Home > mailing lists

Re: [GENERAL] Recursive row level security policy - Mailing list pgsql-general

From	Stephen Frost
Subject	Re: [GENERAL] Recursive row level security policy
Date	December 18, 2016 01:04:27
Msg-id	20161217190427.GQ18360@tamriel.snowman.net Whole thread Raw
In response to	Re: [GENERAL] Recursive row level security policy (Simon Charette <charette.s@gmail.com>)
List	pgsql-general

Tree view

Simon,

* Simon Charette (charette.s@gmail.com) wrote:
> Ahh makes sense, thanks for the explanation!
>
> I was assuming USING() clauses were executed in the context of the
> owner of the policy, by passing RLS.

No, as with views, a USING() clause is executed as the caller not the
owner of the relation.  Security Definer functions can be used to
execute actions in the policy as another user.

Note that RLS won't be applied for the table owner either (unless the
relation has 'FORCE RLS' enabled for it), so you don't have to have
functions which are run as superuser to use the approach Joe
recommended.

Thanks!

Stephen

Attachment

signature.asc

pgsql-general by date:

From: Simon Charette
Date: 18 December 2016, 00:25:06
Subject: Re: [GENERAL] Recursive row level security policy

From: Joe Conway
Date: 18 December 2016, 01:23:26
Subject: Re: [GENERAL] Recursive row level security policy

Re: [GENERAL] Recursive row level security policy - Mailing list pgsql-general

Attachment

Previous

Next