|
- <?xml version="1.0" encoding="UTF-8" standalone="no"?>
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>70.3. Planner Statistics and Security</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="multivariate-statistics-examples.html" title="70.2. Multivariate Statistics Examples" /><link rel="next" href="appendixes.html" title="Part VIII. Appendixes" /></head><body><div class="sect1" id="PLANNER-STATS-SECURITY"><div class="titlepage"><div><div><h2 class="title" style="clear: both">70.3. Planner Statistics and Security</h2></div></div></div><p>
- Access to the table <code class="structname">pg_statistic</code> is restricted to
- superusers, so that ordinary users cannot learn about the contents of the
- tables of other users from it. Some selectivity estimation functions will
- use a user-provided operator (either the operator appearing in the query or
- a related operator) to analyze the stored statistics. For example, in order
- to determine whether a stored most common value is applicable, the
- selectivity estimator will have to run the appropriate <code class="literal">=</code>
- operator to compare the constant in the query to the stored value.
- Thus the data in <code class="structname">pg_statistic</code> is potentially
- passed to user-defined operators. An appropriately crafted operator can
- intentionally leak the passed operands (for example, by logging them
- or writing them to a different table), or accidentally leak them by showing
- their values in error messages, in either case possibly exposing data from
- <code class="structname">pg_statistic</code> to a user who should not be able to
- see it.
- </p><p>
- In order to prevent this, the following applies to all built-in selectivity
- estimation functions. When planning a query, in order to be able to use
- stored statistics, the current user must either
- have <code class="literal">SELECT</code> privilege on the table or the involved
- columns, or the operator used must be <code class="literal">LEAKPROOF</code> (more
- accurately, the function that the operator is based on). If not, then the
- selectivity estimator will behave as if no statistics are available, and
- the planner will proceed with default or fall-back assumptions.
- </p><p>
- If a user does not have the required privilege on the table or columns,
- then in many cases the query will ultimately receive a permission-denied
- error, in which case this mechanism is invisible in practice. But if the
- user is reading from a security-barrier view, then the planner might wish
- to check the statistics of an underlying table that is otherwise
- inaccessible to the user. In that case, the operator should be leak-proof
- or the statistics will not be used. There is no direct feedback about
- that, except that the plan might be suboptimal. If one suspects that this
- is the case, one could try running the query as a more privileged user,
- to see if a different plan results.
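
The checks described above, collected as an added diagnostic that is not part of the PostgreSQL documentation. The names app.orders, app.orders_v and customer_id, the integer operand type and the constant 42 are placeholders chosen for illustration; run steps 1 to 3 as the role whose plans look suboptimal.

```sql
-- Added example: placeholder object names, not taken from the page.

-- 1. Does the current role hold SELECT on the underlying table or column?
--    If either is true, stored statistics may be used with any operator.
SELECT has_table_privilege('app.orders', 'SELECT')                  AS table_select,
       has_column_privilege('app.orders', 'customer_id', 'SELECT')  AS column_select;

-- 2. Is the object being queried a security-barrier view?
--    Look for a security_barrier entry in reloptions.
SELECT c.oid::regclass AS view_name, c.reloptions
FROM pg_class c
WHERE c.oid = 'app.orders_v'::regclass;

-- 3. Which function backs the operator in the WHERE clause, and is that
--    function marked LEAKPROOF? (The flag lives on the function, not the operator.)
SELECT o.oid::regoperator AS operator,
       o.oprcode          AS backing_function,
       p.proleakproof     AS leakproof,
       o.oprrest          AS restriction_estimator
FROM pg_operator o
JOIN pg_proc p ON p.oid = o.oprcode
WHERE o.oprname  = '='
  AND o.oprleft  = 'integer'::regtype
  AND o.oprright = 'integer'::regtype;

-- 4. Inventory: operators outside pg_catalog that have a restriction
--    estimator but a non-leakproof function. For a role without SELECT on
--    the table, quals using these are planned as if no statistics existed.
SELECT n.nspname          AS schema_name,
       o.oid::regoperator AS operator,
       o.oprcode          AS backing_function,
       o.oprrest          AS restriction_estimator
FROM pg_operator o
JOIN pg_proc p      ON p.oid = o.oprcode
JOIN pg_namespace n ON n.oid = o.oprnamespace
WHERE NOT p.proleakproof
  AND o.oprrest::oid != 0
  AND n.nspname != 'pg_catalog'
ORDER BY 1, 2;

-- 5. Capture the plan as the affected role, then repeat as a more
--    privileged role and compare the plan shape and row estimates.
EXPLAIN SELECT * FROM app.orders_v WHERE customer_id = 42;
```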
- </p><p>
- This restriction applies only to cases where the planner would need to
- execute a user-defined operator on one or more values
- from <code class="structname">pg_statistic</code>. Thus the planner is permitted
- to use generic statistical information, such as the fraction of null values
- or the number of distinct values in a column, regardless of access
- privileges.
- </p><p>
- Selectivity estimation functions contained in third-party extensions that
- potentially operate on statistics with user-defined operators should follow
- the same security rules. Consult the PostgreSQL source code for guidance.
- </p></div></body></html>
|