Policy function not working (IN parameter not passed)

From: "Rainer Floegel (Suva)" <rainer(dot)floegel(at)suva(dot)ch>
To: "'pgsql-admin(at)lists(dot)postgresql(dot)org'" <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: Policy function not working (IN parameter not passed)
Date: 2020-05-29 08:47:00
Message-ID: 7ed1216700e24d76aebe2ff59089e775@suva.ch
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-admin

Hello alltogether,

I'm pretty much a newbie to Postgresql having spent the last 20 years
almost exclusively with Oracle. When trying to set up row level policy
in Postgres, got stuck with the issue mentioned at the end of this post.

The testcase provided is reduced as much as possible in order not to
distract from the issue.

Tests were performed in PG 12.2 and 12.3.
The test PG Cluster version 12.3 was installed from scratch.
Yet, same outcome as in 12.2

-- as postgres

create database db1;

create user db1_owner password 'db1_owner';

alter database db1 owner to db1_owner;

grant all privileges on database db1 to db1_owner;

-- as db1_owner in db1

create schema policy_test;

-- drop table policy_test.partners;

create table policy_test.partners(business_partner text);

insert into policy_test.partners ( business_partner) values ('125210000');
insert into policy_test.partners ( business_partner) values ('125210001');

-- alter table policy_test.partners disable row level security;
alter table policy_test.partners enable row level security;

-- drop function policy_test.get_partners(text);
create or replace function policy_test.get_partners(text)
returns boolean as
$$
declare

is_true boolean := FALSE;
the_count integer := 0;

begin

select count(*)
into the_count
from policy_test.partners a
where a.business_partner = '125210000'
and a.business_partner = $1;

if the_count = 1 then
is_true := TRUE;
end if;

return is_true;

end;
$$ language plpgsql;

-- drop policy test_partner_policy on policy_test.partners;
create policy test_partner_policy on policy_test.partners
using (policy_test.get_partners(business_partner));

-- as postgres create pol_ex user;

create user pol_ex password 'pol_ex';

-- as db1_owner in db1
grant usage on schema policy_test to pol_ex;
grant select on policy_test.partners to pol_ex;

psql -U pol_ex -d db1
-- connect as pol_ex (ex here stands for "external" user)
select * from policy_test.partners;

Above select throws numerous lines shown underneath; sometimes in between the echoed SQL
error message max_stack_depth exceeded occurs. Beyond that no other error messages appear.

Whatever I tried the function does not accept / resolve the business_partner argument.
Is there a special way of indicating that this argument should be the tables' current row attribute?
Many examples on the Internet just pass the argument the way I tried.

Tried with prefixing scheme / table name to the argument, explict argument name instead of $ notation,
returning table of business_partners instead of boolean and so on, no avail.
Granting execute on the policy function to pol_ex did not help either.

I suspect a very basic issue due to my inexperience with Postgres.
If anyone of the seasoned Postgres Admins quickly can see what I did wrong, I'd be grateful for
a hint.

Thank you very much

Rainer Floegel

-- "Output" when running select * from policy_test.partners; (as pol_ex user)

SQL statement "select count(*)
from policy_test.partners a
where a.business_partner = '125210000'
and a.business_partner = $1"
PL/pgSQL function policy_test.get_partners(text) line 9 at SQL statement
SQL statement "select count(*)
from policy_test.partners a
where a.business_partner = '125210000'
and a.business_partner = $1"
PL/pgSQL function policy_test.get_partners(text) line 9 at SQL statement

and so on

[HTML tutorial]<https://www.suva.ch/de-ch/die-suva/news-und-medien/news/covid-19-informationen-fuer-unsere-kunden>

Coronavirus

Informationen f?r unsere Kunden
Informations actuelles destin?es ? nos clients
Informazioni aggiornate per i nostri clienti

www.suva.ch/covid-19<https://www.suva.ch/de-ch/die-suva/news-und-medien/news/covid-19-informationen-fuer-unsere-kunden>

________________________________

Disclaimer:

Diese Nachricht und ihr eventuell angeh?ngte Dateien sind nur f?r den Adressaten bestimmt. Sie kann vertrauliche oder gesetzlich gesch?tzte Daten oder Informationen beinhalten. Falls Sie diese Nachricht irrt?mlich erreicht hat, bitten wir Sie h?flich, diese unter Ausschluss jeglicher Reproduktion zu l?schen und die absendende Person zu benachrichtigen. Danke f?r Ihre Hilfe.

This message and any attached files are for the sole use of the recipient named above. It may contain confidential or legally protected data or information. If you have received this message in error, please delete it without making any copies whatsoever and notify the sender. Thank you for your assistance.

Responses

Browse pgsql-admin by date

  From Date Subject
Next Message Laurenz Albe 2020-05-29 16:06:34 Re: Policy function not working (IN parameter not passed)
Previous Message Stéphane KANSCHINE 2020-05-28 09:11:11 Re: Suggestion to Monitoring Tool