Re: FORCE ROW LEVEL SECURITY

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: FORCE ROW LEVEL SECURITY
Date: 2015-11-04 19:39:34
Message-ID: 20151104193934.GJ3685@tamriel.snowman.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Robert,

* Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> On Wed, Nov 4, 2015 at 1:48 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > * Robert Haas (robertmhaas(at)gmail(dot)com) wrote:
> >> FORCE ROW LEVEL SECURITY doesn't behave as I would expect.
> >>
> >> rhaas=# create policy hideit on foo1 using (a < 3);
> >> CREATE POLICY
> >> rhaas=# explain select * from foo1;
> >> QUERY PLAN
> >> ---------------------------------------------------------
> >> Seq Scan on foo1 (cost=0.00..22.70 rows=1270 width=36)
> >> (1 row)
> >> rhaas=# alter table foo force row level security;
> >> ALTER TABLE
> >> rhaas=# alter table foo1 enable row level security;
> >> ALTER TABLE
> >
> > Sorry if my prior wasn't clear, but above you do 'foo' and 'foo1'
> > independently.
> >
> > Did you intend to alter table 'foo'?
>
> Hmm. I've clearly done both, but it still doesn't work:
>
> rhaas=# alter table foo1 enable row level security;
> ALTER TABLE
> rhaas=# alter table foo1 force row level security;
> ALTER TABLE
> rhaas=# \d foo1
> Table "public.foo1"
> Column | Type | Modifiers
> --------+---------+-----------
> a | integer | not null
> b | text |
> Policies (Forced Row Security Enabled):
> POLICY "hideit" FOR ALL
> USING ((a < 3))
> Inherits: foo
>
> rhaas=# explain select * from foo1;
> QUERY PLAN
> ---------------------------------------------------------
> Seq Scan on foo1 (cost=0.00..22.70 rows=1270 width=36)
> (1 row)

In this case, you ran it as superuser which automatically has the
'BYPASSRLS' privilege, which means that RLS is bypassed always.

The change to how BYPASSRLS works was discussed with and ultimately
implemented by Noah, as I recall.

Thanks!

Stephen

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Pavel Stehule 2015-11-04 20:09:36 Re: Request: pg_cancel_backend variant that handles 'idle in transaction' sessions
Previous Message Merlin Moncure 2015-11-04 19:35:06 Re: Request: pg_cancel_backend variant that handles 'idle in transaction' sessions