From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Cc: | 875941708(at)qq(dot)com |
Subject: | BUG #17549: wrong index scan plan with RLS |
Date: | 2022-07-13 11:45:54 |
Message-ID: | 17549-5114159516d34c2d@postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 17549
Logged by: Zhao Rui
Email address: 875941708(at)qq(dot)com
PostgreSQL version: 14.4
Operating system: All
Description:
You can reproduce in this way:
create table abc (a integer, b text);
insert into abc select (random()*(10^4))::integer, (random()*(10^4))::text
from generate_series(1,100000);
create index on abc(a, lower(b));
ALTER TABLE abc enable ROW LEVEL SECURITY;
ALTER TABLE abc FORCE ROW LEVEL SECURITY;
CREATE POLICY abc_id_iso_ply on abc to CURRENT_USER USING (a =
(current_setting('app.a'::text))::int);
# for bypass user, index scan works fine
explain analyse select * from abc where a=1 and lower(b)='1234';
Index Scan using abc_a_lower_idx on abc
Index Cond: ((a = 1) AND (lower(b) = '1234'::text))
# for RLS user, index scan can only use column a, and filter by lower(b)
set app.a=1;
explain analyse select * from abc where a=1 and lower(b)='1234';
Index Scan using abc_a_lower_idx on abc
Index Cond: (a = 1)
Filter: (lower(b) = '1234'::text)
This only occurs when using non-leak-proof functional index. Everything
works fine in following way:
create index on abc(a, b);
explain analyse select * from abc where a=1 and b='1234';
I think crucial function is restriction_is_securely_promotable. Maybe it is
too strict to reject normal clause match.
Could you please recheck RLS with functional index?
From | Date | Subject | |
---|---|---|---|
Next Message | David G. Johnston | 2022-07-13 12:28:52 | Re: pg_ctl cannot find postgresql.conf |
Previous Message | Дмитрий Карасёв | 2022-07-13 09:45:01 | pg_ctl cannot find postgresql.conf |