Re: RLS with check option - surprised design

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Pavel Stehule <pavel(dot)stehule(at)gmail(dot)com>
Cc: PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: RLS with check option - surprised design
Date: 2014-10-05 12:16:01
Message-ID: 20141005121600.GC28859@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

* Pavel Stehule (pavel(dot)stehule(at)gmail(dot)com) wrote:
> I am playing with RLS. I created simple table
>
> table_data (inserted_by text, v integer);
>
> I created two policies
>
> create policy p1 on data with check (inserted_by = session_user);
> create policy p2 on data with check (v between 10 and 1000);
>
> I was surprised so p2 effectively disables p1;

It doesn't disable it at all- both are applied using OR, as documented
and discussed extensively earlier this year..

I'm not against revisiting that and there has been suggestions about
providing a 'RESTRICTED' policy type which AND's them together, but I
hope it isn't surprising to anyone who has looked at the documentation..
You might also have a policy which applies to all roles and then a more
permissive policy for an 'admin' type of user- look at the "Unix passwd"
example outlined in the documentation.

> next a message:
>
> ERROR: new row violates WITH CHECK OPTION for "data"
> DETAIL: Failing row contains (2014-10-05 12:28:30.79652, petr, 1000).
>
> Doesn't inform about broken policy.

I'm guessing this is referring to the above policies and so my comments
there apply.. One thing to note about this is that there is an active
discussion about removing the 'DETAIL' part of that error message as it
may be an information leak.

Thanks,

Stephen

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Marti Raudsepp 2014-10-05 12:52:19 Re: CREATE IF NOT EXISTS INDEX
Previous Message Ali Akbar 2014-10-05 10:50:49 Re: Add generate_series(numeric, numeric)