From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | FORCE ROW LEVEL SECURITY |
Date: | 2015-11-04 18:43:56 |
Message-ID: | CA+TgmoYHjkh6b4qYOh8=QwpATumK26OTKdD+Ci=A=5iy2LrJRQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
FORCE ROW LEVEL SECURITY doesn't behave as I would expect.
rhaas=# create policy hideit on foo1 using (a < 3);
CREATE POLICY
rhaas=# explain select * from foo1;
QUERY PLAN
---------------------------------------------------------
Seq Scan on foo1 (cost=0.00..22.70 rows=1270 width=36)
(1 row)
rhaas=# alter table foo force row level security;
ALTER TABLE
rhaas=# alter table foo1 enable row level security;
ALTER TABLE
rhaas=# explain select * from foo1;
QUERY PLAN
---------------------------------------------------------
Seq Scan on foo1 (cost=0.00..22.70 rows=1270 width=36)
(1 row)
rhaas=# create user bob;
CREATE ROLE
rhaas=# grant select on foo1 to bob;
GRANT
rhaas=# \c - bob
You are now connected to database "rhaas" as user "bob".
rhaas=> select * from foo1;
a | b
---+---
(0 rows)
rhaas=> explain select * from foo1;
QUERY PLAN
--------------------------------------------------------
Seq Scan on foo1 (cost=0.00..25.88 rows=423 width=36)
Filter: (a < 3)
(2 rows)
Isn't the whole purpose of FORCE ROW LEVEL SECURITY to cause RLS to be
applied even for the table owner?
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Stephen Frost | 2015-11-04 18:47:25 | Re: FORCE ROW LEVEL SECURITY |
Previous Message | Alvaro Herrera | 2015-11-04 18:29:18 | Re: patch for geqo tweaks |