Home > mailing lists

FORCE ROW LEVEL SECURITY - Mailing list pgsql-hackers

From	Robert Haas
Subject	FORCE ROW LEVEL SECURITY
Date	November 4, 2015 21:44:06
Msg-id	CA+TgmoYHjkh6b4qYOh8=QwpATumK26OTKdD+Ci=A=5iy2LrJRQ@mail.gmail.com Whole thread Raw
Responses	Re: FORCE ROW LEVEL SECURITY (Stephen Frost <sfrost@snowman.net>) Re: FORCE ROW LEVEL SECURITY (Stephen Frost <sfrost@snowman.net>)
List	pgsql-hackers

Tree view

FORCE ROW LEVEL SECURITY doesn't behave as I would expect.

rhaas=# create policy hideit on foo1 using (a < 3);
CREATE POLICY
rhaas=# explain select * from foo1;                      QUERY PLAN
---------------------------------------------------------Seq Scan on foo1  (cost=0.00..22.70 rows=1270 width=36)
(1 row)
rhaas=# alter table foo force row level security;
ALTER TABLE
rhaas=# alter table foo1 enable row level security;
ALTER TABLE
rhaas=# explain select * from foo1;                      QUERY PLAN
---------------------------------------------------------Seq Scan on foo1  (cost=0.00..22.70 rows=1270 width=36)
(1 row)
rhaas=# create user bob;
CREATE ROLE
rhaas=# grant select on foo1 to bob;
GRANT
rhaas=# \c - bob
You are now connected to database "rhaas" as user "bob".
rhaas=> select * from foo1;a | b
---+---
(0 rows)

rhaas=> explain select * from foo1;                      QUERY PLAN
--------------------------------------------------------Seq Scan on foo1  (cost=0.00..25.88 rows=423 width=36)  Filter:
(a< 3)
 
(2 rows)

Isn't the whole purpose of FORCE ROW LEVEL SECURITY to cause RLS to be
applied even for the table owner?

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

pgsql-hackers by date:

From: Alvaro Herrera
Date: 04 November 2015, 21:29:29
Subject: Re: patch for geqo tweaks

From: Stephen Frost
Date: 04 November 2015, 21:47:30
Subject: Re: FORCE ROW LEVEL SECURITY

FORCE ROW LEVEL SECURITY - Mailing list pgsql-hackers

Previous

Next