| From: | Simon Charette <charette(dot)s(at)gmail(dot)com> |
|---|---|
| To: | Joe Conway <mail(at)joeconway(dot)com> |
| Cc: | Charles Clavadetscher <clavadetscher(at)swisspug(dot)org>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Recursive row level security policy |
| Date: | 2016-12-17 18:25:06 |
| Message-ID: | CALgFm5iAbWoJ=tfdvm3g4bu09knGBrgQR6UAAfiH8Cn6Upa=NQ@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Ahh makes sense, thanks for the explanation!
I was assuming USING() clauses were executed in the context of the
owner of the policy, by passing RLS.
2016-12-17 13:18 GMT-05:00 Joe Conway <mail(at)joeconway(dot)com>:
> On 12/17/2016 01:01 PM, Simon Charette wrote:
>> Thanks a lot Joe, that seems to work!
>
> Good to hear.
>
>> I suppose this works because PostgreSQL cannot introspect the
>> get_owner_id procedure to detect it's querying the "accounts" table
>> and thus doesn't warn about possible infinite recursion?
>
> Not exactly. RLS does not get applied to the superuser, and the
> get_owner_id procedure was 1) SECURITY DEFINER, and 2) created/owned by
> postgres. Thus the procedure executes without invoking the RLS policy
> and avoids the infinite recursion.
>
> Joe
>
> --
> Crunchy Data - http://crunchydata.com
> PostgreSQL Support for Secure Enterprises
> Consulting, Training, & Open Source Development
>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Stephen Frost | 2016-12-17 19:04:27 | Re: Recursive row level security policy |
| Previous Message | Joe Conway | 2016-12-17 18:18:38 | Re: Recursive row level security policy |