| From: | "Brightwell, Adam" <adam(dot)brightwell(at)crunchydatasolutions(dot)com> |
|---|---|
| To: | Thom Brown <thom(at)linux(dot)com> |
| Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Robert Haas <robertmhaas(at)gmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Dean Rasheed <dean(dot)a(dot)rasheed(at)gmail(dot)com>, Craig Ringer <craig(at)2ndquadrant(dot)com>, Yeb Havinga <yeb(dot)havinga(at)portavita(dot)nl> |
| Subject: | Re: RLS Design |
| Date: | 2014-09-19 22:03:38 |
| Message-ID: | CAKRt6CS59aJngQ1sCZmwNgt5kKt+Ddo-O4V7LfNSonCUjnsrYQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Thom,
Also, I seem to get an error message with the following:
>
> # create policy nice_colours ON colours for all to joe using (visible =
> true) with check (name in ('blue','green','yellow'));
> CREATE POLICY
>
> \c - joe
>
> > insert into colours (name, visible) values ('blue',false);
> ERROR: function with OID 0 does not exist
>
> And if this did work, but I only violated the USING clause, would this
> still say the WITH CHECK clause was the cause?
>
Since RLS is built on top of the same mechanisms used for Security Barrier
Views, I figured I would check this case against that and, for the heck of
it, regular VIEWs as well. The result is the same error in both cases
(below and attached). I also verified that this issue exists for 9.4beta2
and the current REL9_4_STABLE branch. If this isn't the expected behavior
(I can't imagine that it is), I am certainly willing to dive into it
further and see what I can determine for a solution/recommendation. At any
rate, this appears to be a previously existing issue with WITH CHECK
OPTION. Thoughts?
postgres=# DROP TABLE IF EXISTS colors CASCADE;
NOTICE: table "colors" does not exist, skipping
DROP TABLE
postgres=# DROP ROLE IF EXISTS joe;
DROP ROLE
postgres=# CREATE ROLE joe LOGIN;
CREATE ROLE
postgres=# CREATE TABLE colors (name text, visible bool);
CREATE TABLE
postgres=# CREATE OR REPLACE VIEW v_colors_1 WITH (security_barrier) AS
postgres-# SELECT * FROM colors WHERE (name in ('blue', 'green',
'yellow'))
postgres-# WITH CHECK OPTION;
CREATE VIEW
postgres=# CREATE OR REPLACE VIEW v_colors_2 AS
postgres-# SELECT * FROM colors WHERE (name in ('blue', 'green',
'yellow'))
postgres-# WITH CHECK OPTION;
CREATE VIEW
postgres=# GRANT ALL ON v_colors_1, v_colors_2 TO joe;
GRANT
postgres=# \c - joe
You are now connected to database "postgres" as user "joe".
postgres=> INSERT INTO v_colors_1 (name, visible) VALUES ('blue', false);
ERROR: function with OID 0 does not exist
postgres=> INSERT INTO v_colors_2 (name, visible) VALUES ('blue', false);
ERROR: function with OID 0 does not exist
Thanks,
Adam
--
Adam Brightwell - adam(dot)brightwell(at)crunchydatasolutions(dot)com
Database Engineer - www.crunchydatasolutions.com
| Attachment | Content-Type | Size |
|---|---|---|
| with_check_error.sql | application/sql | 599 bytes |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2014-09-19 22:34:08 | Re: pg_xlogdump --stats |
| Previous Message | Peter Geoghegan | 2014-09-19 21:54:02 | Re: B-Tree support function number 3 (strxfrm() optimization) |