Re: BUG #14682: row level security not work with partitioned table

From: Amit Langote <Langote_Amit_f8(at)lab(dot)ntt(dot)co(dot)jp>
To: Mike Palmiotto <mike(dot)palmiotto(at)crunchydata(dot)com>, fte(at)nct(dot)ru
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #14682: row level security not work with partitioned table
Date: 2017-06-02 02:18:30
Message-ID: 76ded23f-d8e0-3212-86fa-3c9783a2c55e@lab.ntt.co.jp
Lists: pgsql-bugs pgsql-hackers

On 2017/06/02 3:13, Mike Palmiotto wrote:
> On Thu, Jun 1, 2017 at 2:59 AM, <fte(at)nct(dot)ru> wrote:
>> The following bug has been logged on the website:
>>
>> Bug reference: 14682
>> Logged by: Fakhroutdinov Evgenievich
>> Email address: fte(at)nct(dot)ru
>> PostgreSQL version: 10beta1
>> Operating system: macOS Sierra 10.12.5
>> Description:
>>
>> create table test (
>> id bigserial not null,
>> tm timestamp not null,
>> user_name text not null,
>> rem text
>> ) partition by range (tm);
>>
>> create table test_1q (like test including all);
>> create table test_2q (like test including all);
>>
>> alter table test attach partition test_1q for values from ('2017-01-01') to
>> ('2017-04-01');
>> alter table test attach partition test_2q for values from ('2017-04-01') to
>> ('2017-07-01');
>>
>> CREATE ROLE bob; -- Normal user
>> CREATE ROLE alice; -- Normal user
>>
>> insert into test(tm,user_name,rem)
>> values
>> ('2017-01-09 22:15:15','bob','bla-bla'),
>> ('2017-02-09 22:15:15','alice','bla-bla'),
>> ('2017-03-09 22:15:15','bob','bla-bla'),
>> ('2017-04-09 22:15:15','alice','bla-bla'),
>> ('2017-05-09 22:15:15','bob','bla-bla'),
>> ('2017-06-09 22:15:15','alice','bla-bla');
>>
>> ALTER TABLE test ENABLE ROW LEVEL SECURITY;
>> ALTER TABLE test_1q ENABLE ROW LEVEL SECURITY;
>> ALTER TABLE test_2q ENABLE ROW LEVEL SECURITY;
>>
>> CREATE POLICY view_test ON test FOR SELECT USING (current_user =
>> user_name);
>> CREATE POLICY view_test_1q ON test_1q FOR SELECT USING (current_user =
>> user_name);
>> CREATE POLICY view_test_2q ON test_2q FOR SELECT USING (current_user =
>> user_name);
>>
>> GRANT SELECT ON test TO public;
>> GRANT SELECT ON test_1q TO public;
>> GRANT SELECT ON test_2q TO public;
>>
>> set role to bob;
>> select * from test;
>> id | tm | user_name | rem
>> ----+---------------------+-----------+---------
>> 1 | 2017-01-09 22:15:15 | bob | bla-bla
>> 2 | 2017-02-09 22:15:15 | alice | bla-bla
>> 3 | 2017-03-09 22:15:15 | bob | bla-bla
>> 4 | 2017-04-09 22:15:15 | alice | bla-bla
>> 5 | 2017-05-09 22:15:15 | bob | bla-bla
>> 6 | 2017-06-09 22:15:15 | alice | bla-bla
>> (6 rows)
>>
>> select * from test_1q;
>> id | tm | user_name | rem
>> ----+---------------------+-----------+---------
>> 1 | 2017-01-09 22:15:15 | bob | bla-bla
>> 3 | 2017-03-09 22:15:15 | bob | bla-bla
>> (2 rows)
>>
>> select * from test_2q;
>> id | tm | user_name | rem
>> ----+---------------------+-----------+---------
>> 5 | 2017-05-09 22:15:15 | bob | bla-bla
>> (1 row)
>
> This is indeed a bug. fireRIRrules is currently skipping the RLS
> policy check when relkind == PARTITIONED_TABLES, so RLS policies are
> not applied. The attached patch fixes the behavior.

Thanks Mike for creating the patch. Agree with Michael that a test would
be nice.

Thanks,
Amit
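
The quoted diagnosis and the request for a test both come down to one check: a SELECT through the partitioned parent, run as a non-owner role, must return only the rows the policy allows. The script below is an added example, not part of this thread or of the attached patch. It reuses the report's table and role names with constructed rows, drops the `id` column, puts the policy on the parent only, and assumes a superuser session on a scratch cluster where role `bob` does not already exist.

```sql
-- Added regression-style check (not from the thread or the patch).
-- Everything runs inside one transaction and is rolled back at the end.
BEGIN;

CREATE ROLE bob;  -- normal user, as in the report

CREATE TABLE test (
    tm        timestamp NOT NULL,
    user_name text      NOT NULL,
    rem       text
) PARTITION BY RANGE (tm);

CREATE TABLE test_1q PARTITION OF test
    FOR VALUES FROM ('2017-01-01') TO ('2017-04-01');
CREATE TABLE test_2q PARTITION OF test
    FOR VALUES FROM ('2017-04-01') TO ('2017-07-01');

-- Constructed sample rows: two per partition, one per user.
INSERT INTO test (tm, user_name, rem) VALUES
    ('2017-01-09 22:15:15', 'bob',   'bla-bla'),
    ('2017-02-09 22:15:15', 'alice', 'bla-bla'),
    ('2017-05-09 22:15:15', 'bob',   'bla-bla'),
    ('2017-06-09 22:15:15', 'alice', 'bla-bla');

ALTER TABLE test ENABLE ROW LEVEL SECURITY;
CREATE POLICY view_test ON test FOR SELECT USING (current_user = user_name);
GRANT SELECT ON test TO public;

SET ROLE bob;  -- non-owner, non-superuser: RLS must apply

-- Query through the partitioned parent and fail loudly on any foreign row.
DO $$
DECLARE
    visible bigint;
    leaked  bigint;
BEGIN
    SELECT count(*), count(*) FILTER (WHERE user_name <> current_user)
      INTO visible, leaked
      FROM test;
    IF leaked > 0 OR visible <> 2 THEN
        RAISE EXCEPTION 'RLS not enforced on partitioned table: % visible, % leaked',
            visible, leaked;
    END IF;
    RAISE NOTICE 'RLS enforced on partitioned parent: % rows visible', visible;
END
$$;

RESET ROLE;
ROLLBACK;
```

If the DO block raises, the transaction is aborted and `RESET ROLE` will error; the final `ROLLBACK` still restores the session role and removes the test objects.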
