From: | Joe Conway <mail(at)joeconway(dot)com> |
---|---|
To: | Simon Charette <charette(dot)s(at)gmail(dot)com> |
Cc: | Charles Clavadetscher <clavadetscher(at)swisspug(dot)org>, pgsql-general(at)postgresql(dot)org |
Subject: | Re: Recursive row level security policy |
Date: | 2016-12-17 18:18:38 |
Message-ID: | 0799a5d4-1086-242b-9ae1-cedaa8f053f3@joeconway.com |
Lists: | pgsql-general |
On 12/17/2016 01:01 PM, Simon Charette wrote:
> Thanks a lot Joe, that seems to work!

Good to hear.

> I suppose this works because PostgreSQL cannot introspect the
> get_owner_id procedure to detect it's querying the "accounts" table
> and thus doesn't warn about possible infinite recursion?

Not exactly. RLS does not get applied to the superuser, and the
get_owner_id procedure was 1) SECURITY DEFINER, and 2) created/owned by
postgres. Thus the procedure executes without invoking the RLS policy
and avoids the infinite recursion.

Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
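
The mechanism described in the message above, as an added example that is not part of the original message or thread: a self-referencing policy next to the SECURITY DEFINER form that avoids the recursion. Only the "accounts" table and the get_owner_id name come from the thread; the columns, policy names, function body and the app_users role are assumptions.

```sql
-- Added example (not from the thread). Run as the postgres superuser.
-- Assumed schema: each account row may point at an owning account.
CREATE ROLE app_users;                      -- hypothetical group role
CREATE TABLE accounts (
    id       integer PRIMARY KEY,
    login    text NOT NULL UNIQUE,          -- assumed to match the login role name
    owner_id integer REFERENCES accounts (id)
);
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON accounts TO app_users;

-- Before: the policy's subquery reads accounts, so evaluating the policy
-- applies the policy again. Queries by roles subject to RLS fail with an
-- infinite-recursion error.
CREATE POLICY owned_rows_recursive ON accounts FOR SELECT
    USING (owner_id = (SELECT a.id FROM accounts a
                       WHERE a.login = current_user));
DROP POLICY owned_rows_recursive ON accounts;

-- After: move the lookup into a SECURITY DEFINER function owned by a
-- superuser. The body runs as postgres, to which RLS is not applied, so
-- the inner read of accounts does not re-enter the policy.
CREATE FUNCTION get_owner_id() RETURNS integer
    LANGUAGE sql STABLE SECURITY DEFINER
    SET search_path = pg_catalog, pg_temp   -- pin name lookup for definer code
AS $$
    -- Inside the function current_user is the function owner;
    -- session_user is still the role that logged in.
    SELECT a.id FROM public.accounts a WHERE a.login = session_user
$$;

-- The function bypasses RLS for every caller, so it returns only the
-- caller's own id and EXECUTE is granted explicitly rather than to PUBLIC.
REVOKE EXECUTE ON FUNCTION get_owner_id() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION get_owner_id() TO app_users;

CREATE POLICY owned_rows ON accounts FOR SELECT
    USING (id = get_owner_id() OR owner_id = get_owner_id());
```

Because the lookup keys on session_user, verify the policy by connecting as a member of app_users rather than with SET ROLE from a superuser session.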