�T��p�����+� ��z`h����X���PH&�'�
���x�^~�B�qZ�
���"B	��l���[��j�7�������������;�����Z=u�w����N��C�	��#����{c�kqm4t�0u�uA��N����P�/=�6��e#�n������7��?J
O�B��}q��x;]+�/ �n���E�����$ �A�����r=���CM��B���aw��{�v�SK���-7�K}��3i1������#e3�mQ�F��<b��Rh��.(c_�E
YgA��z��cp[�����a2���U��j�����M�Qx�����8�MBV�I>�q���~.�������8�-�c����W��o���{�����_�'s=.L$����U,/�#�,��IM�W}����:�~�)�oG����?���3#���+�_9�VJ���&�Z��T~.`oe`W��k
�}�4S�/���Q�|��n����Eq%OV��*~	>�+���c�;�M��������V�H���=����������n�j?�'&�]�D�P�.g�U��w;�]/����-T{|u+c����V��R����w:}��W6��������	L4���:i��]����v���8j��G}���u��8���*����C��C�������b�7��	�yy<A�����=w�������z��7����N��w�v���������-
���2��pmQ0���0+���a=�����E��"�m��*��n(��&����H�0�?v�����N�����vq�
�u�\_t`O)�A��~u��[W���C����v#@����7+@�M�[K�xe�c
���X��X�x����T�p���_|��H�4V?%�;��;l�~���A\�!������XCi�~�z���^^u!.�k��^W���H����i�F���>m}��Y���D�hsi�4o���)��v&z��������|�_�(���_���� ��T�[��F����B�*���lJ@�}�[��[c��
V����S������1�����l���������mK�\mr����������%����Z��].�����-{S��=D��������\��|fZ�����h���������n]�)Z�p�%JbZ��7�r��u���a#��%��"6�����5V�g��LR^������I�������[8I��$��R��\L����P��uW��_����K�p�P2�C����-��W�]���A�wN��`>����jZ�S�_Nf��4}=��T��r{��wj+���^�/��L
������s��s^��t.�|8;v.��o{�r���\�����&�e��m�0^f��xM�����;/s���2���^���e�o�ef7q"�����cr7��w�n�;�]���pws�r7�7q7��8�$�w�m�+�����}�w�w�l��;���~���w����[����!A�CAt������Ams�}Z��7��$N8�|�t��aKe2e}�����
*l�����c�{
,n��"����5�Y~/�,����,�����Qt���5=�Yj�nHwD
�D
��f�(��{��\��J�W��Y���|��})�����������x�GQS�j�;��b�E�7�'�^��
���W`-�)@X4���*�OWs�����-�
%�MNI��a�I��Y-f�
��\~�`[�V�VJ�}�����
���EtL�\�~k~��6���/&���6��/g�X,��%� `�`:���C��Q[��$�s�����0��e�<~�:�r:�� �2(�	7F������x���h�W�Ex��hCL�����s��?��T������H�M���_���	�o������%=����k�vJZ=e7qk��}o[7�����al��blk����a���<f���b�
�=�h?a�o$�,q��q��k��^�������/G�sA8�z<tX�(��s��sX�~���H�ta��?9dc]�E�8P� y�%���D�����P?@+Z��K�p���m ��Ds����Dw�?�F��K-,X��
���,�"�����L�������&���<���@��?��a,��
��
�B�o�jy��-���,�G�����fs4�vF����6uV"�M�kcxm�!.*F�@�K��4(C@������w�S7z��+D�R��s������m������5!H7�

On 28 December 2016 at 19:12, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Stephen Frost <sfrost@snowman.net> writes:

* Dean Rasheed (dean.a.rasheed@gmail.com) wrote:

Hmm. I've not read any of the new code yet, but the fact that this
test now reduces to a one-time filter makes it effectively useless as
a test of qual evaluation order because it has deduced that it doesn't
need to evaluate them. I would suggest replacing the qual with
something that can't be reduced, perhaps "2*a = 6".

That's a good thought, I agree.

[ getting back to this patch finally... ] I made the suggested change
to that test case, and what I see is a whole lot of "NOTICE: snooped value
= whatever" outputs.

I'd leave it as shown in the attached diff fragment, except that I'm
a bit worried about possible platform dependency of the output. The
hashing occurring in the subplans shouldn't affect output order, but
I'm not sure if we want a test output like this or not. Thoughts?

How about replacing "a = 3" with "a < 7 AND a != 6". That then
exercises more of the possible types of behaviour for quals: The "a <
7" qual is pushed down and used as an index condition. The "a != 6"
qual is pushed down and used as a filter, because it's cheap and
leakproof. The leakproof() qual isn't pushed down on cost grounds. The
snoop() qual isn't pushed down on security grounds. Both snoop() and
leakproof() are used as filters, along with "a != 6", and a SB subplan
qual. "a != 6" is executed first because it has a security_level of 0,
and is cheaper than the subplan. snoop() is executed later, despite
being cheaper than the other filter quals, because it has a higher
security_level, and leakproof() is executed last because it has the
same security level as snoop() but is more expensive.

Thus the test is more likely to highlight any future changes to the
pushdown/ordering rules. The output is also neater, because nothing
ends up being printed by snoop(), although of course it is OK for
values greater than 5 to be printed.

Regards,
Dean

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Dean Rasheed <dean.a.rasheed@gmail.com> writes:

On 28 December 2016 at 19:12, Tom Lane <tgl@sss.pgh.pa.us> wrote:

[ getting back to this patch finally... ] I made the suggested change
to that test case, and what I see is a whole lot of "NOTICE: snooped value
= whatever" outputs.

I'd leave it as shown in the attached diff fragment, except that I'm
a bit worried about possible platform dependency of the output. The
hashing occurring in the subplans shouldn't affect output order, but
I'm not sure if we want a test output like this or not. Thoughts?

How about replacing "a = 3" with "a < 7 AND a != 6". That then
exercises more of the possible types of behaviour for quals: The "a <
7" qual is pushed down and used as an index condition. The "a != 6"
qual is pushed down and used as a filter, because it's cheap and
leakproof. The leakproof() qual isn't pushed down on cost grounds. The
snoop() qual isn't pushed down on security grounds. Both snoop() and
leakproof() are used as filters, along with "a != 6", and a SB subplan
qual. "a != 6" is executed first because it has a security_level of 0,
and is cheaper than the subplan. snoop() is executed later, despite
being cheaper than the other filter quals, because it has a higher
security_level, and leakproof() is executed last because it has the
same security level as snoop() but is more expensive.

Will do, although I think that the next test case (the one with "a = 8")
already shows most of those behaviors.

Maybe this one's just redundant and we should drop it?

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

On 29 December 2016 at 15:55, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Dean Rasheed <dean.a.rasheed@gmail.com> writes:

On 28 December 2016 at 19:12, Tom Lane <tgl@sss.pgh.pa.us> wrote:

[ getting back to this patch finally... ] I made the suggested change
to that test case, and what I see is a whole lot of "NOTICE: snooped value
= whatever" outputs.

I'd leave it as shown in the attached diff fragment, except that I'm
a bit worried about possible platform dependency of the output. The
hashing occurring in the subplans shouldn't affect output order, but
I'm not sure if we want a test output like this or not. Thoughts?

How about replacing "a = 3" with "a < 7 AND a != 6". That then
exercises more of the possible types of behaviour for quals: The "a <
7" qual is pushed down and used as an index condition. The "a != 6"
qual is pushed down and used as a filter, because it's cheap and
leakproof. The leakproof() qual isn't pushed down on cost grounds. The
snoop() qual isn't pushed down on security grounds. Both snoop() and
leakproof() are used as filters, along with "a != 6", and a SB subplan
qual. "a != 6" is executed first because it has a security_level of 0,
and is cheaper than the subplan. snoop() is executed later, despite
being cheaper than the other filter quals, because it has a higher
security_level, and leakproof() is executed last because it has the
same security level as snoop() but is more expensive.

Will do, although I think that the next test case (the one with "a = 8")
already shows most of those behaviors.

Except that it doesn't have a cheap leakproof qual like "a != 6", not
handled automatically by the index, that order_qual_clauses() can
assign security_level = 0 to, and then move to the start of the list.

I think it's probably worth having a clause like that in one of the
tests, but it could perhaps be added to the "a = 8" test, if you
wanted to drop the "a = 3" test.

Regards,
Dean

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Tom,

* Tom Lane (tgl@sss.pgh.pa.us) wrote:

Stephen Frost <sfrost@snowman.net> writes:

* Tom Lane (tgl@sss.pgh.pa.us) wrote:

Here's an updated version of the RLS planning patch that gets rid of
the incorrect interaction with Query.hasRowSecurity and adjusts
terminology as agreed.

I've spent a fair bit of time going over this change to understand it,
how it works, and how it changes the way RLS and securiy barrier views
work.

Thanks for the review. Attached is an updated patch that I believe
addresses all of the review comments so far. The code is unchanged from
v2, but I improved the README, some comments, and the regression tests.

I've reviewed your updates and they answer all of my comments and I
appreciate the EC regression tests you added.

I also agree with Dean's down-thread suggested regression test change.

Thanks!

Stephen

Stephen Frost <sfrost@snowman.net> writes:

* Tom Lane (tgl@sss.pgh.pa.us) wrote:

Thanks for the review. Attached is an updated patch that I believe
addresses all of the review comments so far. The code is unchanged from
v2, but I improved the README, some comments, and the regression tests.

I've reviewed your updates and they answer all of my comments and I
appreciate the EC regression tests you added.

I also agree with Dean's down-thread suggested regression test change.

Thanks for reviewing --- I'll do something with that test case and
push it.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Tom Lane writes:

Thanks for reviewing --- I'll do something with that test case and
push it.

sqlsmith doesn't seem to like 215b43cdc:

select 1 from information_schema.usage_privileges
where information_schema._pg_keysequal(
(select null::smallint[]),
'{16,25,23}');

-- TRAP: FailedAssertion("!(!and_clause((Node *) clause))", File: "restrictinfo.c", Line: 81)

regards,
Andreas

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Andreas Seltenreich <seltenreich@gmx.de> writes:

sqlsmith doesn't seem to like 215b43cdc:

select 1 from information_schema.usage_privileges
where information_schema._pg_keysequal(
(select null::smallint[]),
'{16,25,23}');

-- TRAP: FailedAssertion("!(!and_clause((Node *) clause))", File: "restrictinfo.c", Line: 81)

Thanks, I'll take a look.

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

This causes wrong index scan with RLS. Maybe function restriction_is_securely_promotable is too strict?

You can reproduce in this way:

create table abc (a integer, b text);
insert into abc select (random()*(10^4))::integer, (random()*(10^4))::text from generate_series(1,100000);

create index on abc(a, lower(b));

ALTER TABLE abc enable ROW LEVEL SECURITY;
ALTER TABLE abc FORCE&nbsp; ROW LEVEL SECURITY;

CREATE POLICY abc_id_iso_ply on abc to CURRENT_USER USING (a = (current_setting('app.a'::text))::int);

# for bypass user, index scan works fine
explain analyse select * from abc where a=1 and lower(b)='1234';
&nbsp; &nbsp; &nbsp;Index Scan using abc_a_lower_idx on abc

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Index Cond: ((a = 1) AND (lower(b) = '1234'::text))

# for RLS user, index scan can only use column a, and filter by lower(b)
set app.a=1;
explain analyse select * from abc where a=1 and lower(b)='1234';
&nbsp; &nbsp; &nbsp;Index Scan using abc_a_lower_idx on abc

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Index Cond: (a = 1)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Filter: (lower(b) = '1234'::text)

This only occurs when using non-leak-proof functional index. Everything works fine in following way:&nbsp;
create index on abc(a, b);
explain analyse select * from abc where a=1 and b='1234';

I think crucial function is restriction_is_securely_promotable. Maybe it is too strict to reject normal clause match.&nbsp;
Could you please recheck RLS with functional index?

regards,&nbsp;
Mark Zhao

------------------&nbsp;Original&nbsp;------------------
From: "Tom Lane" <tgl@sss.pgh.pa.us&gt;;
Date:&nbsp;Wed, Oct 26, 2016 05:58 AM
To:&nbsp;"pgsql-hackers"<pgsql-hackers@postgreSQL.org&gt;;

Subject:&nbsp;Improving RLS planning

Currently, we don't produce very good plans when row-level security
is enabled.&nbsp; An example is that, given

create table t1 (pk1 int primary key, label text);
create table t2 (pk2 int primary key, fk int references t1);

then for

select * from t1, t2 where pk1 = fk and pk2 = 42;

you would ordinarily get a cheap plan like

&nbsp;Nested Loop
&nbsp;&nbsp; -&gt;&nbsp; Index Scan using t2_pkey on t2
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Index Cond: (pk2 = 42)
&nbsp;&nbsp; -&gt;&nbsp; Index Scan using t1_pkey on t1
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Index Cond: (pk1 = t2.fk)

But stick an RLS policy on t1, and that degrades to a seqscan, eg

&nbsp;Nested Loop
&nbsp;&nbsp; Join Filter: (t1.pk1 = t2.fk)
&nbsp;&nbsp; -&gt;&nbsp; Index Scan using t2_pkey on t2
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Index Cond: (pk2 = 42)
&nbsp;&nbsp; -&gt;&nbsp; Seq Scan on t1
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Filter: (label = 'public'::text)

The reason for this is that we implement RLS by turning the reference
to t1 into a sub-SELECT, and the planner's recursive invocation of
subquery_planner produces only a seqscan path for t1, there not being
any reason visible in the subquery for it to do differently.

I have been thinking about improving this by allowing subquery_planner
to generate parameterized paths; but the more I think about that the
less satisfied I am with it.&nbsp; It will be quite expensive and probably
will still fail to find desirable plans in many cases.&nbsp; (I've not given
up on parameterized subquery paths altogether --- I just feel it'd be a
brute-force and not very effective way of dealing with RLS.)

The alternative I'm now thinking about pursuing is to get rid of the
conversion of RLS quals to subqueries.&nbsp; Instead, we can label individual
qual clauses with security precedence markings.&nbsp; Concretely, suppose we
add an "int security_level" field to struct RestrictInfo.&nbsp; The semantics
of this would be that a qual with a lower security_level value must be
evaluated before a qual with a higher security_level value, unless the
latter qual is leakproof.&nbsp; (It would likely also behoove us to add a
"leakproof" bool field to struct RestrictInfo, to avoid duplicate
leakproof-ness checks on quals.&nbsp; But that's just an optimization.)

In the initial implementation, quals coming from a RangeTblEntry's
securityQuals field would have security_level 0, quals coming from
anywhere else would have security_level 1; except that if we know
there are no security quals anywhere (ie not Query-&gt;hasRowSecurity),
we could give all quals security_level 0.&nbsp; (I think this exception
may be worth making because there's no need to test leakproofness
for a qual with security level 0; it could never be a candidate
for security delay anyway.)

Having done that much, I think all we need in order to get rid of
RLS subqueries, and just stick RLS quals into their relation's
baserestrictinfo list, are two rules:

1. When selecting potential indexquals, a RestrictInfo can be considered
for indexqual use only if it is leakproof or has security_level <= the
minimum among the table's baserestrictinfo clauses.

2. In order_qual_clauses, sort first by security_level and second by cost.

This would already be enough of a win to be worth doing.&nbsp; I think though
that this mechanism can be extended to also allow getting rid of the
restriction that security-barrier views can't be flattened.&nbsp; The idea
would be to make sure that quals coming from above the SB view are given
higher security_level values than quals within the SB view.&nbsp; We'd need
some extra mechanism to make that possible --- perhaps an additional kind
of node within jointree nests to show where there had been a
security-barrier boundary, and then some smarts in distribute_qual_to_rels
to prevent pushing upper quals down past a lower qual of strictly lesser
security level.&nbsp; But that can come later.&nbsp; (We do not need such smarts
to fix the RLS problem, because in the initial version, quals with lower
security level than another qual could only exist at the baserel level.)

In short, I'm proposing to throw away the entire existing implementation
for planning of RLS and SB views, and start over.

There are some corner cases I've not entirely worked out, in particular
what security_level to assign to quals generated from EquivalenceClasses.
A safe but not optimal answer would be to assign them the maximum
security_level of any source clause of the EC.&nbsp; Maybe it's not worth
working harder than that, because most equality operators are leakproof
anyway, so that it wouldn't matter what level we assigned them.

Before I start implementing this, can anyone see a fatal flaw in the
design?

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

This patch causes wrong index scan plan with RLS. Maybe function restriction_is_securely_promotable is too strict?

You can reproduce in this way:

create table abc (a integer, b text);
insert into abc select (random()*(10^4))::integer, (random()*(10^4))::text from generate_series(1,100000);

create index on abc(a, lower(b));

ALTER TABLE abc enable ROW LEVEL SECURITY;
ALTER TABLE abc FORCE&nbsp; ROW LEVEL SECURITY;

CREATE POLICY abc_id_iso_ply on abc to CURRENT_USER USING (a = (current_setting('app.a'::text))::int);

# for bypass user, index scan works fine
explain analyse select * from abc where a=1 and lower(b)='1234';
&nbsp; &nbsp; &nbsp;Index Scan using abc_a_lower_idx on abc

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Index Cond: ((a = 1) AND (lower(b) = '1234'::text))

# for RLS user, index scan can only use column a, and filter by lower(b)
set app.a=1;
explain analyse select * from abc where a=1 and lower(b)='1234';
&nbsp; &nbsp; &nbsp;Index Scan using abc_a_lower_idx on abc

&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Index Cond: (a = 1)
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Filter: (lower(b) = '1234'::text)

This only occurs when using non-leak-proof functional index. Everything works fine in following way:
create index on abc(a, b);
explain analyse select * from abc where a=1 and b='1234';

I think crucial function is restriction_is_securely_promotable. Maybe it is too strict to reject normal clause match.
Could you please recheck RLS with functional index?

regards,&nbsp;
Mark Zhao

------------------ Original ------------------
From: "Tom Lane" <tgl@sss.pgh.pa.us&gt;;
Date:&nbsp;Wed, Oct 26, 2016 05:58 AM
To:&nbsp;"pgsql-hackers"<pgsql-hackers@postgreSQL.org&gt;;

Subject:&nbsp;Improving RLS planning

Currently, we don't produce very good plans when row-level security
is enabled.&nbsp; An example is that, given

create table t1 (pk1 int primary key, label text);
create table t2 (pk2 int primary key, fk int references t1);

then for

select * from t1, t2 where pk1 = fk and pk2 = 42;

you would ordinarily get a cheap plan like

&nbsp;Nested Loop
&nbsp;&nbsp; -&gt;&nbsp; Index Scan using t2_pkey on t2
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; Index Cond: (pk2 = 42)
&nbsp;&nbsp; -&gt;&nbsp; Index Scan using t1_pkey on t1
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; Index Cond: (pk1 = t2.fk)

But stick an RLS policy on t1, and that degrades to a seqscan, eg

&nbsp;Nested Loop
&nbsp;&nbsp; Join Filter: (t1.pk1 = t2.fk)
&nbsp;&nbsp; -&gt;&nbsp; Index Scan using t2_pkey on t2
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; Index Cond: (pk2 = 42)
&nbsp;&nbsp; -&gt;&nbsp; Seq Scan on t1
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp; Filter: (label = 'public'::text)

The reason for this is that we implement RLS by turning the reference
to t1 into a sub-SELECT, and the planner's recursive invocation of
subquery_planner produces only a seqscan path for t1, there not being
any reason visible in the subquery for it to do differently.

I have been thinking about improving this by allowing subquery_planner
to generate parameterized paths; but the more I think about that the
less satisfied I am with it.&nbsp; It will be quite expensive and probably
will still fail to find desirable plans in many cases.&nbsp; (I've not given
up on parameterized subquery paths altogether --- I just feel it'd be a
brute-force and not very effective way of dealing with RLS.)

The alternative I'm now thinking about pursuing is to get rid of the
conversion of RLS quals to subqueries.&nbsp; Instead, we can label individual
qual clauses with security precedence markings.&nbsp; Concretely, suppose we
add an "int security_level" field to struct RestrictInfo.&nbsp; The semantics
of this would be that a qual with a lower security_level value must be
evaluated before a qual with a higher security_level value, unless the
latter qual is leakproof.&nbsp; (It would likely also behoove us to add a
"leakproof" bool field to struct RestrictInfo, to avoid duplicate
leakproof-ness checks on quals.&nbsp; But that's just an optimization.)

In the initial implementation, quals coming from a RangeTblEntry's
securityQuals field would have security_level 0, quals coming from
anywhere else would have security_level 1; except that if we know
there are no security quals anywhere (ie not Query-&gt;hasRowSecurity),
we could give all quals security_level 0.&nbsp; (I think this exception
may be worth making because there's no need to test leakproofness
for a qual with security level 0; it could never be a candidate
for security delay anyway.)

Having done that much, I think all we need in order to get rid of
RLS subqueries, and just stick RLS quals into their relation's
baserestrictinfo list, are two rules:

1. When selecting potential indexquals, a RestrictInfo can be considered
for indexqual use only if it is leakproof or has security_level <= the
minimum among the table's baserestrictinfo clauses.

2. In order_qual_clauses, sort first by security_level and second by cost.

This would already be enough of a win to be worth doing.&nbsp; I think though
that this mechanism can be extended to also allow getting rid of the
restriction that security-barrier views can't be flattened.&nbsp; The idea
would be to make sure that quals coming from above the SB view are given
higher security_level values than quals within the SB view.&nbsp; We'd need
some extra mechanism to make that possible --- perhaps an additional kind
of node within jointree nests to show where there had been a
security-barrier boundary, and then some smarts in distribute_qual_to_rels
to prevent pushing upper quals down past a lower qual of strictly lesser
security level.&nbsp; But that can come later.&nbsp; (We do not need such smarts
to fix the RLS problem, because in the initial version, quals with lower
security level than another qual could only exist at the baserel level.)

In short, I'm proposing to throw away the entire existing implementation
for planning of RLS and SB views, and start over.

There are some corner cases I've not entirely worked out, in particular
what security_level to assign to quals generated from EquivalenceClasses.
A safe but not optimal answer would be to assign them the maximum
security_level of any source clause of the EC.&nbsp; Maybe it's not worth
working harder than that, because most equality operators are leakproof
anyway, so that it wouldn't matter what level we assigned them.

Before I start implementing this, can anyone see a fatal flaw in the
design?

regards, tom lane

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers