PostgREST
Support per-table db-max-rows configuration via in-database settings
Problem
Limiting all database tables to a single max-rows value is quite restrictive. In practice, some tables are sensitive and should be queried in small quantities, while others can safely support larger result sets.
Solution
Allow db-max-rows to be configured per table, ideally via an in-database configuration mechanism.
There are several shortcomings with db-max-rows:
- https://github.com/PostgREST/postgrest/issues/3576
- https://github.com/PostgREST/postgrest/issues/3651
- Clients don't know if it was applied https://github.com/PostgREST/postgrest/issues/2776
I've been thinking that db-max-rows really is part of a quota system. So taking https://github.com/PostgREST/postgrest/issues/4085 approach in mind, perhaps we can have a JWT like:
{
"sub": "...",
"iat": 1516239022
"quota": {
"max-rows": 1000
}
}
This is global too, but in theory we could add table keys there (not sure if a good idea since JWT size could increase too much).
Advantages:
- max rows is still enforced
- max rows can be applied per application user, not just per role
- clients know they are being limited (the JWT can be decoded)
- we don't need to have a complicated setting inside the db or in postgREST config
Disadvantages:
- JWT size could increase too much, if we do support a per-table max rows.
